From bc551e3369d4ffcfc788d5d474604b6602bddc12 Mon Sep 17 00:00:00 2001 From: Benjamin Lipp Date: Fri, 5 Aug 2022 15:10:54 +0200 Subject: [PATCH] Changes along with new preprint version --- README.md | 18 +- common.dhkem.dh.ocv | 13 - common.dhkem.ocv => common.dhkem.ocvl | 67 +- common.hpke.ocv => common.hpke.ocvl | 17 +- dhkem.auth.insider-cca-lr.m4.ocv | 54 +- dhkem.auth.insider-cca-lr.ocv | 54 +- dhkem.auth.insider-cca-lr.proof | 9143 +++++++------- dhkem.auth.outsider-auth-lr.m4.ocv | 65 +- dhkem.auth.outsider-auth-lr.ocv | 65 +- dhkem.auth.outsider-auth-lr.proof | 12000 +++++++++--------- dhkem.auth.outsider-cca-lr.m4.ocv | 54 +- dhkem.auth.outsider-cca-lr.ocv | 52 +- dhkem.auth.outsider-cca-lr.proof | 6837 ++++++----- hpke.auth.insider-cca.m4.ocv | 32 +- hpke.auth.insider-cca.ocv | 47 +- hpke.auth.insider-cca.proof | 6611 +++++----- hpke.auth.outsider-auth.m4.ocv | 30 +- hpke.auth.outsider-auth.ocv | 45 +- hpke.auth.outsider-auth.proof | 15437 ++++++++++++------------ hpke.auth.outsider-cca.m4.ocv | 32 +- hpke.auth.outsider-cca.ocv | 47 +- hpke.auth.outsider-cca.proof | 7856 ++++++------ keyschedule.auth.prf.ocv | 17 + keyschedule.auth.prf.proof | 3116 +++-- lib.aead.ocvl | 12 + lib.authkem.ocvl | 86 +- lib.choice.ocvl | 12 + lib.gdh.ocvl | 12 + lib.ocvl | 7241 +++++------ lib.option.ocvl | 12 + lib.prf.ocvl | 12 + lib.truncate.ocvl | 12 + run.bash | 24 +- 33 files changed, 35145 insertions(+), 33987 deletions(-) delete mode 100644 common.dhkem.dh.ocv rename common.dhkem.ocv => common.dhkem.ocvl (73%) rename common.hpke.ocv => common.hpke.ocvl (87%) diff --git a/README.md b/README.md index 643b349..65f21a4 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,17 @@ # Analysing the HPKE Standard – Supplementary Material -[![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.4297811.svg)](https://doi.org/10.5281/zenodo.4297811) +The material in this directory is supplementary material accompanying the paper: -This is supplementary material accompanying the paper -“Analysing the HPKE Standard” by Joël Alwen, Bruno Blanchet, Eduard Hauck, -Eike Kiltz, Benjamin Lipp, and Doreen Riepel. +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 ## Preliminaries The “RFC” we are referring to in this README, is -[the draft 6 of the RFC “Hybrid Public Key Encryption”](https://www.ietf.org/id/draft-irtf-cfrg-hpke-06.html). +[the draft 8 of the RFC “Hybrid Public Key Encryption”](https://www.ietf.org/id/draft-irtf-cfrg-hpke-08.html). ### Installation of CryptoVerif @@ -68,10 +70,10 @@ for CryptoVerif: The files with filenames starting by `common.*` contain definitions used in multiple models: -- `common.dhkem.dh.ocv`: definition of the Diffie-Hellman group for +- `common.dhkem.dh.ocvl`: definition of the Diffie-Hellman group for all DHKEM security notions -- `common.dhkem.ocv`: definition of DHKEM as defined in the RFC -- `common.hpke.ocv`: definition of HPKE (only everything after the KEM) +- `common.dhkem.ocvl`: definition of DHKEM as defined in the RFC +- `common.hpke.ocvl`: definition of HPKE (only everything after the KEM) as defined in the RFC These files are included by the `*.m4.ocv` files that generate the model files. diff --git a/common.dhkem.dh.ocv b/common.dhkem.dh.ocv deleted file mode 100644 index 111b561..0000000 --- a/common.dhkem.dh.ocv +++ /dev/null @@ -1,13 +0,0 @@ -type G_t [bounded]. -fun Serialize(G_t): bitstring [data]. -type Z_t [bounded,nonuniform]. -proba PCollKey. - -expand DH_proba_collision_minimal( - G_t, - Z_t, - g, - exp, - mult, - PCollKey -). diff --git a/common.dhkem.ocv b/common.dhkem.ocvl similarity index 73% rename from common.dhkem.ocv rename to common.dhkem.ocvl index 526d0ef..c319cf6 100644 --- a/common.dhkem.ocv +++ b/common.dhkem.ocvl @@ -1,3 +1,68 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + + +type G_t [bounded]. +fun Serialize(G_t): bitstring [data]. +type Z_t [bounded,nonuniform]. +proba PCollKey. + +expand DH_proba_collision_minimal( + G_t, + Z_t, + g, + exp, + mult, + PCollKey +). + +ifdef(`square',` + +proba Adv_sqGDH. +proba PDistRerandom. +expand square_GDH_RSR_minimal( + (* types *) + G_t, (* Group elements *) + Z_t, (* Exponents *) + (* variables *) + g, (* a generator of the group *) + exp, (* exponentiation function *) + mult, (* multiplication function for exponents *) + (* probabilities *) + Adv_sqGDH, (* probability of breaking the square GDH assumption *) + PDistRerandom (* probability of distinguishing a key that comes from + rerandomization from an honestly chosen key *) +). + +',` + +proba Adv_GDH. +proba PDistRerandom. +expand GDH_RSR_minimal( + (* types *) + G_t, (* Group elements *) + Z_t, (* Exponents *) + (* variables *) + g, (* a generator of the group *) + exp, (* exponentiation function *) + mult, (* multiplication function for exponents *) + (* probabilities *) + Adv_GDH, (* probability of breaking the GDH assumption *) + PDistRerandom (* probability of distinguishing a key that comes from + rerandomization from an honestly chosen key *) +). + +') + (* For a group of prime order q: PColl1Rand(Z_t) = PColl2Rand(Z_t) = 1/(q-1) PCollKey1 = PCollKey2 = 1/(q-1) @@ -38,7 +103,7 @@ const lbytes_empty: extract_salt_t. fun eae_input(extract_salt_t, extract_key_t, expand_info_t): eae_input_t [data]. (* The core of ExtractAndExpand, a.k.a. HKDF. -(* Usage of the RO assumption is for example justified in Lemma 6 of +Usage of the RO assumption is for example justified in Lemma 6 of Benjamin Lipp, Bruno Blanchet, Karthikeyan Bhargavan, A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, EuroSP2019 *) diff --git a/common.hpke.ocv b/common.hpke.ocvl similarity index 87% rename from common.hpke.ocv rename to common.hpke.ocvl index 224fb9f..01eebe7 100644 --- a/common.hpke.ocv +++ b/common.hpke.ocvl @@ -1,3 +1,14 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) type key_t [large,fixed]. @@ -48,9 +59,9 @@ expand multikey_AEAD( Seal_inner, Open_inner, injbot, (* injection from plaintext to bitstringbot: - (* injbot(plaintext): bitstringbot *) - Length, (* returns a plaintext of same length, consisting of zeros: - (* Length(plaintext): plaintext *) + injbot(plaintext): bitstringbot *) + Length, (* returns a plaintext of same length, consisting of zeros: + Length(plaintext): plaintext *) (* probabilities *) Adv_cpa, Adv_ctxt diff --git a/dhkem.auth.insider-cca-lr.m4.ocv b/dhkem.auth.insider-cca-lr.m4.ocv index e0d6cb7..66c92f1 100644 --- a/dhkem.auth.insider-cca-lr.m4.ocv +++ b/dhkem.auth.insider-cca-lr.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -101,32 +113,17 @@ proof { SArename z_5; SArename enc_8; SArename pkE_10; + remove_assign binder E_1; out_game "r3.out.cv"; success } -include(`common.dhkem.dh.ocv') - -proba Adv_GDH. -proba PDistRerandom. -expand GDH_RSR_minimal( - (* types *) - G_t, (* Group elements *) - Z_t, (* Exponents *) - (* variables *) - g, (* a generator of the group *) - exp, (* exponentiation function *) - mult, (* multiplication function for exponents *) - (* probabilities *) - Adv_GDH, (* probability of breaking the GDH assumption *) - PDistRerandom (* probability of distinguishing a key that comes from - rerandomization from an honestly chosen key *) -). - -include(`common.dhkem.ocv') +include(`common.dhkem.ocvl') param N, Qeperuser, Qcperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -158,6 +155,7 @@ equivalence Ochall(sk': Z_t) := let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pkgen(sk), skgen(sk')) in ( k' <-R eae_output_t; + insert E(pkgen(sk'), pkgen(sk), ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -168,17 +166,8 @@ equivalence return(AuthEncap(key_extr, pk_R, skgen(sk)))) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Ochall queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ic1 <= Qcperuser, i1 <= N suchthat - defined(ce[ic1, i1], k'[ic1, i1], sk'[ic1, i1], sk[i1]) - && ce[ic1, i1] = cd - && pkgen(sk'[ic1, i1]) = pk_S - && pkgen(sk[i1]) = pkgen(sk) then ( - return(AuthDecap_Some(k'[ic1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(key_extr, cd, skgen(sk), pk_S)) )) | @@ -186,3 +175,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.insider-cca-lr.m4.ocv TAG: 1 +All queries proved. +0.988s (user 0.980s + system 0.008s), max rss 30224K +END *) diff --git a/dhkem.auth.insider-cca-lr.ocv b/dhkem.auth.insider-cca-lr.ocv index 5cafc9a..61653f5 100644 --- a/dhkem.auth.insider-cca-lr.ocv +++ b/dhkem.auth.insider-cca-lr.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -101,10 +113,24 @@ proof { SArename z_5; SArename enc_8; SArename pkE_10; + remove_assign binder E_1; out_game "r3.out.cv"; success } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + + type G_t [bounded]. fun Serialize(G_t): bitstring [data]. type Z_t [bounded,nonuniform]. @@ -120,6 +146,7 @@ expand DH_proba_collision_minimal( ). + proba Adv_GDH. proba PDistRerandom. expand GDH_RSR_minimal( @@ -132,10 +159,12 @@ expand GDH_RSR_minimal( mult, (* multiplication function for exponents *) (* probabilities *) Adv_GDH, (* probability of breaking the GDH assumption *) - PDistRerandom (* probability of distinguishing a key that comes from + PDistRerandom (* probability of distinguishing a key that comes from rerandomization from an honestly chosen key *) ). + + (* For a group of prime order q: PColl1Rand(Z_t) = PColl2Rand(Z_t) = 1/(q-1) PCollKey1 = PCollKey2 = 1/(q-1) @@ -176,7 +205,7 @@ const lbytes_empty: extract_salt_t. fun eae_input(extract_salt_t, extract_key_t, expand_info_t): eae_input_t [data]. (* The core of ExtractAndExpand, a.k.a. HKDF. -(* Usage of the RO assumption is for example justified in Lemma 6 of +Usage of the RO assumption is for example justified in Lemma 6 of Benjamin Lipp, Bruno Blanchet, Karthikeyan Bhargavan, A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, EuroSP2019 *) @@ -293,6 +322,8 @@ letfun AuthDecap(key_extr: hash_key_t, enc: bitstring, skR: Z_t, pkS: G_t) = param N, Qeperuser, Qcperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -324,6 +355,7 @@ equivalence Ochall(sk': Z_t) := let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pkgen(sk), skgen(sk')) in ( k' <-R eae_output_t; + insert E(pkgen(sk'), pkgen(sk), ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -334,17 +366,8 @@ equivalence return(AuthEncap(key_extr, pk_R, skgen(sk)))) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Ochall queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ic1 <= Qcperuser, i1 <= N suchthat - defined(ce[ic1, i1], k'[ic1, i1], sk'[ic1, i1], sk[i1]) - && ce[ic1, i1] = cd - && pkgen(sk'[ic1, i1]) = pk_S - && pkgen(sk[i1]) = pkgen(sk) then ( - return(AuthDecap_Some(k'[ic1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(key_extr, cd, skgen(sk), pk_S)) )) | @@ -352,3 +375,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.insider-cca-lr.m4.ocv TAG: 1 +All queries proved. +0.988s (user 0.980s + system 0.008s), max rss 30224K +END *) diff --git a/dhkem.auth.insider-cca-lr.proof b/dhkem.auth.insider-cca-lr.proof index 2bc0394..eecc434 100644 --- a/dhkem.auth.insider-cca-lr.proof +++ b/dhkem.auth.insider-cca-lr.proof @@ -1,4490 +1,4653 @@ -Initial state -Game 1 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - return((pkR_1: G_t <- exp(g, sk); {26}let (skE_2: Z_t, pkE_3: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); enc_2: bitstring <- Serialize(pkE_3); pkS: G_t <- exp(g, sk'); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); zz_3: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_3, enc_2) else AuthEncap_None)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return({119}(let (skE_3: Z_t, pkE_4: G_t) = (z_2 <-R Z_t; (z_2, exp(g, z_2))) in dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); enc_3: bitstring <- Serialize(pkE_4); pkS_1: G_t <- exp(g, sk); kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); zz_4: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1))); AuthEncap_tuple(zz_4, enc_3) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_5: G_t) = cd in dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); pkR_2: G_t <- exp(g, skR); kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); zz_5: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2))); AuthDecap_Some(zz_5) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE_3: Z_t, pkE_4: G_t) (tuple expanded) at 119 - - Remove else branch of let at 119 - - Simplify pattern (skE_2: Z_t, pkE_3: G_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 2 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - skE_2: Z_t <- z_1; - dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - skE_3: Z_t <- z_2; - dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); - pkR_2: G_t <- exp(g, skR); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skE_3 (definition removed, all usages removed) - - Remove assignments on skE_2 (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- {32}concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')) with concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))) at 32 -yields - -Game 4 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction find ic_1 = ic <= Qcperuser suchthat - defined(zz_3[ic], sk'[ic], enc_2[ic]) - && (enc_2[ic] = cd) - && (exp(g, sk'[ic]) = pk_S) - then at occurrence 217 -yields - -Game 5 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - {241} let Serialize(pkE_5: G_t) = {242}cd in - dh_5: GG_t <- {246}concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced cd with Serialize(pkE_3[ic_2]) at 242 - - Remove else branch of let at 241 - - Simplify pattern Serialize(pkE_5: G_t) (tuple expanded) at 241 - - Replaced concatDH(exp(pkE_5, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))) at 246 - - Replaced defined condition zz_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 -yields - -Game 6 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - pkE_5: G_t <- pkE_3[ic_2]; - dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some({321}zz_5)) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying replace term at occurrence 321 with zz_3[ic_2] -yields - -Game 7 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - pkE_5: G_t <- pkE_3[ic_2]; - dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying remove assignments of useless - - Remove assignments on pkE_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on key_2 (definition removed, all usages removed) - - Remove assignments on info_2 (definition removed, all usages removed) - - Remove assignments on dh_5 (definition removed, all usages removed) - - Remove assignments on kemContext_5 (definition removed, all usages removed) - - Remove assignments on pkR_2 (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 -yields - -Game 9 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {123} z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 123 -yields - -Game 10 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename z_2 - - Rename variable z_2 into z_7, z_6 -yields - -Game 11 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- {141}concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_6), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))) at 141 -yields - -Game 12 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename enc_3 - - Rename variable enc_3 into enc_10, enc_9 -yields - -Game 13 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename dh_4 - - Rename variable dh_4 into dh_13, dh_12 -yields - -Game 14 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename zz_4 - - Rename variable zz_4 into zz_13, zz_12 -yields - -Game 15 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename pkE_4 - - Rename variable pkE_4 into pkE_13, pkE_12 -yields - -Game 16 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename kemContext_4 - - Rename variable kemContext_4 into kemContext_13, kemContext_12 -yields - -Game 17 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename key_1 - - Rename variable key_1 into key_7, key_6 -yields - -Game 18 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename info_1 - - Rename variable info_1 into info_7, info_6 -yields - -Game 19 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - {448} return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 448 -yields - -Game 20 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_4, x1)) - else - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_4 -> hk -yields - -Game 21 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && {121}(x_O = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && {139}(x_O = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {185}(x_O = x_O_5[ri_50]) then r_5[u_50] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {309}find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && {314}(x_O_2 = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {332}(x_O_2 = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {396}(x_O_2 = x_O_5[ri_40]) then r_5[u_40] else r_2 <-R eae_output_t; r_2); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {499}find [unique] u_38 = ri_38 <= Qcperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && {504}(x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qeperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && {540}(x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {586}(x_O_1 = x_O_5[ri_30]) then r_5[u_30] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {717}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {804}(x_O_3 = x_O_5[ri_20]) then r_5[u_20] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; {855}find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {928}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; {945}find [unique] u_8 = ri_8 <= Qcperuser, u_9 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {950}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {965}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {980}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {995}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1008}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + #Ochall^2 + 4 * #Ochall * #OAEncap + N^2) * PCollKey] - - Simplification pass - - Replaced (x_O = x_O_5[ri_50]) with false at 185 - - Remove branch 6 in find at 98 - - Replaced (x_O = x_O_2[ri_54, ri_55]) with false at 139 - - Remove branch 3 in find at 98 - - Replaced (x_O = x_O_1[ri_56, ri_57]) with false at 121 - - Remove branch 2 in find at 98 - - Replaced (x_O_2 = x_O_5[ri_40]) with false at 396 - - Remove branch 6 in find at 309 - - Replaced (x_O_2 = x_O_1[ri_46, ri_47]) with false at 332 - - Remove branch 2 in find at 309 - - Replaced (x_O_2 = x_O[ri_48, ri_49]) with false at 314 - - Remove branch 1 in find at 309 - - Replaced (x_O_1 = x_O_5[ri_30]) with false at 586 - - Remove branch 6 in find at 499 - - Replaced (x_O_1 = x_O_2[ri_34, ri_35]) with false at 540 - - Remove branch 3 in find at 499 - - Replaced (x_O_1 = x_O[ri_38, ri_39]) with false at 504 - - Remove branch 1 in find at 499 - - Replaced (x_O_3 = x_O_5[ri_20]) with false at 804 - - Remove branch 6 in find at 717 - - Replaced (x_O_4 = x_O_5[ri_10]) with false at 928 - - Remove branch 6 in find at 855 - - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1008 - - Remove branch 5 in find at 945 - - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 995 - - Remove branch 4 in find at 945 - - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 980 - - Remove branch 3 in find at 945 - - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 965 - - Remove branch 2 in find at 945 - - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 950 - - Remove branch 1 in find at 945 -yields - -Game 22 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {261}find [unique] u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] else r_2 <-R eae_output_t; r_2); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {403}find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {573}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying expand [probability (#Ochall^2 + 2 * #OAEncap^2 + #OAEncap * N + N^2) * PCollKey] - - Expand if/find/let - - Remove branch 2 in find at 573 - - Remove branch 2 in find at 403 - - Remove branch 1 in find at 403 - - Remove branch 1 in find at 261 - - Remove branch 1 in find at 98 -yields - -Game 23 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then - zz_3: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(zz_3, enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(zz_3, enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then - zz_12: eae_output_t <- r_3[u_42, u_43]; - return(AuthEncap_tuple(zz_12, enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then - zz_12: eae_output_t <- r_4[u_41]; - return(AuthEncap_tuple(zz_12, enc_9)) - else - r_2 <-R eae_output_t; - zz_12: eae_output_t <- r_2; - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then - zz_13: eae_output_t <- r_4[u_31]; - return(AuthEncap_tuple(zz_13, enc_10)) - else - r_1 <-R eae_output_t; - zz_13: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then - zz_5: eae_output_t <- r[u_28, u_29]; - return(AuthDecap_Some(zz_5)) - orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then - zz_5: eae_output_t <- r_2[u_24, u_25]; - return(AuthDecap_Some(zz_5)) - orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then - zz_5: eae_output_t <- r_3[u_22, u_23]; - return(AuthDecap_Some(zz_5)) - orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then - zz_5: eae_output_t <- r_4[u_21]; - return(AuthDecap_Some(zz_5)) - else - r_3 <-R eae_output_t; - zz_5: eae_output_t <- r_3; - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- x1; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- x1; - find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_5 (definition point kept, all usages removed) - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition kept, array references kept) - - Remove assignments on zz_3 (definition kept, array references kept) - - Remove assignments on zz_3 (definition kept, array references kept) -yields - -Game 24 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - {97} find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && {102}(x_O = x_O_3[ri_52, ri_53]) then - zz_3: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(r_3[u_52, u_53], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {135}(x_O = x1[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {273} find [unique] u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && {278}(x_O_2 = x_O_3[ri_42, ri_43]) then - return(AuthEncap_tuple(r_3[u_42, u_43], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {302}(x_O_2 = x1[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - {408} find [unique] u_31 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {412}(x_O_1 = x1[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - {546} find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && {551}(x_O_3 = x_O[ri_28, ri_29]) then - return(AuthDecap_Some(r[u_28, u_29])) - orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {573}(x_O_3 = x_O_2[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && {595}(x_O_3 = x_O_3[ri_22, ri_23]) then - return(AuthDecap_Some(r_3[u_22, u_23])) - orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {616}(x_O_3 = x1[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - {665} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {670}(x1 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {688}(x1 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {706}(x1 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {724}(x1 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {741}(x1 = x1[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - {761} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 761 - - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 741 - - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 665 - - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 724 - - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 665 - - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 706 - - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15] in find at 665 - - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 688 - - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17] in find at 665 - - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 670 - - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19] in find at 665 - - Replaced (x_O_3 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 616 - - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 546 - - Replaced (x_O_3 = x_O_3[ri_22, ri_23]) with ((pk_S = pk_S[ri_22, ri_23]) && (i = ri_23) && (pkE_5 = pkE_5[ri_22, ri_23])) at 595 - - In branch 3 of find at 546, substituting u_23 with i - - Replaced defined condition x_O_3[ri_22, ri_23], r_3[ri_22, ri_23] with r_3[ri_22], pkE_5[ri_22], pk_S[ri_22] in find at 546 - - Replaced (x_O_3 = x_O_2[ri_24, ri_25]) with ((pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25])) at 573 - - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25] in find at 546 - - Replaced (x_O_3 = x_O[ri_28, ri_29]) with ((pk_S = pkS[ri_28, ri_29]) && (i = ri_29) && (pkE_5 = pkE_3[ri_28, ri_29])) at 551 - - Remove branch 1 in find at 546 - - Replaced (x_O_1 = x1[ri_31]) with ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 412 - - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 408 - - Replaced (x_O_2 = x1[ri_41]) with ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 302 - - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 273 - - Replaced (x_O_2 = x_O_3[ri_42, ri_43]) with ((pkS_1 = pk_S[ri_42, ri_43]) && (i1_2 = ri_43) && (pkE_12 = pkE_5[ri_42, ri_43])) at 278 - - In branch 1 of find at 273, substituting u_43 with i1_2 - - Replaced defined condition x_O_3[ri_42, ri_43], r_3[ri_42, ri_43] with r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2] in find at 273 - - Replaced (x_O = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 135 - - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 97 - - Replaced (x_O = x_O_3[ri_52, ri_53]) with ((pkS = pk_S[ri_52, ri_53]) && (i = ri_53) && (pkE_3 = pkE_5[ri_52, ri_53])) at 102 - - In branch 1 of find at 97, substituting u_53 with i - - Replaced defined condition x_O_3[ri_52, ri_53], r_3[ri_52, ri_53] with r_3[ri_52], pkE_5[ri_52], pk_S[ri_52] in find at 97 -yields - -Game 25 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - {97} find [unique] u_52 = ri_52 <= Qdperuser suchthat defined(r_3[ri_52], pkE_5[ri_52], pk_S[ri_52]) && {104}((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) then - u_53 <= N <- i; - zz_3: eae_output_t <- r_3[u_52]; - return(AuthEncap_tuple(r_3[u_52], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && {389}((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) then - u_43 <= N <- i1_2; - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && {909}((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability #OADecap * Qcperuser * PCollKey] - - Simplification pass - - Replaced ((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) with ((pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22])) at 909 - - Replaced ((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) with ((pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2])) at 389 - - Replaced ((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) with false at 104 - - Remove branch 1 in find at 97 -yields - -Game 26 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - u_43 <= N <- i1_2; - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying move all binders - - Move assignment to x_O_5 - - Move assignment to x_O_4 - - Move assignment to x_O_3 - - Move assignment to info_2 - - Move assignment to key_2 - - Move assignment to kemContext_5 - - Move assignment to x_O_1 - - Move assignment to info_7 - - Move assignment to key_7 - - Move assignment to kemContext_13 - - Move assignment to x_O_2 - - Move assignment to info_6 - - Move assignment to key_6 - - Move assignment to kemContext_12 - - Move assignment to x_O - - Move assignment to info - - Move assignment to key - - Move assignment to kemContext_3 -yields - -Game 27 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - u_43 <= N <- i1_2; - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_5 (definition removed, all usages removed) - - Remove assignments on u_23 (definition removed, all usages removed) - - Remove assignments on dh_13 (definition removed, all usages removed) - - Remove assignments on dh_12 (definition removed, all usages removed) - - Remove assignments on u_43 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying equivalence gdh(exp) with variables: sk -> a, z_1 -> b. [probability Adv_GDH(time_1, 5 * Qh) + (#Ochall + N) * PDistRerandom + (#Ochall^2 + 2 * #OAEncap^2 + N^2) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_1 -> b. -yields - -Game 29 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - {41} find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && ((x: Z_t <- sk'; exp(g, mult(sk, x))) = dh2[ri_51]) && (m_3: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_3]))) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10: G_t <- dh2[ri_41]; (m_10 = exp(g, mult(sk[i1_2], sk)))) && ((x_1: Z_t <- z_6; exp(g, mult(sk[i1_2], x_1))) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; (m_4 = exp(m'_1, sk))) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {812} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], sk[ri_19], sk'[ri_18, ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = (x_2: Z_t <- sk'[ri_18, ri_19]; exp(g, mult(sk[ri_19], x_2)))) && (m_14: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; (m_15 = exp(m'_4, sk[ri_17]))) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20: G_t <- dh2; (m_20 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15])))) && (dh1 = (x_3: Z_t <- z_6[ri_14, ri_15]; exp(g, mult(sk[i1_2[ri_14, ri_15]], x_3)))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; (m_22 = exp(m'_6, sk[ri_13]))) && (m_21: G_t <- dh1; m'_5: G_t <- pkE_5[ri_12, ri_13]; (m_21 = exp(m'_5, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 812 - - Remove branch 1 in find at 41 - - Find at 41 removed (else branch kept if any) -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_3]))) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m_10: G_t <- dh2[ri_41]; x_1: Z_t <- z_6; ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10 = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], x_1)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4 = exp(m'_1, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]))) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15 = exp(m'_4, sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (m_20: G_t <- dh2; x_3: Z_t <- z_6[ri_14, ri_15]; ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], x_3))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; m_21: G_t <- dh1; m'_5: G_t <- pkE_5[ri_12, ri_13]; ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22 = exp(m'_6, sk[ri_13])) && (m_21 = exp(m'_5, sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_15 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_20 (definition removed, all usages removed) - - Remove assignments on x_3 (definition removed, all usages removed) - - Remove assignments on m_22 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m_21 (definition removed, all usages removed) - - Remove assignments on m'_5 (definition removed, all usages removed) - - Remove assignments on m_12 (definition removed, all usages removed) - - Remove assignments on m'_3 (definition removed, all usages removed) - - Remove assignments on m_11 (definition removed, all usages removed) - - Remove assignments on m'_2 (definition removed, all usages removed) - - Remove assignments on m_4 (definition removed, all usages removed) - - Remove assignments on m'_1 (definition removed, all usages removed) - - Remove assignments on m_10 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on m_5 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) - - Remove assignments on pkS (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (dh2[ri_31] = exp(pk_R, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(r[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(r[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_5, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - -Initial state -Game 32 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - {19} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (pkR_4: G_t <- exp(g, sk_1); {25}let (skE_6: Z_t, pkE_9: G_t) = (z_4 <-R Z_t; (z_4, exp(g, z_4))) in dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); enc_7: bitstring <- Serialize(pkE_9); pkS_3: G_t <- exp(g, sk'_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); zz_9: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_9, enc_7) else AuthEncap_None) in - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - return(AuthEncap_None) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - return({132}(let (skE_7: Z_t, pkE_10: G_t) = (z_5 <-R Z_t; (z_5, exp(g, z_5))) in dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); enc_8: bitstring <- Serialize(pkE_10); pkS_4: G_t <- exp(g, sk_1); kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); zz_10: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthEncap_tuple(zz_10, enc_8) else AuthEncap_None)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (ce[ic1, i1] = cd_1) && ((exponent_15: Z_t <- sk'_1[ic1, i1]; exp(g, exponent_15)) = pk_S_1) && ((exponent_16: Z_t <- sk_1[i1]; exp(g, exponent_16)) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_11: G_t) = cd_1 in dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); pkR_5: G_t <- exp(g, skR_1); kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); zz_11: eae_output_t <- (key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5))); AuthDecap_Some(zz_11) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying expand [probability N^2 * PCollKey] - - Expand if/find/let - - Simplify pattern (skE_7: Z_t, pkE_10: G_t) (tuple expanded) at 132 - - Remove else branch of let at 132 - - Simplify pattern (skE_6: Z_t, pkE_9: G_t) (tuple expanded) at 25 - - Remove else branch of let at 25 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 19 - - Remove else branch of let at 19 -yields - -Game 33 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - pkR_4: G_t <- exp(g, sk_1); - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - skE_6: Z_t <- z_4; - dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); - enc_7: bitstring <- Serialize(pkE_9); - pkS_3: G_t <- exp(g, sk'_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - ce: bitstring <- enc_7; - k: eae_output_t <- zz_9; - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - skE_7: Z_t <- z_5; - dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (exponent_15: Z_t <- sk'_1[ic1, i1]; exponent_16: Z_t <- sk_1[i1]; ((ce[ic1, i1] = cd_1) && (exp(g, exponent_15) = pk_S_1) && (exp(g, exponent_16) = exp(g, sk_1)))) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); - pkR_5: G_t <- exp(g, skR_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on skE_7 (definition removed, all usages removed) - - Remove assignments on skE_6 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on key_3 (definition removed, all usages removed) - - Remove assignments on info_3 (definition removed, all usages removed) - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on kemContext_9 (definition removed, all usages removed) - - Remove assignments on pkR_4 (definition removed, all usages removed) - - Remove assignments on pkS_3 (definition removed, all usages removed) -yields - -Game 34 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - {142} find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && {150}((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) with ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (i1 = i_1)) at 150 - - In branch 1 of find at 142, substituting i1_1 with i_1 - - Replaced defined condition enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1] with k'[ic1], sk'_1[ic1], enc_7[ic1] in find at 142 -yields - -Game 35 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && {149}((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) with ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1)) at 149 -yields - -Game 36 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on i1_1 (definition removed, all usages removed) -yields - -Game 37 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {48} z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction find i2 <= N suchthat - defined(sk_1[i2]) - && pk_R_1 = exp(g, sk_1[i2]) then at occurrence 48 -yields - -Game 38 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - {367} return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 367 -yields - -Game 39 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {197}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {300}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {369}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {500}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {569}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; {620}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {678}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; {695}find [unique] u_66 = ri_66 <= Qeperuser, u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {700}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {715}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {730}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {743}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying simplify (non-expanded game) [probability (#OAEncap^2 + N^2) * PCollKey] - - Simplification pass - - Replaced (x_O_7 = x_O_10[ri_92]) with false at 197 - - Remove branch 5 in find at 128 - - Replaced (x_O_6 = x_O_10[ri_84]) with false at 369 - - Remove branch 5 in find at 300 - - Replaced (x_O_8 = x_O_10[ri_76]) with false at 569 - - Remove branch 5 in find at 500 - - Replaced (x_O_9 = x_O_10[ri_68]) with false at 678 - - Remove branch 5 in find at 620 - - Replaced (x_O_10 = x_O_9[ri_61]) with false at 743 - - Remove branch 4 in find at 695 - - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 730 - - Remove branch 3 in find at 695 - - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 715 - - Remove branch 2 in find at 695 - - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 700 - - Remove branch 1 in find at 695 -yields - -Game 41 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {288}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {476}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] - - Expand if/find/let - - Remove branch 1 in find at 476 - - Remove branch 3 in find at 288 - - Remove branch 2 in find at 288 - - Remove branch 1 in find at 288 - - Remove branch 2 in find at 128 - - Remove branch 1 in find at 128 -yields - -Game 42 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then - zz_10: eae_output_t <- r_8[u_94, u_95]; - return(AuthEncap_tuple(zz_10, enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then - zz_10: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(zz_10, enc_8)) - else - r_7 <-R eae_output_t; - zz_10: eae_output_t <- r_7; - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then - zz_10: eae_output_t <- r_9[u_85]; - return(AuthEncap_tuple(zz_10, enc_8)) - else - r_6 <-R eae_output_t; - zz_10: eae_output_t <- r_6; - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then - zz_11: eae_output_t <- r_7[u_80, u_81]; - return(AuthDecap_Some(zz_11)) - orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then - zz_11: eae_output_t <- r_8[u_78, u_79]; - return(AuthDecap_Some(zz_11)) - orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then - zz_11: eae_output_t <- r_9[u_77]; - return(AuthDecap_Some(zz_11)) - else - r_8 <-R eae_output_t; - zz_11: eae_output_t <- r_8; - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- x1_1; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- x1_1; - find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_10 (definition point kept, all usages removed) - - Remove assignments on x_O_9 (definition point kept, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) -yields - -Game 43 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- {65}concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {127} find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && {132}(x_O_7 = x_O_8[ri_94, ri_95]) then - return(AuthEncap_tuple(r_8[u_94, u_95], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {156}(x_O_7 = x1_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {262} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {266}(x_O_6 = x1_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {400} find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && {405}(x_O_8 = x_O_7[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {427}(x_O_8 = x_O_8[ri_78, ri_79]) then - return(AuthDecap_Some(r_8[u_78, u_79])) - orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {448}(x_O_8 = x1_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - {497} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {502}(x1_1 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {520}(x1_1 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {538}(x1_1 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {555}(x1_1 = x1_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - {575} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 575 - - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 555 - - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 497 - - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 538 - - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 497 - - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 520 - - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73] in find at 497 - - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 502 - - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75] in find at 497 - - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 448 - - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 400 - - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_11 = pkE_11[ri_78, ri_79])) at 427 - - In branch 2 of find at 400, substituting u_79 with i_1 - - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78] in find at 400 - - Replaced (x_O_8 = x_O_7[ri_80, ri_81]) with ((pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81])) at 405 - - Replaced defined condition x_O_7[ri_80, ri_81], r_7[ri_80, ri_81] with r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81] in find at 400 - - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 266 - - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 262 - - Replaced concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))) at 65 - - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 156 - - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 127 - - Replaced (x_O_7 = x_O_8[ri_94, ri_95]) with ((pkS_4 = pk_S_1[ri_94, ri_95]) && (i2_901 = ri_95) && (pkE_10 = pkE_11[ri_94, ri_95])) at 132 - - In branch 1 of find at 127, substituting u_95 with i2_901 - - Replaced defined condition x_O_8[ri_94, ri_95], r_8[ri_94, ri_95] with r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901] in find at 127 -yields - -Game 44 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && {146}((pkS_4 = pk_S_1[ri_94, i2_901]) && (i2_901 = i2_901) && (pkE_10 = pkE_11[ri_94, i2_901])) then - u_95 <= N <- i2_901; - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && {666}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78])) at 666 - - Replaced ((pkS_4 = pk_S_1[ri_94, i2_901]) && (i2_901 = i2_901) && (pkE_10 = pkE_11[ri_94, i2_901])) with ((pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901])) at 146 -yields - -Game 45 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then - u_95 <= N <- i2_901; - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying move all binders - - Move assignment to x_O_10 - - Move assignment to x_O_9 - - Move assignment to x_O_8 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_11 - - Move assignment to x_O_6 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_10 - - Move assignment to x_O_7 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_10 -yields - -Game 46 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then - u_95 <= N <- i2_901; - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on u_79 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) - - Remove assignments on u_95 (definition removed, all usages removed) -yields - -Game 47 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename z_5 - - Rename variable z_5 into z_9, z_8 -yields - -Game 48 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_8 <-R Z_t; - pkE_10: G_t <- exp(g, z_8); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_9 <-R Z_t; - pkE_10: G_t <- exp(g, z_9); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename enc_8 - - Rename variable enc_8 into enc_12, enc_11 -yields - -Game 49 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_8 <-R Z_t; - pkE_10: G_t <- exp(g, z_8); - enc_11: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_11)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_11)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_11)) - else - z_9 <-R Z_t; - pkE_10: G_t <- exp(g, z_9); - enc_12: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_12)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_12)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename pkE_10 - - Rename variable pkE_10 into pkE_15, pkE_14 -yields - -Game 50 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then - z_8 <-R Z_t; - pkE_14: G_t <- exp(g, z_8); - enc_11: bitstring <- Serialize(pkE_14); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_14 = pkE_11[ri_94, i2_901]) then - return(AuthEncap_tuple(r_8[u_94, i2_901], enc_11)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_14 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_11)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_11)) - else - z_9 <-R Z_t; - pkE_15: G_t <- exp(g, z_9); - enc_12: bitstring <- Serialize(pkE_15); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_15 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_12)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_12)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_14[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_14[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_15[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_15[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_14[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_14[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Proved indistinguishability between game 50 and game 1 -Game 50 is the same as game 31. -Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + #OAEncap * N + 4 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 8 * #OAEncap^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] -Adv[Game 31: indistinguishability from game 31] <= 0 -Adv[Game 32: indistinguishability from game 50] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 50: indistinguishability from game 50] -Adv[Game 50: indistinguishability from game 50] <= 0 -RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + 2 * #OAEncap * N + 9 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 10 * #OAEncap^2) * PCollKey -RESULT time_1 = (#Ochall + #OAEncap) * time(Serialize) + #Ochall * time(AuthEncap_tuple, maxlength(game 28: enc_2)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_10)) + #OADecap * Qcperuser * time(= bitstring, maxlength(game 28: enc_2), maxlength(game 28: cd)) + (#OADecap * Qcperuser + 2 * Qh * #OAEncap + 3 * #Ochall + 2 * #OAEncap + 1 + N) * time(exp) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (2 * Qh * #Ochall + 3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + time -All queries proved. +Initial state +Game 1 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + return((pkR_1: G_t <- exp(g, sk); {26}let (skE_2: Z_t, pkE_3: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); enc_2: bitstring <- Serialize(pkE_3); pkS: G_t <- exp(g, sk'); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); zz_3: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_3, enc_2) else AuthEncap_None)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return({119}(let (skE_3: Z_t, pkE_4: G_t) = (z_2 <-R Z_t; (z_2, exp(g, z_2))) in dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); enc_3: bitstring <- Serialize(pkE_4); pkS_1: G_t <- exp(g, sk); kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); zz_4: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1))); AuthEncap_tuple(zz_4, enc_3) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_5: G_t) = cd in dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); pkR_2: G_t <- exp(g, skR); kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); zz_5: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2))); AuthDecap_Some(zz_5) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE_3: Z_t, pkE_4: G_t) (tuple expanded) at 119 + - Remove else branch of let at 119 + - Simplify pattern (skE_2: Z_t, pkE_3: G_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + +Game 2 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + skE_2: Z_t <- z_1; + dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + skE_3: Z_t <- z_2; + dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); + pkR_2: G_t <- exp(g, skR); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skE_3 (definition removed, all usages removed) + - Remove assignments on skE_2 (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- {32}concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')) with concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))) at 32 +yields + +Game 4 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction find ic_1 = ic <= Qcperuser suchthat + defined(zz_3[ic], sk'[ic], enc_2[ic]) + && (enc_2[ic] = cd) + && (exp(g, sk'[ic]) = pk_S) + then at occurrence 217 +yields + +Game 5 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + {241} let Serialize(pkE_5: G_t) = {242}cd in + dh_5: GG_t <- {246}concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced cd with Serialize(pkE_3[ic_2]) at 242 + - Remove else branch of let at 241 + - Simplify pattern Serialize(pkE_5: G_t) (tuple expanded) at 241 + - Replaced concatDH(exp(pkE_5, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))) at 246 + - Replaced defined condition zz_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 +yields + +Game 6 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + pkE_5: G_t <- pkE_3[ic_2]; + dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some({321}zz_5)) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying replace term at occurrence 321 with zz_3[ic_2] +yields + +Game 7 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + pkE_5: G_t <- pkE_3[ic_2]; + dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying remove assignments of useless + - Remove assignments on pkE_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on key_2 (definition removed, all usages removed) + - Remove assignments on info_2 (definition removed, all usages removed) + - Remove assignments on dh_5 (definition removed, all usages removed) + - Remove assignments on kemContext_5 (definition removed, all usages removed) + - Remove assignments on pkR_2 (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 +yields + +Game 9 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {123} z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 123 +yields + +Game 10 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename z_2 + - Rename variable z_2 into z_7, z_6 +yields + +Game 11 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- {141}concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_6), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))) at 141 +yields + +Game 12 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename enc_3 + - Rename variable enc_3 into enc_10, enc_9 +yields + +Game 13 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename dh_4 + - Rename variable dh_4 into dh_13, dh_12 +yields + +Game 14 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename zz_4 + - Rename variable zz_4 into zz_13, zz_12 +yields + +Game 15 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename pkE_4 + - Rename variable pkE_4 into pkE_13, pkE_12 +yields + +Game 16 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename kemContext_4 + - Rename variable kemContext_4 into kemContext_13, kemContext_12 +yields + +Game 17 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename key_1 + - Rename variable key_1 into key_7, key_6 +yields + +Game 18 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename info_1 + - Rename variable info_1 into info_7, info_6 +yields + +Game 19 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + {448} return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 448 +yields + +Game 20 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_4, x1)) + else + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_4 -> hk +yields + +Game 21 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_62 = ri_58 <= Qcperuser, u_63 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_62, u_63] orfind u_60 = ri_56 <= Qeperuser, u_61 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && {121}(x_O = x_O_1[ri_56, ri_57]) then r_1[u_60, u_61] orfind u_58 = ri_54 <= Qeperuser, u_59 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && {139}(x_O = x_O_2[ri_54, ri_55]) then r_2[u_58, u_59] orfind u_56 = ri_52 <= Qdperuser, u_57 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_56, u_57] orfind u_55 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_55] orfind u_54 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {185}(x_O = x_O_5[ri_50]) then r_5[u_54] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {309}find [unique] u_52 = ri_48 <= Qcperuser, u_53 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && {314}(x_O_2 = x_O[ri_48, ri_49]) then r[u_52, u_53] orfind u_50 = ri_46 <= Qeperuser, u_51 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {332}(x_O_2 = x_O_1[ri_46, ri_47]) then r_1[u_50, u_51] orfind u_48 = ri_44 <= Qeperuser, u_49 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_48, u_49] orfind u_46 = ri_42 <= Qdperuser, u_47 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_46, u_47] orfind u_45 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_45] orfind u_44 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {396}(x_O_2 = x_O_5[ri_40]) then r_5[u_44] else r_2 <-R eae_output_t; r_2); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {499}find [unique] u_42 = ri_38 <= Qcperuser, u_43 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && {504}(x_O_1 = x_O[ri_38, ri_39]) then r[u_42, u_43] orfind u_40 = ri_36 <= Qeperuser, u_41 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_40, u_41] orfind u_38 = ri_34 <= Qeperuser, u_39 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && {540}(x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_38, u_39] orfind u_36 = ri_32 <= Qdperuser, u_37 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_36, u_37] orfind u_35 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_35] orfind u_34 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {586}(x_O_1 = x_O_5[ri_30]) then r_5[u_34] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {717}find [unique] u_32 = ri_28 <= Qcperuser, u_33 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_32, u_33] orfind u_30 = ri_26 <= Qeperuser, u_31 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_30, u_31] orfind u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_28, u_29] orfind u_26 = ri_22 <= Qdperuser, u_27 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_26, u_27] orfind u_25 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_25] orfind u_24 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {804}(x_O_3 = x_O_5[ri_20]) then r_5[u_24] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; {855}find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_22, u_23] orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_20, u_21] orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_18, u_19] orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_16, u_17] orfind u_15 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_15] orfind u_14 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {928}(x_O_4 = x_O_5[ri_10]) then r_5[u_14] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; {945}find [unique] u_12 = ri_8 <= Qcperuser, u_13 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {950}(x_O_5 = x_O[ri_8, ri_9]) then r[u_12, u_13] orfind u_10 = ri_6 <= Qeperuser, u_11 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {965}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_10, u_11] orfind u_8 = ri_4 <= Qeperuser, u_9 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {980}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_8, u_9] orfind u_6 = ri_2 <= Qdperuser, u_7 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {995}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_6, u_7] orfind u_5 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1008}(x_O_5 = x_O_4[ri_1]) then r_4[u_5] orfind u_4 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u_4] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + #Ochall^2 + 4 * #Ochall * #OAEncap + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O = x_O_5[ri_50]) with false at 185 + - Remove branch 6 in find at 98 + - Replaced (x_O = x_O_2[ri_54, ri_55]) with false at 139 + - Remove branch 3 in find at 98 + - Replaced (x_O = x_O_1[ri_56, ri_57]) with false at 121 + - Remove branch 2 in find at 98 + - Replaced (x_O_2 = x_O_5[ri_40]) with false at 396 + - Remove branch 6 in find at 309 + - Replaced (x_O_2 = x_O_1[ri_46, ri_47]) with false at 332 + - Remove branch 2 in find at 309 + - Replaced (x_O_2 = x_O[ri_48, ri_49]) with false at 314 + - Remove branch 1 in find at 309 + - Replaced (x_O_1 = x_O_5[ri_30]) with false at 586 + - Remove branch 6 in find at 499 + - Replaced (x_O_1 = x_O_2[ri_34, ri_35]) with false at 540 + - Remove branch 3 in find at 499 + - Replaced (x_O_1 = x_O[ri_38, ri_39]) with false at 504 + - Remove branch 1 in find at 499 + - Replaced (x_O_3 = x_O_5[ri_20]) with false at 804 + - Remove branch 6 in find at 717 + - Replaced (x_O_4 = x_O_5[ri_10]) with false at 928 + - Remove branch 6 in find at 855 + - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1008 + - Remove branch 5 in find at 945 + - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 995 + - Remove branch 4 in find at 945 + - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 980 + - Remove branch 3 in find at 945 + - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 965 + - Remove branch 2 in find at 945 + - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 950 + - Remove branch 1 in find at 945 +yields + +Game 22 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_62 = ri_58 <= Qcperuser, u_63 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_62, u_63] orfind u_56 = ri_52 <= Qdperuser, u_57 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_56, u_57] orfind u_55 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_55] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {261}find [unique] u_48 = ri_44 <= Qeperuser, u_49 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_48, u_49] orfind u_46 = ri_42 <= Qdperuser, u_47 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_46, u_47] orfind u_45 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_45] else r_2 <-R eae_output_t; r_2); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {403}find [unique] u_40 = ri_36 <= Qeperuser, u_41 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_40, u_41] orfind u_36 = ri_32 <= Qdperuser, u_37 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_36, u_37] orfind u_35 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_35] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {573}find [unique] u_32 = ri_28 <= Qcperuser, u_33 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_32, u_33] orfind u_30 = ri_26 <= Qeperuser, u_31 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_30, u_31] orfind u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_28, u_29] orfind u_26 = ri_22 <= Qdperuser, u_27 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_26, u_27] orfind u_25 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_25] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_22, u_23] orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_20, u_21] orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_18, u_19] orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_16, u_17] orfind u_15 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_15] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; find [unique] u_4 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u_4] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying expand [probability (#Ochall^2 + 2 * #OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 573 + - Remove branch 2 in find at 403 + - Remove branch 1 in find at 403 + - Remove branch 1 in find at 261 + - Remove branch 1 in find at 98 +yields + +Game 23 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + find [unique] u_56 = ri_52 <= Qdperuser, u_57 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then + zz_3: eae_output_t <- r_3[u_56, u_57]; + return(AuthEncap_tuple(zz_3, enc_2)) + orfind u_55 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(zz_3, enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_46 = ri_42 <= Qdperuser, u_47 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then + zz_12: eae_output_t <- r_3[u_46, u_47]; + return(AuthEncap_tuple(zz_12, enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then + zz_12: eae_output_t <- r_4[u_45]; + return(AuthEncap_tuple(zz_12, enc_9)) + else + r_2 <-R eae_output_t; + zz_12: eae_output_t <- r_2; + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_35 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then + zz_13: eae_output_t <- r_4[u_35]; + return(AuthEncap_tuple(zz_13, enc_10)) + else + r_1 <-R eae_output_t; + zz_13: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_32 = ri_28 <= Qcperuser, u_33 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then + zz_5: eae_output_t <- r[u_32, u_33]; + return(AuthDecap_Some(zz_5)) + orfind u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then + zz_5: eae_output_t <- r_2[u_28, u_29]; + return(AuthDecap_Some(zz_5)) + orfind u_26 = ri_22 <= Qdperuser, u_27 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then + zz_5: eae_output_t <- r_3[u_26, u_27]; + return(AuthDecap_Some(zz_5)) + orfind u_25 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then + zz_5: eae_output_t <- r_4[u_25]; + return(AuthDecap_Some(zz_5)) + else + r_3 <-R eae_output_t; + zz_5: eae_output_t <- r_3; + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- x1; + find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- x1; + find [unique] u_4 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_5 (definition point kept, all usages removed) + - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition kept, array references kept) + - Remove assignments on zz_3 (definition kept, array references kept) + - Remove assignments on zz_3 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + {97} find [unique] u_56 = ri_52 <= Qdperuser, u_57 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && {102}(x_O = x_O_3[ri_52, ri_53]) then + zz_3: eae_output_t <- r_3[u_56, u_57]; + return(AuthEncap_tuple(r_3[u_56, u_57], enc_2)) + orfind u_55 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {135}(x_O = x1[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {273} find [unique] u_46 = ri_42 <= Qdperuser, u_47 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && {278}(x_O_2 = x_O_3[ri_42, ri_43]) then + return(AuthEncap_tuple(r_3[u_46, u_47], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {302}(x_O_2 = x1[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + {408} find [unique] u_35 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {412}(x_O_1 = x1[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + {546} find [unique] u_32 = ri_28 <= Qcperuser, u_33 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && {551}(x_O_3 = x_O[ri_28, ri_29]) then + return(AuthDecap_Some(r[u_32, u_33])) + orfind u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {573}(x_O_3 = x_O_2[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser, u_27 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && {595}(x_O_3 = x_O_3[ri_22, ri_23]) then + return(AuthDecap_Some(r_3[u_26, u_27])) + orfind u_25 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {616}(x_O_3 = x1[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + {665} find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {670}(x1 = x_O[ri_18, ri_19]) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {688}(x1 = x_O_1[ri_16, ri_17]) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {706}(x1 = x_O_2[ri_14, ri_15]) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {724}(x1 = x_O_3[ri_12, ri_13]) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {741}(x1 = x1[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + {761} find [unique] u_4 = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 761 + - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 741 + - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 665 + - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 724 + - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 665 + - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 706 + - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15] in find at 665 + - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 688 + - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17] in find at 665 + - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 670 + - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19] in find at 665 + - Replaced (x_O_3 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 616 + - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 546 + - Replaced (x_O_3 = x_O_3[ri_22, ri_23]) with ((pk_S = pk_S[ri_22, ri_23]) && (i = ri_23) && (pkE_5 = pkE_5[ri_22, ri_23])) at 595 + - In branch 3 of find at 546, substituting u_27 with i + - Replaced defined condition x_O_3[ri_22, ri_23], r_3[ri_22, ri_23] with r_3[ri_22], pkE_5[ri_22], pk_S[ri_22] in find at 546 + - Replaced (x_O_3 = x_O_2[ri_24, ri_25]) with ((pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25])) at 573 + - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25] in find at 546 + - Replaced (x_O_3 = x_O[ri_28, ri_29]) with ((pk_S = pkS[ri_28, ri_29]) && (i = ri_29) && (pkE_5 = pkE_3[ri_28, ri_29])) at 551 + - Remove branch 1 in find at 546 + - Replaced (x_O_1 = x1[ri_31]) with ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 412 + - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 408 + - Replaced (x_O_2 = x1[ri_41]) with ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 302 + - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 273 + - Replaced (x_O_2 = x_O_3[ri_42, ri_43]) with ((pkS_1 = pk_S[ri_42, ri_43]) && (i1 = ri_43) && (pkE_12 = pkE_5[ri_42, ri_43])) at 278 + - In branch 1 of find at 273, substituting u_47 with i1 + - Replaced defined condition x_O_3[ri_42, ri_43], r_3[ri_42, ri_43] with r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1] in find at 273 + - Replaced (x_O = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 135 + - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 97 + - Replaced (x_O = x_O_3[ri_52, ri_53]) with ((pkS = pk_S[ri_52, ri_53]) && (i = ri_53) && (pkE_3 = pkE_5[ri_52, ri_53])) at 102 + - In branch 1 of find at 97, substituting u_57 with i + - Replaced defined condition x_O_3[ri_52, ri_53], r_3[ri_52, ri_53] with r_3[ri_52], pkE_5[ri_52], pk_S[ri_52] in find at 97 +yields + +Game 25 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + {97} find [unique] u_56 = ri_52 <= Qdperuser suchthat defined(r_3[ri_52], pkE_5[ri_52], pk_S[ri_52]) && {104}((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) then + u_57 <= N <- i; + zz_3: eae_output_t <- r_3[u_56]; + return(AuthEncap_tuple(r_3[u_56], enc_2)) + orfind u_55 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && {389}((pkS_1 = pk_S[ri_42, i1]) && (i1 = i1) && (pkE_12 = pkE_5[ri_42, i1])) then + u_47 <= N <- i1; + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && {909}((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) then + u_27 <= N <- i; + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability #OADecap * Qcperuser * PCollKey] + - Simplification pass + - Replaced ((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) with ((pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22])) at 909 + - Replaced ((pkS_1 = pk_S[ri_42, i1]) && (i1 = i1) && (pkE_12 = pkE_5[ri_42, i1])) with ((pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1])) at 389 + - Replaced ((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) with false at 104 + - Remove branch 1 in find at 97 +yields + +Game 26 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + find [unique] u_55 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + u_47 <= N <- i1; + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + u_27 <= N <- i; + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying move all binders + - Move assignment to x_O_5 + - Move assignment to x_O_4 + - Move assignment to x_O_3 + - Move assignment to info_2 + - Move assignment to key_2 + - Move assignment to kemContext_5 + - Move assignment to x_O_1 + - Move assignment to info_7 + - Move assignment to key_7 + - Move assignment to kemContext_13 + - Move assignment to x_O_2 + - Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_12 + - Move assignment to x_O + - Move assignment to info + - Move assignment to key + - Move assignment to kemContext_3 +yields + +Game 27 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + find [unique] u_55 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1], z_6)), exp(g, mult(sk[i1], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + u_47 <= N <- i1; + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + u_27 <= N <- i; + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_5 (definition removed, all usages removed) + - Remove assignments on u_27 (definition removed, all usages removed) + - Remove assignments on dh_13 (definition removed, all usages removed) + - Remove assignments on dh_12 (definition removed, all usages removed) + - Remove assignments on u_47 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + find [unique] u_55 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying equivalence gdh(exp) with variables: sk -> a, z_1 -> b. [probability Adv_GDH(time_1, 5 * Qh) + (#Ochall + N) * PDistRerandom + (#Ochall^2 + 2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_1 -> b. +yields + +Game 29 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + {41} find [unique] u_55 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && ((x: Z_t <- sk'; exp(g, mult(sk, x))) = dh2[ri_51]) && (m_3: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_55]; + return(AuthEncap_tuple(r_4[u_55], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_1]))) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10: G_t <- dh2[ri_41]; (m_10 = exp(g, mult(sk[i1], sk)))) && ((x_1: Z_t <- z_6; exp(g, mult(sk[i1], x_1))) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; (m_4 = exp(m'_1, sk))) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {812} find [unique] u_22 = ri_18 <= Qcperuser, u_23 = ri_19 <= N suchthat defined(r[ri_18, ri_19], sk[ri_19], sk'[ri_18, ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = (x_2: Z_t <- sk'[ri_18, ri_19]; exp(g, mult(sk[ri_19], x_2)))) && (m_14: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_22, u_23]) + orfind u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; (m_15 = exp(m'_4, sk[ri_17]))) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20: G_t <- dh2; (m_20 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15])))) && (dh1 = (x_3: Z_t <- z_6[ri_14, ri_15]; exp(g, mult(sk[i1[ri_14, ri_15]], x_3)))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; (m_22 = exp(m'_6, sk[ri_13]))) && (m_21: G_t <- dh1; m'_5: G_t <- pkE_5[ri_12, ri_13]; (m_21 = exp(m'_5, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 1 in find at 812 + - Remove branch 1 in find at 41 + - Find at 41 removed (else branch kept if any) +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_1]))) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m_10: G_t <- dh2[ri_41]; x_1: Z_t <- z_6; ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10 = exp(g, mult(sk[i1], sk))) && (exp(g, mult(sk[i1], x_1)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4 = exp(m'_1, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]))) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15 = exp(m'_4, sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (m_20: G_t <- dh2; x_3: Z_t <- z_6[ri_14, ri_15]; ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], x_3))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; m_21: G_t <- dh1; m'_5: G_t <- pkE_5[ri_12, ri_13]; ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22 = exp(m'_6, sk[ri_13])) && (m_21 = exp(m'_5, sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_15 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_20 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_21 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_12 (definition removed, all usages removed) + - Remove assignments on m'_3 (definition removed, all usages removed) + - Remove assignments on m_11 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_4 (definition removed, all usages removed) + - Remove assignments on m'_1 (definition removed, all usages removed) + - Remove assignments on m_10 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on m_5 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) + - Remove assignments on pkS (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1 = i1_1 <= N suchthat defined(sk[i1_1]) && (pk_R = exp(g, sk[i1_1])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_46 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1], pkE_5[ri_42, i1], pk_S[ri_42, i1]) && (pkS_1 = pk_S[ri_42, i1]) && (pkE_12 = pkE_5[ri_42, i1]) then + return(AuthEncap_tuple(r_3[u_46, i1], enc_9)) + orfind u_45 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(g, mult(sk[i1], sk))) && (exp(g, mult(sk[i1], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_45], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_35 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (dh2[ri_31] = exp(pk_R, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_35], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(r[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(r[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_28 = ri_24 <= Qeperuser, u_29 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_28, u_29])) + orfind u_26 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_26])) + orfind u_25 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_5, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_25])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_20, u_21]) + orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_18, u_19]) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_16, u_17]) + orfind u_15 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_15]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_4]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + +Initial state +Game 32 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (pkR_4: G_t <- exp(g, sk_1); let (skE_6: Z_t, pkE_9: G_t) = (z_4 <-R Z_t; (z_4, exp(g, z_4))) in dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); enc_7: bitstring <- Serialize(pkE_9); pkS_3: G_t <- exp(g, sk'_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); zz_9: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_9, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + insert E(exp(g, sk'_1), exp(g, sk_1), ce, k'); + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + return((let (skE_7: Z_t, pkE_10: G_t) = (z_5 <-R Z_t; (z_5, exp(g, z_5))) in dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); enc_8: bitstring <- Serialize(pkE_10); pkS_4: G_t <- exp(g, sk_1); kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); zz_10: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthEncap_tuple(zz_10, enc_8) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + get E(=pk_S_1, =exp(g, sk_1), =cd_1, k'': eae_output_t) in + return(AuthDecap_Some(k'')) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_11: G_t) = cd_1 in dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); pkR_5: G_t <- exp(g, skR_1); kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); zz_11: eae_output_t <- (key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5))); AuthDecap_Some(zz_11) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 33 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + {19} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (pkR_4: G_t <- exp(g, sk_1); {25}let (skE_6: Z_t, pkE_9: G_t) = (z_4 <-R Z_t; (z_4, exp(g, z_4))) in dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); enc_7: bitstring <- Serialize(pkE_9); pkS_3: G_t <- exp(g, sk'_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); zz_9: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_9, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + E_2: G_t <- exp(g, sk_1); + E_3: bitstring <- ce; + E_4: eae_output_t <- k'; + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + return({155}(let (skE_7: Z_t, pkE_10: G_t) = (z_5 <-R Z_t; (z_5, exp(g, z_5))) in dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); enc_8: bitstring <- Serialize(pkE_10); pkS_4: G_t <- exp(g, sk_1); kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); zz_10: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthEncap_tuple(zz_10, enc_8) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (E_3[u_2, u_3] = cd_1) then + return(AuthDecap_Some(E_4[u, u_1])) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_11: G_t) = cd_1 in dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); pkR_5: G_t <- exp(g, skR_1); kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); zz_11: eae_output_t <- (key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5))); AuthDecap_Some(zz_11) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Simplify pattern (skE_7: Z_t, pkE_10: G_t) (tuple expanded) at 155 + - Remove else branch of let at 155 + - Simplify pattern (skE_6: Z_t, pkE_9: G_t) (tuple expanded) at 25 + - Remove else branch of let at 25 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 19 + - Remove else branch of let at 19 +yields + +Game 34 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + pkR_4: G_t <- exp(g, sk_1); + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + skE_6: Z_t <- z_4; + dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); + enc_7: bitstring <- Serialize(pkE_9); + pkS_3: G_t <- exp(g, sk'_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + ce: bitstring <- enc_7; + k: eae_output_t <- zz_9; + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + E_2: G_t <- exp(g, sk_1); + E_3: bitstring <- ce; + E_4: eae_output_t <- k'; + return(AuthEncap_tuple(k', ce)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + skE_7: Z_t <- z_5; + dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (E_3[u_2, u_3] = cd_1) then + return(AuthDecap_Some(E_4[u, u_1])) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); + pkR_5: G_t <- exp(g, skR_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on skE_7 (definition removed, all usages removed) + - Remove assignments on skE_6 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on key_3 (definition removed, all usages removed) + - Remove assignments on info_3 (definition removed, all usages removed) + - Remove assignments on dh_9 (definition removed, all usages removed) + - Remove assignments on kemContext_9 (definition removed, all usages removed) + - Remove assignments on pkR_4 (definition removed, all usages removed) + - Remove assignments on pkS_3 (definition removed, all usages removed) +yields + +Game 35 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + E_2: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + {155} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(enc_7[u_2, u_3], k'[u_2, u_3], E_1[u_2, u_3], E_2[u_2, u_3]) && {164}((E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (enc_7[u_2, u_3] = cd_1)) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (enc_7[u_2, u_3] = cd_1)) with ((E_1[u_2, u_3] = pk_S_1) && (u_3 = i_1) && (enc_7[u_2, u_3] = cd_1)) at 164 + - In branch 1 of find at 155, substituting u_1 with i_1 + - Replaced defined condition enc_7[u_2, u_3], k'[u_2, u_3], E_1[u_2, u_3], E_2[u_2, u_3] with enc_7[u_2], k'[u_2], E_1[u_2], E_2[u_2] in find at 155 +yields + +Game 36 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + E_2: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2], E_2[u_2]) && {164}((E_1[u_2] = pk_S_1) && (i_1 = i_1) && (enc_7[u_2] = cd_1)) then + u_1 <= N <- i_1; + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced ((E_1[u_2] = pk_S_1) && (i_1 = i_1) && (enc_7[u_2] = cd_1)) with ((E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1)) at 164 +yields + +Game 37 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + E_2: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2], E_2[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + u_1 <= N <- i_1; + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_1 (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) +yields + +Game 38 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {55} z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction find i2 <= N suchthat + defined(sk_1[i2]) + && pk_R_1 = exp(g, sk_1[i2]) then at occurrence 55 +yields + +Game 39 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {372} return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 372 +yields + +Game 40 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk +yields + +Game 41 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {135}find [unique] u_102 = ri_98 <= Qeperuser, u_103 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_102, u_103] orfind u_100 = ri_96 <= Qeperuser, u_101 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_100, u_101] orfind u_98 = ri_94 <= Qdperuser, u_99 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_98, u_99] orfind u_97 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_97] orfind u_96 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {204}(x_O_7 = x_O_10[ri_92]) then r_10[u_96] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {307}find [unique] u_94 = ri_90 <= Qeperuser, u_95 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_94, u_95] orfind u_92 = ri_88 <= Qeperuser, u_93 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_92, u_93] orfind u_90 = ri_86 <= Qdperuser, u_91 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_90, u_91] orfind u_89 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_89] orfind u_88 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {376}(x_O_6 = x_O_10[ri_84]) then r_10[u_88] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {505}find [unique] u_86 = ri_82 <= Qeperuser, u_87 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_86, u_87] orfind u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_84, u_85] orfind u_82 = ri_78 <= Qdperuser, u_83 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_82, u_83] orfind u_81 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_81] orfind u_80 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {574}(x_O_8 = x_O_10[ri_76]) then r_10[u_80] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; {625}find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_78, u_79] orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_76, u_77] orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_74, u_75] orfind u_73 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_73] orfind u_72 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {683}(x_O_9 = x_O_10[ri_68]) then r_10[u_72] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; {700}find [unique] u_70 = ri_66 <= Qeperuser, u_71 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {705}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_70, u_71] orfind u_68 = ri_64 <= Qeperuser, u_69 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {720}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_68, u_69] orfind u_66 = ri_62 <= Qdperuser, u_67 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {735}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_66, u_67] orfind u_65 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {748}(x_O_10 = x_O_9[ri_61]) then r_9[u_65] orfind u_64 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_64] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying simplify (non-expanded game) [probability (#OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_7 = x_O_10[ri_92]) with false at 204 + - Remove branch 5 in find at 135 + - Replaced (x_O_6 = x_O_10[ri_84]) with false at 376 + - Remove branch 5 in find at 307 + - Replaced (x_O_8 = x_O_10[ri_76]) with false at 574 + - Remove branch 5 in find at 505 + - Replaced (x_O_9 = x_O_10[ri_68]) with false at 683 + - Remove branch 5 in find at 625 + - Replaced (x_O_10 = x_O_9[ri_61]) with false at 748 + - Remove branch 4 in find at 700 + - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 735 + - Remove branch 3 in find at 700 + - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 720 + - Remove branch 2 in find at 700 + - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 705 + - Remove branch 1 in find at 700 +yields + +Game 42 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {135}find [unique] u_102 = ri_98 <= Qeperuser, u_103 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_102, u_103] orfind u_100 = ri_96 <= Qeperuser, u_101 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_100, u_101] orfind u_98 = ri_94 <= Qdperuser, u_99 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_98, u_99] orfind u_97 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_97] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {295}find [unique] u_94 = ri_90 <= Qeperuser, u_95 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_94, u_95] orfind u_92 = ri_88 <= Qeperuser, u_93 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_92, u_93] orfind u_90 = ri_86 <= Qdperuser, u_91 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_90, u_91] orfind u_89 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_89] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {481}find [unique] u_86 = ri_82 <= Qeperuser, u_87 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_86, u_87] orfind u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_84, u_85] orfind u_82 = ri_78 <= Qdperuser, u_83 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_82, u_83] orfind u_81 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_81] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_78, u_79] orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_76, u_77] orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_74, u_75] orfind u_73 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_73] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; find [unique] u_64 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_64] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 1 in find at 481 + - Remove branch 3 in find at 295 + - Remove branch 2 in find at 295 + - Remove branch 1 in find at 295 + - Remove branch 2 in find at 135 + - Remove branch 1 in find at 135 +yields + +Game 43 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_98 = ri_94 <= Qdperuser, u_99 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then + zz_10: eae_output_t <- r_8[u_98, u_99]; + return(AuthEncap_tuple(zz_10, enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then + zz_10: eae_output_t <- r_9[u_97]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_7 <-R eae_output_t; + zz_10: eae_output_t <- r_7; + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_89 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then + zz_10: eae_output_t <- r_9[u_89]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_6 <-R eae_output_t; + zz_10: eae_output_t <- r_6; + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then + zz_11: eae_output_t <- r_7[u_84, u_85]; + return(AuthDecap_Some(zz_11)) + orfind u_82 = ri_78 <= Qdperuser, u_83 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then + zz_11: eae_output_t <- r_8[u_82, u_83]; + return(AuthDecap_Some(zz_11)) + orfind u_81 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then + zz_11: eae_output_t <- r_9[u_81]; + return(AuthDecap_Some(zz_11)) + else + r_8 <-R eae_output_t; + zz_11: eae_output_t <- r_8; + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- x1_1; + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- x1_1; + find [unique] u_64 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_10 (definition point kept, all usages removed) + - Remove assignments on x_O_9 (definition point kept, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) +yields + +Game 44 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- {72}concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {134} find [unique] u_98 = ri_94 <= Qdperuser, u_99 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && {139}(x_O_7 = x_O_8[ri_94, ri_95]) then + return(AuthEncap_tuple(r_8[u_98, u_99], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {163}(x_O_7 = x1_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {269} find [unique] u_89 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {273}(x_O_6 = x1_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {405} find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && {410}(x_O_8 = x_O_7[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser, u_83 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {432}(x_O_8 = x_O_8[ri_78, ri_79]) then + return(AuthDecap_Some(r_8[u_82, u_83])) + orfind u_81 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {453}(x_O_8 = x1_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + {502} find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {507}(x1_1 = x_O_6[ri_74, ri_75]) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {525}(x1_1 = x_O_7[ri_72, ri_73]) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {543}(x1_1 = x_O_8[ri_70, ri_71]) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {560}(x1_1 = x1_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + {580} find [unique] u_64 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 580 + - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 560 + - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 502 + - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 543 + - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 502 + - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 525 + - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73] in find at 502 + - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 507 + - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75] in find at 502 + - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 453 + - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 405 + - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_11 = pkE_11[ri_78, ri_79])) at 432 + - In branch 2 of find at 405, substituting u_83 with i_1 + - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78] in find at 405 + - Replaced (x_O_8 = x_O_7[ri_80, ri_81]) with ((pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81])) at 410 + - Replaced defined condition x_O_7[ri_80, ri_81], r_7[ri_80, ri_81] with r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81] in find at 405 + - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 273 + - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 269 + - Replaced concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i2_952], z_5)), exp(g, mult(sk_1[i2_952], sk_1))) at 72 + - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 163 + - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 134 + - Replaced (x_O_7 = x_O_8[ri_94, ri_95]) with ((pkS_4 = pk_S_1[ri_94, ri_95]) && (i2_952 = ri_95) && (pkE_10 = pkE_11[ri_94, ri_95])) at 139 + - In branch 1 of find at 134, substituting u_99 with i2_952 + - Replaced defined condition x_O_8[ri_94, ri_95], r_8[ri_94, ri_95] with r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952] in find at 134 +yields + +Game 45 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_952], z_5)), exp(g, mult(sk_1[i2_952], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && {153}((pkS_4 = pk_S_1[ri_94, i2_952]) && (i2_952 = i2_952) && (pkE_10 = pkE_11[ri_94, i2_952])) then + u_99 <= N <- i2_952; + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && {671}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) then + u_83 <= N <- i_1; + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78])) at 671 + - Replaced ((pkS_4 = pk_S_1[ri_94, i2_952]) && (i2_952 = i2_952) && (pkE_10 = pkE_11[ri_94, i2_952])) with ((pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952])) at 153 +yields + +Game 46 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_952], z_5)), exp(g, mult(sk_1[i2_952], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952]) then + u_99 <= N <- i2_952; + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + u_83 <= N <- i_1; + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying move all binders + - Move assignment to x_O_10 + - Move assignment to x_O_9 + - Move assignment to x_O_8 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_11 + - Move assignment to x_O_6 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_10 + - Move assignment to x_O_7 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_10 +yields + +Game 47 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_952], z_5)), exp(g, mult(sk_1[i2_952], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952]) then + u_99 <= N <- i2_952; + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + u_83 <= N <- i_1; + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on u_83 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on u_99 (definition removed, all usages removed) +yields + +Game 48 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952]) then + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying SA rename z_5 + - Rename variable z_5 into z_9, z_8 +yields + +Game 49 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_8 <-R Z_t; + pkE_10: G_t <- exp(g, z_8); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952]) then + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_8)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_9 <-R Z_t; + pkE_10: G_t <- exp(g, z_9); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying SA rename enc_8 + - Rename variable enc_8 into enc_12, enc_11 +yields + +Game 50 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_8 <-R Z_t; + pkE_10: G_t <- exp(g, z_8); + enc_11: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_10 = pkE_11[ri_94, i2_952]) then + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_11)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_11)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_11)) + else + z_9 <-R Z_t; + pkE_10: G_t <- exp(g, z_9); + enc_12: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_12)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_12)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying SA rename pkE_10 + - Rename variable pkE_10 into pkE_15, pkE_14 +yields + +Game 51 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk'_1); + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_8 <-R Z_t; + pkE_14: G_t <- exp(g, z_8); + enc_11: bitstring <- Serialize(pkE_14); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_14 = pkE_11[ri_94, i2_952]) then + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_11)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_14 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_11)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_11)) + else + z_9 <-R Z_t; + pkE_15: G_t <- exp(g, z_9); + enc_12: bitstring <- Serialize(pkE_15); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_15 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_12)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_12)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(enc_7[u_2], k'[u_2], E_1[u_2]) && (E_1[u_2] = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_14[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_14[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_15[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_15[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_14[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_14[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of binder E_1 + - Remove assignments on E_1 (definition removed, all usages removed) +yields + +Game 52 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_952 = i2_953 <= N suchthat defined(sk_1[i2_953]) && (pk_R_1 = exp(g, sk_1[i2_953])) then + z_8 <-R Z_t; + pkE_14: G_t <- exp(g, z_8); + enc_11: bitstring <- Serialize(pkE_14); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_98 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_952], pkE_11[ri_94, i2_952], pk_S_1[ri_94, i2_952]) && (pkS_4 = pk_S_1[ri_94, i2_952]) && (pkE_14 = pkE_11[ri_94, i2_952]) then + return(AuthEncap_tuple(r_8[u_98, i2_952], enc_11)) + orfind u_97 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_14 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_952], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_952], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_97], enc_11)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_11)) + else + z_9 <-R Z_t; + pkE_15: G_t <- exp(g, z_9); + enc_12: bitstring <- Serialize(pkE_15); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_89 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_15 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_89], enc_12)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_12)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(sk'_1[u_2], enc_7[u_2], k'[u_2]) && (exp(g, sk'_1[u_2]) = pk_S_1) && (enc_7[u_2] = cd_1) then + return(AuthDecap_Some(k'[u])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_84 = ri_80 <= Qeperuser, u_85 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_14[ri_80, ri_81], i2_952[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_952[ri_80, ri_81]) && (pkE_11 = pkE_14[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_84, u_85])) + orfind u_82 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_82])) + orfind u_81 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_81])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_78 = ri_74 <= Qeperuser, u_79 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_15[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_15[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_78, u_79]) + orfind u_76 = ri_72 <= Qeperuser, u_77 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_952[ri_72, ri_73]], pkE_14[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_14[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_952[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_76, u_77]) + orfind u_74 = ri_70 <= Qdperuser, u_75 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_74, u_75]) + orfind u_73 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_73]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_64 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_64]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Proved indistinguishability between game 52 and game 1 +Game 52 is the same as game 31. +Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + #OAEncap * N + 4 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 8 * #OAEncap^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] +Adv[Game 32: indistinguishability from game 52] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 52: indistinguishability from game 52] +RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + 2 * #OAEncap * N + 9 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 10 * #OAEncap^2) * PCollKey +RESULT time_1 = (#Ochall + #OAEncap) * time(Serialize) + #Ochall * time(AuthEncap_tuple, maxlength(game 28: enc_2)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_10)) + #OADecap * Qcperuser * time(= bitstring, maxlength(game 28: enc_2), maxlength(game 28: cd)) + (#OADecap * Qcperuser + 2 * Qh * #OAEncap + 3 * #Ochall + 2 * #OAEncap + 1 + N) * time(exp) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (2 * Qh * #Ochall + 3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + time +All queries proved. diff --git a/dhkem.auth.outsider-auth-lr.m4.ocv b/dhkem.auth.outsider-auth-lr.m4.ocv index 0aabe26..e10896c 100644 --- a/dhkem.auth.outsider-auth-lr.m4.ocv +++ b/dhkem.auth.outsider-auth-lr.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -41,14 +53,14 @@ proof { find introduced above. *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_2[ie1_2, i1_8]"; + "zz_2[ie1_1, i1_4]"; remove_assign useless; out_game "l2occ.out.cv" occ; (* Replace the result of OADecap with the result of a previous call to OADecap, in the second branch of the first find introduced above *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_3[id1_2]"; + "zz_3[id1_1]"; (* Use unique names for the assignments of the following variables that are currently not unique *) SArename zz_3; @@ -95,6 +107,7 @@ proof { start_from_other_end; (* Now we work on the right-hand side *) + remove_assign binder E_5; (* In OAEncap, distinguish whether pk_R is an honest key or not *) insert after "OAEncap(pk_R_1" "find i1 <= N suchthat @@ -130,30 +143,15 @@ proof { success } -include(`common.dhkem.dh.ocv') - -proba Adv_sqGDH. -proba PDistRerandom. -expand square_GDH_RSR_minimal( - (* types *) - G_t, (* Group elements *) - Z_t, (* Exponents *) - (* variables *) - g, (* a generator of the group *) - exp, (* exponentiation function *) - mult, (* multiplication function for exponents *) - (* probabilities *) - Adv_sqGDH, (* probability of breaking the square GDH assumption *) - PDistRerandom (* probability of distinguishing a key that comes from - rerandomization from an honestly chosen key *) -). - -include(`common.dhkem.ocv') +define(`square') +include(`common.dhkem.ocvl') event AuthEncap_does_not_fail. param N, Qeperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -181,6 +179,7 @@ equivalence foreach ie <= Qeperuser do ( OAEncap(pk_R: G_t) := let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pk_R, skgen(sk)) in ( + insert E(pkgen(sk), pk_R, ce, k); return(AuthEncap_tuple(k, ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -188,27 +187,14 @@ equivalence )) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - OAEncap and previous OADecap queries using arrays. - The first branch looks into OAEncap queries, and in case of - success, the oracle returns the key k computed there. - The second branch (after "orfind") looks into previous - OADecap queries, and in case of success, the oracle returns - the previously computed key k'. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], k[ie1, i1], ce[ie1, i1]) && - pkgen(sk) = pk_R[ie1, i1] && pkgen(sk[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k[ie1, i1])) - ) orfind id1 <= Qdperuser, i1 <= N suchthat - defined(sk[i1], pk_S[id1, i1], k'[id1, i1], cd[id1, i1]) && - pkgen(sk) = pkgen(sk[i1]) && pk_S[id1, i1] = pk_S && cd[id1, i1] = cd then ( - return(AuthDecap_Some(k'[id1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( (* This "find" checks whether pk_S is among the honest public keys pk_i *) find i1 <= N suchthat defined(sk[i1]) && pk_S = pkgen(sk[i1]) then ( let AuthDecap_Some(k0) = AuthDecap(key_extr, cd, skgen(sk), pk_S) in ( k' <-R eae_output_t; + insert E(pk_S, pkgen(sk), cd, k'); return(AuthDecap_Some(k')) ) else ( return(AuthDecap_None) @@ -221,3 +207,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.outsider-auth-lr.m4.ocv TAG: 1 +All queries proved. +0.924s (user 0.916s + system 0.008s), max rss 30176K +END *) diff --git a/dhkem.auth.outsider-auth-lr.ocv b/dhkem.auth.outsider-auth-lr.ocv index 117735f..f4afb04 100644 --- a/dhkem.auth.outsider-auth-lr.ocv +++ b/dhkem.auth.outsider-auth-lr.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -41,14 +53,14 @@ proof { find introduced above. *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_2[ie1_2, i1_8]"; + "zz_2[ie1_1, i1_4]"; remove_assign useless; out_game "l2occ.out.cv" occ; (* Replace the result of OADecap with the result of a previous call to OADecap, in the second branch of the first find introduced above *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_3[id1_2]"; + "zz_3[id1_1]"; (* Use unique names for the assignments of the following variables that are currently not unique *) SArename zz_3; @@ -95,6 +107,7 @@ proof { start_from_other_end; (* Now we work on the right-hand side *) + remove_assign binder E_5; (* In OAEncap, distinguish whether pk_R is an honest key or not *) insert after "OAEncap(pk_R_1" "find i1 <= N suchthat @@ -130,6 +143,20 @@ proof { success } + +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + + type G_t [bounded]. fun Serialize(G_t): bitstring [data]. type Z_t [bounded,nonuniform]. @@ -145,6 +172,7 @@ expand DH_proba_collision_minimal( ). + proba Adv_sqGDH. proba PDistRerandom. expand square_GDH_RSR_minimal( @@ -156,11 +184,13 @@ expand square_GDH_RSR_minimal( exp, (* exponentiation function *) mult, (* multiplication function for exponents *) (* probabilities *) - Adv_sqGDH, (* probability of breaking the square GDH assumption *) + Adv_sqGDH, (* probability of breaking the GDH assumption *) PDistRerandom (* probability of distinguishing a key that comes from rerandomization from an honestly chosen key *) ). + + (* For a group of prime order q: PColl1Rand(Z_t) = PColl2Rand(Z_t) = 1/(q-1) PCollKey1 = PCollKey2 = 1/(q-1) @@ -201,7 +231,7 @@ const lbytes_empty: extract_salt_t. fun eae_input(extract_salt_t, extract_key_t, expand_info_t): eae_input_t [data]. (* The core of ExtractAndExpand, a.k.a. HKDF. -(* Usage of the RO assumption is for example justified in Lemma 6 of +Usage of the RO assumption is for example justified in Lemma 6 of Benjamin Lipp, Bruno Blanchet, Karthikeyan Bhargavan, A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, EuroSP2019 *) @@ -320,6 +350,8 @@ event AuthEncap_does_not_fail. param N, Qeperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -347,6 +379,7 @@ equivalence foreach ie <= Qeperuser do ( OAEncap(pk_R: G_t) := let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pk_R, skgen(sk)) in ( + insert E(pkgen(sk), pk_R, ce, k); return(AuthEncap_tuple(k, ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -354,27 +387,14 @@ equivalence )) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - OAEncap and previous OADecap queries using arrays. - The first branch looks into OAEncap queries, and in case of - success, the oracle returns the key k computed there. - The second branch (after "orfind") looks into previous - OADecap queries, and in case of success, the oracle returns - the previously computed key k'. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], k[ie1, i1], ce[ie1, i1]) && - pkgen(sk) = pk_R[ie1, i1] && pkgen(sk[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k[ie1, i1])) - ) orfind id1 <= Qdperuser, i1 <= N suchthat - defined(sk[i1], pk_S[id1, i1], k'[id1, i1], cd[id1, i1]) && - pkgen(sk) = pkgen(sk[i1]) && pk_S[id1, i1] = pk_S && cd[id1, i1] = cd then ( - return(AuthDecap_Some(k'[id1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( (* This "find" checks whether pk_S is among the honest public keys pk_i *) find i1 <= N suchthat defined(sk[i1]) && pk_S = pkgen(sk[i1]) then ( let AuthDecap_Some(k0) = AuthDecap(key_extr, cd, skgen(sk), pk_S) in ( k' <-R eae_output_t; + insert E(pk_S, pkgen(sk), cd, k'); return(AuthDecap_Some(k')) ) else ( return(AuthDecap_None) @@ -387,3 +407,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.outsider-auth-lr.m4.ocv TAG: 1 +All queries proved. +0.924s (user 0.916s + system 0.008s), max rss 30176K +END *) diff --git a/dhkem.auth.outsider-auth-lr.proof b/dhkem.auth.outsider-auth-lr.proof index c6e25a5..418c0a1 100644 --- a/dhkem.auth.outsider-auth-lr.proof +++ b/dhkem.auth.outsider-auth-lr.proof @@ -1,5932 +1,6068 @@ -Initial state -Game 1 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 2 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - skS: Z_t <- sk; - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - skE: Z_t <- z; - dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, skS); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); - pkR_1: G_t <- exp(g, skR); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skS (definition removed, all usages removed) - - Remove assignments on skE (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find ie1_1 = ie1 <= Qeperuser, i1_3 = i1_2 <= N suchthat - defined(zz_2[ie1, i1_2], enc_1[ie1, i1_2], sk[i1_2], pk_R[ie1, i1_2]) - && (exp(g, sk) = pk_R[ie1, i1_2]) - && (exp(g, sk[i1_2]) = pk_S) - && (enc_1[ie1, i1_2] = enc_2) then - orfind id1_1 = id1 <= Qdperuser suchthat - defined(random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1]) - && (pk_S[id1] = pk_S) - && (enc_2[id1] = enc_2) then - else - find i1_1 = i1 <= N suchthat - defined(sk[i1]) - && (pk_S = exp(g, sk[i1])) then - random_br <- true at occurrence 116 -yields - -Game 4 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {124}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) then - dh_3: GG_t <- {150}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3]) && {229}((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) then - dh_3: GG_t <- {245}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- true; - dh_3: GG_t <- {329}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))) at 329 - - Replaced ((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) with ((pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3)) at 229 - - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))) at 245 - - Replaced defined condition random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3] with random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] in find at 116 - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) with ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 124 - - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))) at 150 - - Replaced defined condition zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 -yields - -Game 5 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({222}zz_3)) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- true; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 222 with zz_2[ie1_2, i1_8] -yields - -Game 6 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- true; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of useless - - Remove assignments on random_br (definition point kept, all usages removed) - - Remove assignments on zz_3 (definition point kept, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on kemContext_3 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 7 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_3: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({258}zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 258 with zz_3[id1_2] -yields - -Game 8 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_3: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_3 - - Rename variable zz_3 into zz_13, zz_12, zz_11, zz_10 -yields - -Game 9 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_10[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_11[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on random_br (definition removed, all usages removed) -yields - -Game 10 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_10[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_11[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Remove branch 5 in find at 116 - - Remove branch 3 in find at 116 - - Remove branch 2 in find at 116 - - Replaced defined condition zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 -yields - -Game 11 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_3 - - Rename variable dh_3 into dh_12, dh_11, dh_10 -yields - -Game 12 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_10: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) - - Remove assignments on kemContext_3 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 13 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] with zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3] in find at 116 -yields - -Game 14 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_3 - - Rename variable kemContext_3 into kemContext_11, kemContext_10 -yields - -Game 15 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key_1 - - Rename variable key_1 into key_6, key_5 -yields - -Game 16 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename info_1 - - Rename variable info_1 into info_6, info_5 -yields - -Game 17 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {18} z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 18 -yields - -Game 18 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename z - - Rename variable z into z_3, z_2 -yields - -Game 19 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- {36}concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_2), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))) at 36 -yields - -Game 20 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename enc_1 - - Rename variable enc_1 into enc_8, enc_7 -yields - -Game 21 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_2 - - Rename variable dh_2 into dh_14, dh_13 -yields - -Game 22 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_2 - - Rename variable zz_2 into zz_15, zz_14 -yields - -Game 23 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {222} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {230}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_15[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {273}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then - return(AuthDecap_Some(zz_15[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with false at 273 - - Remove branch 2 in find at 222 - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with ((i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 230 - - Replaced defined condition zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9] in find at 222 -yields - -Game 24 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_2 - - Rename variable kemContext_2 into kemContext_13, kemContext_12 -yields - -Game 25 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key - - Rename variable key into key_8, key_7 -yields - -Game 26 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename info - - Rename variable info into info_8, info_7 -yields - -Game 27 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkR_1 - - Rename variable pkR_1 into pkR_6, pkR_5 -yields - -Game 28 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - {466} return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 466 -yields - -Game 29 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_3, x1)) - else - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_58 = ri_58 <= Qeperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && {109}(x_O_1 = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {191}(x_O_1 = x_O_5[ri_50]) then r_5[u_50] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {294}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {317}(x_O = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {381}(x_O = x_O_5[ri_40]) then r_5[u_40] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {563}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {650}(x_O_3 = x_O_5[ri_30]) then r_5[u_30] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {735}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {822}(x_O_2 = x_O_5[ri_20]) then r_5[u_20] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; {873}find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {946}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; {963}find [unique] u_8 = ri_8 <= Qeperuser, u_9 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {968}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {983}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qdperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {998}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {1013}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1026}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] - - Simplification pass - - Replaced (x_O_1 = x_O_5[ri_50]) with false at 191 - - Remove branch 6 in find at 104 - - Replaced (x_O_1 = x_O[ri_58, ri_59]) with false at 109 - - Remove branch 1 in find at 104 - - Replaced (x_O = x_O_5[ri_40]) with false at 381 - - Remove branch 6 in find at 294 - - Replaced (x_O = x_O_1[ri_46, ri_47]) with false at 317 - - Remove branch 2 in find at 294 - - Replaced (x_O_3 = x_O_5[ri_30]) with false at 650 - - Remove branch 6 in find at 563 - - Replaced (x_O_2 = x_O_5[ri_20]) with false at 822 - - Remove branch 6 in find at 735 - - Replaced (x_O_4 = x_O_5[ri_10]) with false at 946 - - Remove branch 6 in find at 873 - - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1026 - - Remove branch 5 in find at 963 - - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 1013 - - Remove branch 4 in find at 963 - - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 998 - - Remove branch 3 in find at 963 - - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 983 - - Remove branch 2 in find at 963 - - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 968 - - Remove branch 1 in find at 963 -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {264}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {503}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {663}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] - - Expand if/find/let - - Remove branch 4 in find at 663 - - Remove branch 2 in find at 663 - - Remove branch 1 in find at 663 - - Remove branch 3 in find at 503 - - Remove branch 2 in find at 503 - - Remove branch 1 in find at 503 - - Remove branch 3 in find at 264 - - Remove branch 2 in find at 264 - - Remove branch 1 in find at 264 - - Remove branch 3 in find at 104 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 32 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(zz_14, enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then - zz_15: eae_output_t <- r_4[u_41]; - return(AuthEncap_tuple(zz_15, enc_8)) - else - r <-R eae_output_t; - zz_15: eae_output_t <- r; - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then - zz_12: eae_output_t <- r_3[u_32, u_33]; - return(AuthDecap_Some(zz_12)) - orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(zz_12)) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then - zz_13: eae_output_t <- r_2[u_24, u_25]; - return(AuthDecap_Some(zz_13)) - orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then - zz_13: eae_output_t <- r_4[u_21]; - return(AuthDecap_Some(zz_13)) - else - r_2 <-R eae_output_t; - zz_13: eae_output_t <- r_2; - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- x1; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- x1; - find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_5 (definition point kept, all usages removed) - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_15 (definition removed, all usages removed) - - Remove assignments on zz_15 (definition removed, all usages removed) - - Remove assignments on zz_14 (definition kept, array references kept) - - Remove assignments on zz_14 (definition kept, array references kept) -yields - -Game 33 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - {103} find [unique] u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {107}(x_O_1 = x1[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - {224} find [unique] u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {228}(x_O = x1[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {413} find [unique] u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && {418}(x_O_3 = x_O_3[ri_32, ri_33]) then - zz_12: eae_output_t <- r_3[u_32, u_33]; - return(AuthDecap_Some(r_3[u_32, u_33])) - orfind u_31 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {448}(x_O_3 = x1[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {544} find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {549}(x_O_2 = x_O_2[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {570}(x_O_2 = x1[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - {619} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {624}(x1 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {642}(x1 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {660}(x1 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {678}(x1 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {695}(x1 = x1[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - {715} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 715 - - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 695 - - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 619 - - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 678 - - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 619 - - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 660 - - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15] in find at 619 - - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 642 - - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17] in find at 619 - - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 624 - - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19] in find at 619 - - Replaced (x_O_2 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 570 - - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 544 - - Replaced (x_O_2 = x_O_2[ri_24, ri_25]) with ((pk_S = pk_S[ri_24, ri_25]) && (i = ri_25) && (pkE_3 = pkE_3[ri_24, ri_25])) at 549 - - In branch 1 of find at 544, substituting u_25 with i - - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24], pkE_3[ri_24], pk_S[ri_24] in find at 544 - - Replaced (x_O_3 = x1[ri_31]) with ((pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 448 - - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 413 - - Replaced (x_O_3 = x_O_3[ri_32, ri_33]) with ((i1_6 = i1_6[ri_32, ri_33]) && (i = ri_33) && (pkE_3 = pkE_3[ri_32, ri_33])) at 418 - - Remove branch 1 in find at 413 - - Replaced (x_O = x1[ri_41]) with ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 228 - - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 224 - - Replaced (x_O_1 = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 107 - - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 103 -yields - -Game 34 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && {789}((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) with ((pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24])) at 789 -yields - -Game 35 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying move all binders - - Move assignment to x_O_5 - - Move assignment to x_O_4 - - Move assignment to x_O_2 - - Move assignment to info_6 - - Move assignment to key_6 - - Move assignment to kemContext_11 - - Move assignment to x_O_3 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_10 - - Move assignment to x_O - - Move assignment to info_8 - - Move assignment to key_8 - - Move assignment to kemContext_13 - - Move assignment to x_O_1 - - Move assignment to info_7 - - Move assignment to key_7 - - Move assignment to kemContext_12 -yields - -Game 36 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_12 (definition removed, all usages removed) - - Remove assignments on u_25 (definition removed, all usages removed) - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on dh_14 (definition removed, all usages removed) - - Remove assignments on dh_13 (definition removed, all usages removed) -yields - -Game 37 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - pkR_5: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying equivalence gdh(exp) with z_2, sk. [probability Adv_sqGDH(time_1, 7 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_2 -> a. -yields - -Game 38 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_11]))) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - {49} find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (m_3: G_t <- dh2[ri_51]; false) && (m_2: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; (m_9 = exp(g, sk[i1_9]))) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_7]))) then - pkR_5: G_t <- exp(g, sk); - {425} find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_8: G_t <- dh2[ri_31]; false) && (m_7: G_t <- dh1[ri_31]; m'_3: G_t <- pkE_3; (m_7 = exp(m'_3, sk))) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; (m_5 = exp(m'_2, sk))) && (m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; (m_4 = exp(m'_1, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {741} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; (m_10 = exp(m'_4, sk[ri_19]))) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_12: G_t <- dh2; false) && (m_11: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; (m_14 = exp(m'_6, sk[ri_15]))) && (m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; (m_13 = exp(m'_5, sk[ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_16: G_t <- dh2; false) && (m_15: G_t <- dh1; m'_7: G_t <- pkE_3[ri_12, ri_13]; (m_15 = exp(m'_7, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 4 in find at 741 - - Remove branch 2 in find at 741 - - Remove branch 1 in find at 425 - - Find at 425 removed (else branch kept if any) - - Remove branch 1 in find at 49 - - Find at 49 removed (else branch kept if any) -yields - -Game 39 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_11]))) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m = exp(m', sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; ((i = i1_10[ie1_3, i1_9]) && (m_9 = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3))) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_7]))) then - pkR_5: G_t <- exp(g, sk); - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5 = exp(m'_2, sk)) && (m_4 = exp(m'_1, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10 = exp(m'_4, sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r[u_18, u_19]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_6, sk[ri_15])) && (m_13 = exp(m'_5, sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_14, u_15]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_10 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_14 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m_13 (definition removed, all usages removed) - - Remove assignments on m'_5 (definition removed, all usages removed) - - Remove assignments on m_5 (definition removed, all usages removed) - - Remove assignments on m'_2 (definition removed, all usages removed) - - Remove assignments on m_4 (definition removed, all usages removed) - - Remove assignments on m'_1 (definition removed, all usages removed) - - Remove assignments on pkR_5 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on m_6 (definition removed, all usages removed) - - Remove assignments on m_9 (definition removed, all usages removed) - - Remove assignments on m (definition removed, all usages removed) - - Remove assignments on m' (definition removed, all usages removed) - - Remove assignments on zz_14 (definition removed, all usages removed) - - Remove assignments on m_1 (definition removed, all usages removed) -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(pk_R, sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(r_3[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(r_3[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - -Initial state -Game 41 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {18} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {22}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_3: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None) in - return(AuthEncap_tuple(k, ce)) - else - return(AuthEncap_None) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then - return(AuthDecap_Some(k[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exp(g, sk_1) = (exponent_17: Z_t <- sk_1[i1_4]; exp(g, exponent_17))) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then - {240} let AuthDecap_Some(k0: eae_output_t) = (skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None) in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_8: G_t) = cd in dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); pkR_3: G_t <- exp(g, skR_1); kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthDecap_Some(zz_8) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying expand [probability N^2 * PCollKey] - - Expand if/find/let - - Remove let at 240 - - Simplify pattern AuthDecap_Some(k0: eae_output_t) (tuple expanded) at 240 - - Remove else branch of let at 240 - - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 22 - - Remove else branch of let at 22 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 18 - - Remove else branch of let at 18 -yields - -Game 42 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, skS_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - ce: bitstring <- enc_6; - k: eae_output_t <- zz_7; - return(AuthEncap_tuple(k, ce)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then - return(AuthDecap_Some(k[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exponent_17: Z_t <- sk_1[i1_4]; ((exp(g, sk_1) = exp(g, exponent_17)) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd))) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_S_1 = exp(g, exponent_15))) then - skR_1: Z_t <- sk_1; - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); - pkR_4: G_t <- exp(g, skR_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - k0: eae_output_t <- zz_9; - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); - pkR_3: G_t <- exp(g, skR_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on k0 (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on exponent_17 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on key_4 (definition removed, all usages removed) - - Remove assignments on info_4 (definition removed, all usages removed) - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on kemContext_9 (definition removed, all usages removed) - - Remove assignments on pkR_4 (definition removed, all usages removed) -yields - -Game 43 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && {163}((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) with ((i_1 = i1_4) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) at 163 - - In branch 2 of find at 112, substituting i1_1 with i_1 - - Replaced defined condition sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4] with k'[id1], cd[id1], pk_S_1[id1] in find at 112 -yields - -Game 44 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {162}((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) at 162 -yields - -Game 45 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on i1_1 (definition removed, all usages removed) -yields - -Game 46 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let Serialize(pkE_10) = cd in at occurrence 112 -yields - -Game 47 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {116} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {124}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {166}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - {200} let Serialize(pkE_9: G_t) = {201}cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - {216} let Serialize(pkE_8: G_t) = {217}cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - else - {296} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {304}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {346}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - {380} let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - {396} let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Remove let at 396 - - Remove let at 380 - - Replaced ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with false at 346 - - Remove branch 2 in find at 296 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with false at 304 - - Remove branch 1 in find at 296 - - Find at 296 removed (else branch kept if any) - - Replaced cd with Serialize(pkE_10) at 217 - - Remove else branch of let at 216 - - Simplify pattern Serialize(pkE_8: G_t) (tuple expanded) at 216 - - Replaced cd with Serialize(pkE_10) at 201 - - Remove else branch of let at 200 - - Simplify pattern Serialize(pkE_9: G_t) (tuple expanded) at 200 - - Replaced ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) && (pkE_9[id1] = pkE_10)) at 166 - - Replaced defined condition k'[id1], cd[id1], pk_S_1[id1] with k'[id1], pkE_9[id1], pk_S_1[id1] in find at 116 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 124 - - Replaced defined condition enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] in find at 116 -yields - -Game 48 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_9[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_9[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - pkE_9: G_t <- pkE_10; - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkE_8: G_t <- pkE_10; - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - return(AuthDecap_None) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on pkE_8 (definition removed, all usages removed) - - Remove assignments on pkE_9 (definition removed, all usages removed) -yields - -Game 49 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - {280} find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - return(AuthDecap_None) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying merge branches - - Merge all branches of find at 280 -yields - -Game 50 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {18} z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk_1[i1]) - && pk_R_1 = exp(g, sk_1[i1]) then at occurrence 18 -yields - -Game 51 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename z_1 - - Rename variable z_1 into z_5, z_4 -yields - -Game 52 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_7: GG_t <- {36}concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))) at 36 -yields - -Game 53 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_7: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename dh_7 - - Rename variable dh_7 into dh_16, dh_15 -yields - -Game 54 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename enc_6 - - Rename variable enc_6 into enc_10, enc_9 -yields - -Game 55 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename kemContext_7 - - Rename variable kemContext_7 into kemContext_15, kemContext_14 -yields - -Game 56 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename key_2 - - Rename variable key_2 into key_10, key_9 -yields - -Game 57 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename info_2 - - Rename variable info_2 into info_10, info_9 -yields - -Game 58 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename zz_7 - - Rename variable zz_7 into zz_17, zz_16 -yields - -Game 59 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {222} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {230}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_17[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {273}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then - return(AuthDecap_Some(zz_17[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with false at 273 - - Remove branch 2 in find at 222 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with ((i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 230 - - Replaced defined condition zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2] in find at 222 -yields - -Game 60 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - {399} return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 399 -yields - -Game 61 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk -yields - -Game 62 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && {109}(x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {173}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {276}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && {299}(x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {345}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {532}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {601}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; {652}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {710}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; {727}find [unique] u_66 = ri_66 <= Qeperuser, u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {732}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {747}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {762}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {775}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] - - Simplification pass - - Replaced (x_O_7 = x_O_10[ri_92]) with false at 173 - - Remove branch 5 in find at 104 - - Replaced (x_O_7 = x_O_6[ri_98, ri_99]) with false at 109 - - Remove branch 1 in find at 104 - - Replaced (x_O_6 = x_O_10[ri_84]) with false at 345 - - Remove branch 5 in find at 276 - - Replaced (x_O_6 = x_O_7[ri_88, ri_89]) with false at 299 - - Remove branch 2 in find at 276 - - Replaced (x_O_8 = x_O_10[ri_76]) with false at 601 - - Remove branch 5 in find at 532 - - Replaced (x_O_9 = x_O_10[ri_68]) with false at 710 - - Remove branch 5 in find at 652 - - Replaced (x_O_10 = x_O_9[ri_61]) with false at 775 - - Remove branch 4 in find at 727 - - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 762 - - Remove branch 3 in find at 727 - - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 747 - - Remove branch 2 in find at 727 - - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 732 - - Remove branch 1 in find at 727 -yields - -Game 63 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {246}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {472}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] - - Expand if/find/let - - Remove branch 2 in find at 472 - - Remove branch 1 in find at 472 - - Remove branch 2 in find at 246 - - Remove branch 1 in find at 246 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 64 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(zz_16, enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then - zz_17: eae_output_t <- r_9[u_85]; - return(AuthEncap_tuple(zz_17, enc_10)) - else - r_6 <-R eae_output_t; - zz_17: eae_output_t <- r_6; - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then - zz_8: eae_output_t <- r_8[u_78, u_79]; - return(AuthDecap_Some(zz_8)) - orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then - zz_8: eae_output_t <- r_9[u_77]; - return(AuthDecap_Some(zz_8)) - else - r_8 <-R eae_output_t; - zz_8: eae_output_t <- r_8; - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- x1_1; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- x1_1; - find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_10 (definition point kept, all usages removed) - - Remove assignments on x_O_9 (definition point kept, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_17 (definition removed, all usages removed) - - Remove assignments on zz_17 (definition removed, all usages removed) - - Remove assignments on zz_16 (definition kept, array references kept) - - Remove assignments on zz_16 (definition kept, array references kept) -yields - -Game 65 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - {103} find [unique] u_93 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {107}(x_O_7 = x1_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - {224} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {228}(x_O_6 = x1_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - {418} find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {423}(x_O_8 = x_O_8[ri_78, ri_79]) then - return(AuthDecap_Some(r_8[u_78, u_79])) - orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {444}(x_O_8 = x1_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - {493} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {498}(x1_1 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {516}(x1_1 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {534}(x1_1 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {551}(x1_1 = x1_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - {571} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] - - Simplification pass - - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 571 - - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 551 - - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 493 - - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 534 - - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 493 - - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 516 - - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73] in find at 493 - - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 498 - - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75] in find at 493 - - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 444 - - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 418 - - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_10 = pkE_10[ri_78, ri_79])) at 423 - - In branch 1 of find at 418, substituting u_79 with i_1 - - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78] in find at 418 - - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 228 - - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 224 - - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 107 - - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 103 -yields - -Game 66 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && {605}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78])) at 605 -yields - -Game 67 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying move all binders - - Move assignment to x_O_10 - - Move assignment to x_O_9 - - Move assignment to x_O_8 - - Move assignment to info_3 - - Move assignment to key_3 - - Move assignment to kemContext_8 - - Move assignment to x_O_6 - - Move assignment to info_10 - - Move assignment to key_10 - - Move assignment to kemContext_15 - - Move assignment to x_O_7 - - Move assignment to info_9 - - Move assignment to key_9 - - Move assignment to kemContext_14 -yields - -Game 68 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_8 (definition removed, all usages removed) - - Remove assignments on u_79 (definition removed, all usages removed) - - Remove assignments on dh_16 (definition removed, all usages removed) - - Remove assignments on dh_15 (definition removed, all usages removed) -yields - -Game 69 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying equivalence gdh(exp) [probability Adv_sqGDH(time_2, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] - - Equivalence gdh(exp) with variables: sk_1 -> a, z_4 -> a -yields - -Game 70 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_13]))) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - {49} find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (m_29: G_t <- dh2_1[ri_93]; false) && (m_17: G_t <- dh1_1[ri_93]; false) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; (m_27 = exp(m'_13, sk_1))) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (m_21: G_t <- pk_S_1; (m_21 = exp(g, sk_1[i1_2]))) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; (m_19 = exp(m'_9, sk_1))) && (m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; (m_18 = exp(m'_8, sk_1))) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - {615} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; (m_22 = exp(m'_10, sk_1[ri_75]))) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_24: G_t <- dh2_1; false) && (m_23: G_t <- dh1_1; false) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; (m_26 = exp(m'_12, sk_1[ri_71]))) && (m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; (m_25 = exp(m'_11, sk_1[ri_71]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 2 in find at 615 - - Remove branch 1 in find at 49 - - Find at 49 removed (else branch kept if any) -yields - -Game 71 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_13]))) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27 = exp(m'_13, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]))) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (m_21: G_t <- pk_S_1; ((i_1 = i1_12[ie1, i1_2]) && (m_21 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10))) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19 = exp(m'_9, sk_1)) && (m_18 = exp(m'_8, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]))) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22 = exp(m'_10, sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then - return(r_6[u_74, u_75]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26 = exp(m'_12, sk_1[ri_71])) && (m_25 = exp(m'_11, sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_22 (definition removed, all usages removed) - - Remove assignments on m'_10 (definition removed, all usages removed) - - Remove assignments on m_26 (definition removed, all usages removed) - - Remove assignments on m'_12 (definition removed, all usages removed) - - Remove assignments on m_25 (definition removed, all usages removed) - - Remove assignments on m'_11 (definition removed, all usages removed) - - Remove assignments on m_19 (definition removed, all usages removed) - - Remove assignments on m'_9 (definition removed, all usages removed) - - Remove assignments on m_18 (definition removed, all usages removed) - - Remove assignments on m'_8 (definition removed, all usages removed) - - Remove assignments on m_20 (definition removed, all usages removed) - - Remove assignments on m_21 (definition removed, all usages removed) - - Remove assignments on m_27 (definition removed, all usages removed) - - Remove assignments on m'_13 (definition removed, all usages removed) - - Remove assignments on zz_16 (definition removed, all usages removed) - - Remove assignments on m_28 (definition removed, all usages removed) -yields - -Game 72 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (dh2_1[ri_85] = exp(pk_R_1, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (pk_S_1 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(r_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (dh2_1[ri_77] = exp(pk_S_1, sk_1)) && (dh1_1[ri_77] = exp(pkE_10, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Proved indistinguishability between game 72 and game 1 -Game 72 is the same as game 40. -Adv[Game 1: indistinguishability from game 40] <= Adv_sqGDH(time_1, 7 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 5 * N^2) * PCollKey + Adv[Game 40: indistinguishability from game 40] -Adv[Game 40: indistinguishability from game 40] <= 0 -Adv[Game 41: indistinguishability from game 72] <= Adv_sqGDH(time_2, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 7 * N^2) * PCollKey + Adv[Game 72: indistinguishability from game 72] -Adv[Game 72: indistinguishability from game 72] <= 0 -RESULT Proved indistinguishability between game 41 and game 1 up to probability Adv_sqGDH(time_2, 5 * Qh) + Adv_sqGDH(time_1, 7 * Qh) + (2 * #OAEncap + 2 * N) * PDistRerandom + (4 * #OADecap * N + 2 * #OAEncap * #OADecap + 16 * #OAEncap^2 + 4 * #OAEncap * N + 12 * N^2) * PCollKey -RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_7)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_8)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 3 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time -RESULT time_2 = #OAEncap * time(AuthEncap_tuple, maxlength(game 69: enc_9)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 69: enc_10)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time -All queries proved. +Initial state +Game 1 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 2 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + skS: Z_t <- sk; + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + skE: Z_t <- z; + dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, skS); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); + pkR_1: G_t <- exp(g, skR); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skS (definition removed, all usages removed) + - Remove assignments on skE (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find ie1_1 = ie1 <= Qeperuser, i1_3 = i1_2 <= N suchthat + defined(zz_2[ie1, i1_2], enc_1[ie1, i1_2], sk[i1_2], pk_R[ie1, i1_2]) + && (exp(g, sk) = pk_R[ie1, i1_2]) + && (exp(g, sk[i1_2]) = pk_S) + && (enc_1[ie1, i1_2] = enc_2) then + orfind id1_1 = id1 <= Qdperuser suchthat + defined(random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1]) + && (pk_S[id1] = pk_S) + && (enc_2[id1] = enc_2) then + else + find i1_1 = i1 <= N suchthat + defined(sk[i1]) + && (pk_S = exp(g, sk[i1])) then + random_br <- true at occurrence 116 +yields + +Game 4 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], enc_1[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && {124}((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (enc_1[ie1, i1_5] = enc_2)) then + dh_3: GG_t <- {150}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + orfind id1_1 = id1 <= Qdperuser suchthat defined(random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1]) && {229}((pk_S[id1] = pk_S) && (enc_2[id1] = enc_2)) then + dh_3: GG_t <- {245}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- true; + dh_3: GG_t <- {329}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))) at 329 + - Replaced ((pk_S[id1] = pk_S) && (enc_2[id1] = enc_2)) with ((pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3)) at 229 + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))) at 245 + - Replaced defined condition random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1] with random_br[id1], zz_3[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1] in find at 116 + - Replaced ((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (enc_1[ie1, i1_5] = enc_2)) with ((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) at 124 + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z[ie1_1, i1_4], sk)), exp(g, mult(sk[i1_4], sk))) at 150 + - Replaced defined condition zz_2[ie1, i1_5], enc_1[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5] with zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5] in find at 116 +yields + +Game 5 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_1, i1_4], sk)), exp(g, mult(sk[i1_4], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({222}zz_3)) + orfind id1_1 = id1 <= Qdperuser suchthat defined(random_br[id1], zz_3[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- true; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 222 with zz_2[ie1_1, i1_4] +yields + +Game 6 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_1, i1_4], sk)), exp(g, mult(sk[i1_4], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(random_br[id1], zz_3[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- true; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of useless + - Remove assignments on random_br (definition point kept, all usages removed) + - Remove assignments on zz_3 (definition point kept, all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 7 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_3: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(random_br[id1], zz_3[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({258}zz_3)) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 258 with zz_3[id1_1] +yields + +Game 8 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_3: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_3[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_3 + - Rename variable zz_3 into zz_13, zz_12, zz_11, zz_10 +yields + +Game 9 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_10[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_10[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_11[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_11[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_13[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on random_br (definition removed, all usages removed) +yields + +Game 10 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_10[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_10[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_11[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_11[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_13[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Remove branch 5 in find at 116 + - Remove branch 3 in find at 116 + - Remove branch 2 in find at 116 + - Replaced defined condition zz_2[ie1, i1_5], z[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5] with zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5] in find at 116 +yields + +Game 11 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_3 + - Rename variable dh_3 into dh_12, dh_11, dh_10 +yields + +Game 12 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + dh_10: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2[id1_1]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 13 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition zz_12[id1], sk[i1_2[id1]], pkE_3[id1], pk_S[id1] with zz_12[id1], pkE_3[id1], pk_S[id1] in find at 116 +yields + +Game 14 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_3 + - Rename variable kemContext_3 into kemContext_11, kemContext_10 +yields + +Game 15 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key_1 + - Rename variable key_1 into key_6, key_5 +yields + +Game 16 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename info_1 + - Rename variable info_1 into info_6, info_5 +yields + +Game 17 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {18} z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 18 +yields + +Game 18 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename z + - Rename variable z into z_3, z_2 +yields + +Game 19 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- {36}concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_2), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))) at 36 +yields + +Game 20 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename enc_1 + - Rename variable enc_1 into enc_8, enc_7 +yields + +Game 21 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_2 + - Rename variable dh_2 into dh_14, dh_13 +yields + +Game 22 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_2[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && (exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_2 + - Rename variable zz_2 into zz_15, zz_14 +yields + +Game 23 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {222} find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && {230}((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_15[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5]) && {273}((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) then + return(AuthDecap_Some(zz_15[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) with false at 273 + - Remove branch 2 in find at 222 + - Replaced ((exp(g, sk) = pk_R[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) with ((i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3)) at 230 + - Replaced defined condition zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], pk_R[ie1, i1_5] with zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5] in find at 222 +yields + +Game 24 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_2 + - Rename variable kemContext_2 into kemContext_13, kemContext_12 +yields + +Game 25 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key + - Rename variable key into key_8, key_7 +yields + +Game 26 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename info + - Rename variable info into info_8, info_7 +yields + +Game 27 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkR_1 + - Rename variable pkR_1 into pkR_6, pkR_5 +yields + +Game 28 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + {466} return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 466 +yields + +Game 29 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_3, x1)) + else + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_66 = ri_58 <= Qeperuser, u_67 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && {109}(x_O_1 = x_O[ri_58, ri_59]) then r[u_66, u_67] orfind u_64 = ri_56 <= Qeperuser, u_65 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_64, u_65] orfind u_62 = ri_54 <= Qdperuser, u_63 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_62, u_63] orfind u_60 = ri_52 <= Qdperuser, u_61 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_60, u_61] orfind u_59 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_59] orfind u_58 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {191}(x_O_1 = x_O_5[ri_50]) then r_5[u_58] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {294}find [unique] u_56 = ri_48 <= Qeperuser, u_57 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_56, u_57] orfind u_54 = ri_46 <= Qeperuser, u_55 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {317}(x_O = x_O_1[ri_46, ri_47]) then r_1[u_54, u_55] orfind u_52 = ri_44 <= Qdperuser, u_53 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_52, u_53] orfind u_50 = ri_42 <= Qdperuser, u_51 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_50, u_51] orfind u_49 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_49] orfind u_48 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {381}(x_O = x_O_5[ri_40]) then r_5[u_48] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {563}find [unique] u_46 = ri_38 <= Qeperuser, u_47 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_46, u_47] orfind u_44 = ri_36 <= Qeperuser, u_45 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_44, u_45] orfind u_42 = ri_34 <= Qdperuser, u_43 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_42, u_43] orfind u_40 = ri_32 <= Qdperuser, u_41 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_40, u_41] orfind u_39 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_39] orfind u_38 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {650}(x_O_3 = x_O_5[ri_30]) then r_5[u_38] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {735}find [unique] u_36 = ri_28 <= Qeperuser, u_37 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_36, u_37] orfind u_34 = ri_26 <= Qeperuser, u_35 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_34, u_35] orfind u_32 = ri_24 <= Qdperuser, u_33 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_32, u_33] orfind u_30 = ri_22 <= Qdperuser, u_31 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_30, u_31] orfind u_29 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_29] orfind u_28 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {822}(x_O_2 = x_O_5[ri_20]) then r_5[u_28] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; {873}find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_26, u_27] orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_24, u_25] orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_22, u_23] orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_20, u_21] orfind u_19 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_19] orfind u_18 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {946}(x_O_4 = x_O_5[ri_10]) then r_5[u_18] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; {963}find [unique] u_16 = ri_8 <= Qeperuser, u_17 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {968}(x_O_5 = x_O[ri_8, ri_9]) then r[u_16, u_17] orfind u_14 = ri_6 <= Qeperuser, u_15 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {983}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_14, u_15] orfind u_12 = ri_4 <= Qdperuser, u_13 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {998}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_12, u_13] orfind u_10 = ri_2 <= Qdperuser, u_11 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {1013}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_10, u_11] orfind u_9 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1026}(x_O_5 = x_O_4[ri_1]) then r_4[u_9] orfind u_8 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u_8] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_1 = x_O_5[ri_50]) with false at 191 + - Remove branch 6 in find at 104 + - Replaced (x_O_1 = x_O[ri_58, ri_59]) with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O = x_O_5[ri_40]) with false at 381 + - Remove branch 6 in find at 294 + - Replaced (x_O = x_O_1[ri_46, ri_47]) with false at 317 + - Remove branch 2 in find at 294 + - Replaced (x_O_3 = x_O_5[ri_30]) with false at 650 + - Remove branch 6 in find at 563 + - Replaced (x_O_2 = x_O_5[ri_20]) with false at 822 + - Remove branch 6 in find at 735 + - Replaced (x_O_4 = x_O_5[ri_10]) with false at 946 + - Remove branch 6 in find at 873 + - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1026 + - Remove branch 5 in find at 963 + - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 1013 + - Remove branch 4 in find at 963 + - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 998 + - Remove branch 3 in find at 963 + - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 983 + - Remove branch 2 in find at 963 + - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 968 + - Remove branch 1 in find at 963 +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_64 = ri_56 <= Qeperuser, u_65 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_64, u_65] orfind u_62 = ri_54 <= Qdperuser, u_63 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_62, u_63] orfind u_60 = ri_52 <= Qdperuser, u_61 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_60, u_61] orfind u_59 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_59] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {264}find [unique] u_56 = ri_48 <= Qeperuser, u_57 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_56, u_57] orfind u_52 = ri_44 <= Qdperuser, u_53 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_52, u_53] orfind u_50 = ri_42 <= Qdperuser, u_51 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_50, u_51] orfind u_49 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_49] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {503}find [unique] u_46 = ri_38 <= Qeperuser, u_47 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_46, u_47] orfind u_44 = ri_36 <= Qeperuser, u_45 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_44, u_45] orfind u_42 = ri_34 <= Qdperuser, u_43 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_42, u_43] orfind u_40 = ri_32 <= Qdperuser, u_41 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_40, u_41] orfind u_39 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_39] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {663}find [unique] u_36 = ri_28 <= Qeperuser, u_37 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_36, u_37] orfind u_34 = ri_26 <= Qeperuser, u_35 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_34, u_35] orfind u_32 = ri_24 <= Qdperuser, u_33 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_32, u_33] orfind u_30 = ri_22 <= Qdperuser, u_31 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_30, u_31] orfind u_29 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_29] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_26, u_27] orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_24, u_25] orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_22, u_23] orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_20, u_21] orfind u_19 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_19] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; find [unique] u_8 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u_8] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] + - Expand if/find/let + - Remove branch 4 in find at 663 + - Remove branch 2 in find at 663 + - Remove branch 1 in find at 663 + - Remove branch 3 in find at 503 + - Remove branch 2 in find at 503 + - Remove branch 1 in find at 503 + - Remove branch 3 in find at 264 + - Remove branch 2 in find at 264 + - Remove branch 1 in find at 264 + - Remove branch 3 in find at 104 + - Remove branch 2 in find at 104 + - Remove branch 1 in find at 104 +yields + +Game 32 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_59 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(zz_14, enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_49 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then + zz_15: eae_output_t <- r_4[u_49]; + return(AuthEncap_tuple(zz_15, enc_8)) + else + r <-R eae_output_t; + zz_15: eae_output_t <- r; + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_40 = ri_32 <= Qdperuser, u_41 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then + zz_12: eae_output_t <- r_3[u_40, u_41]; + return(AuthDecap_Some(zz_12)) + orfind u_39 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(zz_12)) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_32 = ri_24 <= Qdperuser, u_33 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then + zz_13: eae_output_t <- r_2[u_32, u_33]; + return(AuthDecap_Some(zz_13)) + orfind u_29 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then + zz_13: eae_output_t <- r_4[u_29]; + return(AuthDecap_Some(zz_13)) + else + r_2 <-R eae_output_t; + zz_13: eae_output_t <- r_2; + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- x1; + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- x1; + find [unique] u_8 = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_5 (definition point kept, all usages removed) + - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_15 (definition removed, all usages removed) + - Remove assignments on zz_15 (definition removed, all usages removed) + - Remove assignments on zz_14 (definition kept, array references kept) + - Remove assignments on zz_14 (definition kept, array references kept) +yields + +Game 33 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + {103} find [unique] u_59 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {107}(x_O_1 = x1[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + {224} find [unique] u_49 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {228}(x_O = x1[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {413} find [unique] u_40 = ri_32 <= Qdperuser, u_41 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && {418}(x_O_3 = x_O_3[ri_32, ri_33]) then + zz_12: eae_output_t <- r_3[u_40, u_41]; + return(AuthDecap_Some(r_3[u_40, u_41])) + orfind u_39 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {448}(x_O_3 = x1[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {544} find [unique] u_32 = ri_24 <= Qdperuser, u_33 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {549}(x_O_2 = x_O_2[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_32, u_33])) + orfind u_29 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {570}(x_O_2 = x1[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + {619} find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {624}(x1 = x_O[ri_18, ri_19]) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {642}(x1 = x_O_1[ri_16, ri_17]) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {660}(x1 = x_O_2[ri_14, ri_15]) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {678}(x1 = x_O_3[ri_12, ri_13]) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {695}(x1 = x1[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + {715} find [unique] u_8 = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] + - Simplification pass + - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 715 + - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 695 + - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 619 + - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 678 + - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 619 + - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 660 + - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15] in find at 619 + - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_6[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 642 + - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_6[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17] in find at 619 + - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 624 + - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19] in find at 619 + - Replaced (x_O_2 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 570 + - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 544 + - Replaced (x_O_2 = x_O_2[ri_24, ri_25]) with ((pk_S = pk_S[ri_24, ri_25]) && (i = ri_25) && (pkE_3 = pkE_3[ri_24, ri_25])) at 549 + - In branch 1 of find at 544, substituting u_33 with i + - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24], pkE_3[ri_24], pk_S[ri_24] in find at 544 + - Replaced (x_O_3 = x1[ri_31]) with ((pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 448 + - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 413 + - Replaced (x_O_3 = x_O_3[ri_32, ri_33]) with ((i1_2 = i1_2[ri_32, ri_33]) && (i = ri_33) && (pkE_3 = pkE_3[ri_32, ri_33])) at 418 + - Remove branch 1 in find at 413 + - Replaced (x_O = x1[ri_41]) with ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 228 + - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 224 + - Replaced (x_O_1 = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_6], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 107 + - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 103 +yields + +Game 34 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_59 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_6], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_39 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && {789}((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) then + u_33 <= N <- i; + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_6[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_6[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) with ((pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24])) at 789 +yields + +Game 35 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_59 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_6], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_39 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + u_33 <= N <- i; + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_6[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_6[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying move all binders + - Move assignment to x_O_5 + - Move assignment to x_O_4 + - Move assignment to x_O_2 + - Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_11 + - Move assignment to x_O_3 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_10 + - Move assignment to x_O + - Move assignment to info_8 + - Move assignment to key_8 + - Move assignment to kemContext_13 + - Move assignment to x_O_1 + - Move assignment to info_7 + - Move assignment to key_7 + - Move assignment to kemContext_12 +yields + +Game 36 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_2)), exp(g, mult(sk[i1_6], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_59 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_6], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_2], sk))); + pkR_5: G_t <- exp(g, sk); + find [unique] u_39 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + u_33 <= N <- i; + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_6[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_6[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_12 (definition removed, all usages removed) + - Remove assignments on u_33 (definition removed, all usages removed) + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on dh_14 (definition removed, all usages removed) + - Remove assignments on dh_13 (definition removed, all usages removed) +yields + +Game 37 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_59 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_6], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (exp(g, sk[i1_5]) = pk_S) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + pkR_5: G_t <- exp(g, sk); + find [unique] u_39 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_6[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_6[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying equivalence gdh(exp) with z_2, sk. [probability Adv_sqGDH(time_1, 7 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_2 -> a. +yields + +Game 38 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + {49} find [unique] u_59 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (m_3: G_t <- dh2[ri_51]; false) && (m_2: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_59]; + return(AuthEncap_tuple(r_4[u_59], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (m_9: G_t <- pk_S; (m_9 = exp(g, sk[i1_5]))) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_3]))) then + pkR_5: G_t <- exp(g, sk); + {425} find [unique] u_39 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_8: G_t <- dh2[ri_31]; false) && (m_7: G_t <- dh1[ri_31]; m'_3: G_t <- pkE_3; (m_7 = exp(m'_3, sk))) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_39]; + return(AuthDecap_Some(r_4[u_39])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; (m_5 = exp(m'_2, sk))) && (m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; (m_4 = exp(m'_1, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {741} find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; (m_10 = exp(m'_4, sk[ri_19]))) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_24 = ri_16 <= Qeperuser, u_25 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_12: G_t <- dh2; false) && (m_11: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_24, u_25]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; (m_14 = exp(m'_6, sk[ri_15]))) && (m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; (m_13 = exp(m'_5, sk[ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_20 = ri_12 <= Qdperuser, u_21 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_16: G_t <- dh2; false) && (m_15: G_t <- dh1; m'_7: G_t <- pkE_3[ri_12, ri_13]; (m_15 = exp(m'_7, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_20, u_21]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 4 in find at 741 + - Remove branch 2 in find at 741 + - Remove branch 1 in find at 425 + - Find at 425 removed (else branch kept if any) + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 39 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m = exp(m', sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_14[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (m_9: G_t <- pk_S; ((i = i1_6[ie1, i1_5]) && (m_9 = exp(g, sk[i1_5])) && (pkE_2[ie1, i1_5] = pkE_3))) then + return(AuthDecap_Some(zz_14[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(zz_12[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_3]))) then + pkR_5: G_t <- exp(g, sk); + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5 = exp(m'_2, sk)) && (m_4 = exp(m'_1, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10 = exp(m'_4, sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r[u_26, u_27]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_6, sk[ri_15])) && (m_13 = exp(m'_5, sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_2[u_22, u_23]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_10 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_14 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_13 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_5 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_4 (definition removed, all usages removed) + - Remove assignments on m'_1 (definition removed, all usages removed) + - Remove assignments on pkR_5 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on m_6 (definition removed, all usages removed) + - Remove assignments on m_9 (definition removed, all usages removed) + - Remove assignments on m (definition removed, all usages removed) + - Remove assignments on m' (definition removed, all usages removed) + - Remove assignments on zz_14 (definition removed, all usages removed) + - Remove assignments on m_1 (definition removed, all usages removed) +yields + +Game 40 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_49 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(pk_R, sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_49], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_1 = ie1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(r_1[ie1, i1_5], pkE_2[ie1, i1_5], sk[i1_5], i1_6[ie1, i1_5]) && (i = i1_6[ie1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (pkE_2[ie1, i1_5] = pkE_3) then + return(AuthDecap_Some(r_1[ie1_1, i1_4])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(r_3[id1], pkE_3[id1], pk_S[id1]) && (pk_S[id1] = pk_S) && (pkE_3[id1] = pkE_3) then + return(AuthDecap_Some(r_3[id1_1])) + else + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_S = exp(g, sk[i1_3])) then + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_32 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_32])) + orfind u_29 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_29])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_26 = ri_18 <= Qeperuser, u_27 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_26, u_27]) + orfind u_22 = ri_14 <= Qdperuser, u_23 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_22, u_23]) + orfind u_19 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_19]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u_8 = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u_8]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + +Initial state +Game 41 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_3: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None) in + insert E(exp(g, sk_1), pk_R_1, ce, k); + return(AuthEncap_tuple(k, ce)) + else + return(AuthEncap_None) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + get E(=pk_S_1, =exp(g, sk_1), =cd, k'': eae_output_t) in + return(AuthDecap_Some(k'')) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = (exponent_17: Z_t <- sk_1[i1]; exp(g, exponent_17))) then + let AuthDecap_Some(k0: eae_output_t) = (skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None) in + k' <-R eae_output_t; + insert E(pk_S_1, exp(g, sk_1), cd, k'); + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_8: G_t) = cd in dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); pkR_3: G_t <- exp(g, skR_1); kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthDecap_Some(zz_8) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 42 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {18} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {22}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_3: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None) in + E_5: G_t <- exp(g, sk_1); + E_6: G_t <- pk_R_1; + E_7: bitstring <- ce; + E_8: eae_output_t <- k; + return(AuthEncap_tuple(k, ce)) + else + return(AuthEncap_None) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3], E_8[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (E_6[u_2, u_3] = exp(g, sk_1)) && (E_7[u_2, u_3] = cd) then + return(AuthDecap_Some(E_8[u, u_1])) + orfind u_4 = u_6 <= Qdperuser, u_5 = u_7 <= N suchthat defined(E_1[u_6, u_7], E_2[u_6, u_7], E_3[u_6, u_7], E_4[u_6, u_7]) && (E_1[u_6, u_7] = pk_S_1) && (E_2[u_6, u_7] = exp(g, sk_1)) && (E_3[u_6, u_7] = cd) then + return(AuthDecap_Some(E_4[u_4, u_5])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = (exponent_17: Z_t <- sk_1[i1]; exp(g, exponent_17))) then + {249} let AuthDecap_Some(k0: eae_output_t) = (skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None) in + k' <-R eae_output_t; + E_1: G_t <- pk_S_1; + E_2: G_t <- exp(g, sk_1); + E_3: bitstring <- cd; + E_4: eae_output_t <- k'; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_8: G_t) = cd in dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); pkR_3: G_t <- exp(g, skR_1); kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthDecap_Some(zz_8) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Remove let at 249 + - Simplify pattern AuthDecap_Some(k0: eae_output_t) (tuple expanded) at 249 + - Remove else branch of let at 249 + - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 22 + - Remove else branch of let at 22 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 18 + - Remove else branch of let at 18 +yields + +Game 43 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, skS_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + ce: bitstring <- enc_6; + k: eae_output_t <- zz_7; + E_5: G_t <- exp(g, sk_1); + E_6: G_t <- pk_R_1; + E_7: bitstring <- ce; + E_8: eae_output_t <- k; + return(AuthEncap_tuple(k, ce)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3], E_8[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (E_6[u_2, u_3] = exp(g, sk_1)) && (E_7[u_2, u_3] = cd) then + return(AuthDecap_Some(E_8[u, u_1])) + orfind u_4 = u_6 <= Qdperuser, u_5 = u_7 <= N suchthat defined(E_1[u_6, u_7], E_2[u_6, u_7], E_3[u_6, u_7], E_4[u_6, u_7]) && (E_1[u_6, u_7] = pk_S_1) && (E_2[u_6, u_7] = exp(g, sk_1)) && (E_3[u_6, u_7] = cd) then + return(AuthDecap_Some(E_4[u_4, u_5])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_17: Z_t <- sk_1[i1]; (pk_S_1 = exp(g, exponent_17))) then + skR_1: Z_t <- sk_1; + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); + pkR_4: G_t <- exp(g, skR_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + k0: eae_output_t <- zz_9; + k' <-R eae_output_t; + E_1: G_t <- pk_S_1; + E_2: G_t <- exp(g, sk_1); + E_3: bitstring <- cd; + E_4: eae_output_t <- k'; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); + pkR_3: G_t <- exp(g, skR_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on k0 (definition removed, all usages removed) + - Remove assignments on E_1 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on exponent_17 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on E_7 (definition removed, all usages removed) + - Remove assignments on E_8 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on key_4 (definition removed, all usages removed) + - Remove assignments on info_4 (definition removed, all usages removed) + - Remove assignments on dh_9 (definition removed, all usages removed) + - Remove assignments on kemContext_9 (definition removed, all usages removed) + - Remove assignments on pkR_4 (definition removed, all usages removed) +yields + +Game 44 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {118} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser, u_5 = u_7 <= N suchthat defined(pk_S_1[u_6, u_7], cd[u_6, u_7], k'[u_6, u_7], E_2[u_6, u_7]) && {170}((pk_S_1[u_6, u_7] = pk_S_1) && (E_2[u_6, u_7] = exp(g, sk_1)) && (cd[u_6, u_7] = cd)) then + return(AuthDecap_Some(k'[u_4, u_5])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + E_2: G_t <- exp(g, sk_1); + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((pk_S_1[u_6, u_7] = pk_S_1) && (E_2[u_6, u_7] = exp(g, sk_1)) && (cd[u_6, u_7] = cd)) with ((pk_S_1[u_6, u_7] = pk_S_1) && (u_7 = i_1) && (cd[u_6, u_7] = cd)) at 170 + - In branch 2 of find at 118, substituting u_5 with i_1 + - Replaced defined condition pk_S_1[u_6, u_7], cd[u_6, u_7], k'[u_6, u_7], E_2[u_6, u_7] with pk_S_1[u_6], cd[u_6], k'[u_6], E_2[u_6] in find at 118 +yields + +Game 45 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pk_S_1[u_6], cd[u_6], k'[u_6], E_2[u_6]) && {170}((pk_S_1[u_6] = pk_S_1) && (i_1 = i_1) && (cd[u_6] = cd)) then + u_5 <= N <- i_1; + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + E_2: G_t <- exp(g, sk_1); + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1[u_6] = pk_S_1) && (i_1 = i_1) && (cd[u_6] = cd)) with ((pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd)) at 170 +yields + +Game 46 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pk_S_1[u_6], cd[u_6], k'[u_6], E_2[u_6]) && (pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd) then + u_5 <= N <- i_1; + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + E_2: G_t <- exp(g, sk_1); + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on u_5 (definition removed, all usages removed) +yields + +Game 47 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {118} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pk_S_1[u_6], cd[u_6], k'[u_6]) && (pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let Serialize(pkE_10) = cd in at occurrence 118 +yields + +Game 48 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + {122} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && {131}((E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd)) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pk_S_1[u_6], cd[u_6], k'[u_6]) && {172}((pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd)) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + {206} let Serialize(pkE_9: G_t) = {207}cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + {222} let Serialize(pkE_8: G_t) = {223}cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + else + {302} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3]) && {311}((E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd)) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pk_S_1[u_6], cd[u_6], k'[u_6]) && {352}((pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd)) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + {386} let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + {402} let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Remove let at 402 + - Remove let at 386 + - Replaced ((pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd)) with false at 352 + - Remove branch 2 in find at 302 + - Replaced ((E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd)) with false at 311 + - Remove branch 1 in find at 302 + - Find at 302 removed (else branch kept if any) + - Replaced cd with Serialize(pkE_10) at 223 + - Remove else branch of let at 222 + - Simplify pattern Serialize(pkE_8: G_t) (tuple expanded) at 222 + - Replaced cd with Serialize(pkE_10) at 207 + - Remove else branch of let at 206 + - Simplify pattern Serialize(pkE_9: G_t) (tuple expanded) at 206 + - Replaced ((pk_S_1[u_6] = pk_S_1) && (cd[u_6] = cd)) with ((pk_S_1[u_6] = pk_S_1) && (pkE_9[u_6] = pkE_10)) at 172 + - Replaced defined condition pk_S_1[u_6], cd[u_6], k'[u_6] with k'[u_6], pkE_9[u_6], pk_S_1[u_6] in find at 122 + - Replaced ((E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_6[u_2, u_3] = cd)) with ((E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10)) at 131 + - Replaced defined condition pk_R_1[u_2, u_3], enc_6[u_2, u_3], zz_7[u_2, u_3], E_5[u_2, u_3] with zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3], E_5[u_2, u_3] in find at 122 +yields + +Game 49 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(k'[u_6], pkE_9[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_9[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + pkE_9: G_t <- pkE_10; + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkE_8: G_t <- pkE_10; + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + return(AuthDecap_None) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on pkE_8 (definition removed, all usages removed) + - Remove assignments on pkE_9 (definition removed, all usages removed) +yields + +Game 50 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + {286} find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + return(AuthDecap_None) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying merge branches + - Merge all branches of find at 286 +yields + +Game 51 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + E_5: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3], E_5[u_2, u_3]) && (E_5[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of binder E_5 + - Remove assignments on E_5 (definition removed, all usages removed) +yields + +Game 52 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {18} z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk_1[i1]) + && pk_R_1 = exp(g, sk_1[i1]) then at occurrence 18 +yields + +Game 53 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename z_1 + - Rename variable z_1 into z_5, z_4 +yields + +Game 54 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_7: GG_t <- {36}concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))) at 36 +yields + +Game 55 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_7: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename dh_7 + - Rename variable dh_7 into dh_16, dh_15 +yields + +Game 56 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename enc_6 + - Rename variable enc_6 into enc_10, enc_9 +yields + +Game 57 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename kemContext_7 + - Rename variable kemContext_7 into kemContext_15, kemContext_14 +yields + +Game 58 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename key_2 + - Rename variable key_2 into key_10, key_9 +yields + +Game 59 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename info_2 + - Rename variable info_2 into info_10, info_9 +yields + +Game 60 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_7[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename zz_7 + - Rename variable zz_7 into zz_17, zz_16 +yields + +Game 61 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + {222} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_16[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && {230}((exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10)) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], zz_17[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3]) && {273}((exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10)) then + return(AuthDecap_Some(zz_17[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10)) with false at 273 + - Remove branch 2 in find at 222 + - Replaced ((exp(g, sk_1[u_3]) = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (pkE_7[u_2, u_3] = pkE_10)) with ((exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10)) at 230 + - Replaced defined condition sk_1[u_3], zz_16[u_2, u_3], pkE_7[u_2, u_3], pk_R_1[u_2, u_3] with zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3] in find at 222 +yields + +Game 62 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {399} return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 399 +yields + +Game 63 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk +yields + +Game 64 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_106 = ri_98 <= Qeperuser, u_107 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && {109}(x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_106, u_107] orfind u_104 = ri_96 <= Qeperuser, u_105 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_104, u_105] orfind u_102 = ri_94 <= Qdperuser, u_103 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_102, u_103] orfind u_101 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_101] orfind u_100 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {173}(x_O_7 = x_O_10[ri_92]) then r_10[u_100] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {276}find [unique] u_98 = ri_90 <= Qeperuser, u_99 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_98, u_99] orfind u_96 = ri_88 <= Qeperuser, u_97 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && {299}(x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_96, u_97] orfind u_94 = ri_86 <= Qdperuser, u_95 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_94, u_95] orfind u_93 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_93] orfind u_92 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {345}(x_O_6 = x_O_10[ri_84]) then r_10[u_92] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {532}find [unique] u_90 = ri_82 <= Qeperuser, u_91 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_90, u_91] orfind u_88 = ri_80 <= Qeperuser, u_89 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_88, u_89] orfind u_86 = ri_78 <= Qdperuser, u_87 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_86, u_87] orfind u_85 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_85] orfind u_84 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {601}(x_O_8 = x_O_10[ri_76]) then r_10[u_84] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; {652}find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_82, u_83] orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_80, u_81] orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_78, u_79] orfind u_77 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_77] orfind u_76 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {710}(x_O_9 = x_O_10[ri_68]) then r_10[u_76] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; {727}find [unique] u_74 = ri_66 <= Qeperuser, u_75 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {732}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_74, u_75] orfind u_72 = ri_64 <= Qeperuser, u_73 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {747}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_72, u_73] orfind u_70 = ri_62 <= Qdperuser, u_71 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {762}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_70, u_71] orfind u_69 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {775}(x_O_10 = x_O_9[ri_61]) then r_9[u_69] orfind u_68 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_68] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_7 = x_O_10[ri_92]) with false at 173 + - Remove branch 5 in find at 104 + - Replaced (x_O_7 = x_O_6[ri_98, ri_99]) with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O_6 = x_O_10[ri_84]) with false at 345 + - Remove branch 5 in find at 276 + - Replaced (x_O_6 = x_O_7[ri_88, ri_89]) with false at 299 + - Remove branch 2 in find at 276 + - Replaced (x_O_8 = x_O_10[ri_76]) with false at 601 + - Remove branch 5 in find at 532 + - Replaced (x_O_9 = x_O_10[ri_68]) with false at 710 + - Remove branch 5 in find at 652 + - Replaced (x_O_10 = x_O_9[ri_61]) with false at 775 + - Remove branch 4 in find at 727 + - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 762 + - Remove branch 3 in find at 727 + - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 747 + - Remove branch 2 in find at 727 + - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 732 + - Remove branch 1 in find at 727 +yields + +Game 65 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_104 = ri_96 <= Qeperuser, u_105 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_104, u_105] orfind u_102 = ri_94 <= Qdperuser, u_103 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_102, u_103] orfind u_101 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_101] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {246}find [unique] u_98 = ri_90 <= Qeperuser, u_99 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_98, u_99] orfind u_94 = ri_86 <= Qdperuser, u_95 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_94, u_95] orfind u_93 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_93] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {472}find [unique] u_90 = ri_82 <= Qeperuser, u_91 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_90, u_91] orfind u_88 = ri_80 <= Qeperuser, u_89 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_88, u_89] orfind u_86 = ri_78 <= Qdperuser, u_87 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_86, u_87] orfind u_85 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_85] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_82, u_83] orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_80, u_81] orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_78, u_79] orfind u_77 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_77] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; find [unique] u_68 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_68] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 472 + - Remove branch 1 in find at 472 + - Remove branch 2 in find at 246 + - Remove branch 1 in find at 246 + - Remove branch 2 in find at 104 + - Remove branch 1 in find at 104 +yields + +Game 66 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_101 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(zz_16, enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + find [unique] u_93 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then + zz_17: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(zz_17, enc_10)) + else + r_6 <-R eae_output_t; + zz_17: eae_output_t <- r_6; + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + find [unique] u_86 = ri_78 <= Qdperuser, u_87 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then + zz_8: eae_output_t <- r_8[u_86, u_87]; + return(AuthDecap_Some(zz_8)) + orfind u_85 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then + zz_8: eae_output_t <- r_9[u_85]; + return(AuthDecap_Some(zz_8)) + else + r_8 <-R eae_output_t; + zz_8: eae_output_t <- r_8; + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- x1_1; + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- x1_1; + find [unique] u_68 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_10 (definition point kept, all usages removed) + - Remove assignments on x_O_9 (definition point kept, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_17 (definition removed, all usages removed) + - Remove assignments on zz_17 (definition removed, all usages removed) + - Remove assignments on zz_16 (definition kept, array references kept) + - Remove assignments on zz_16 (definition kept, array references kept) +yields + +Game 67 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + {103} find [unique] u_101 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {107}(x_O_7 = x1_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + {224} find [unique] u_93 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {228}(x_O_6 = x1_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + {418} find [unique] u_86 = ri_78 <= Qdperuser, u_87 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {423}(x_O_8 = x_O_8[ri_78, ri_79]) then + return(AuthDecap_Some(r_8[u_86, u_87])) + orfind u_85 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {444}(x_O_8 = x1_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + {493} find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {498}(x1_1 = x_O_6[ri_74, ri_75]) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {516}(x1_1 = x_O_7[ri_72, ri_73]) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {534}(x1_1 = x_O_8[ri_70, ri_71]) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {551}(x1_1 = x1_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + {571} find [unique] u_68 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 571 + - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 551 + - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 493 + - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 534 + - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 493 + - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 516 + - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_8[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73] in find at 493 + - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 498 + - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75] in find at 493 + - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 444 + - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 418 + - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_10 = pkE_10[ri_78, ri_79])) at 423 + - In branch 1 of find at 418, substituting u_87 with i_1 + - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78] in find at 418 + - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 228 + - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 224 + - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_8], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_8], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 107 + - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 103 +yields + +Game 68 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_101 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_8], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_8], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && {605}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) then + u_87 <= N <- i_1; + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_8[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78])) at 605 +yields + +Game 69 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_101 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_8], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_8], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + u_87 <= N <- i_1; + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_8[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying move all binders + - Move assignment to x_O_10 + - Move assignment to x_O_9 + - Move assignment to x_O_8 + - Move assignment to info_3 + - Move assignment to key_3 + - Move assignment to kemContext_8 + - Move assignment to x_O_6 + - Move assignment to info_10 + - Move assignment to key_10 + - Move assignment to kemContext_15 + - Move assignment to x_O_7 + - Move assignment to info_9 + - Move assignment to key_9 + - Move assignment to kemContext_14 +yields + +Game 70 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_8], z_4)), exp(g, mult(sk_1[i1_8], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_101 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_8], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_8], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + u_87 <= N <- i_1; + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_8[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_8 (definition removed, all usages removed) + - Remove assignments on u_87 (definition removed, all usages removed) + - Remove assignments on dh_16 (definition removed, all usages removed) + - Remove assignments on dh_15 (definition removed, all usages removed) +yields + +Game 71 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_101 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_8], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_8], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_8[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_8[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying equivalence gdh(exp) [probability Adv_sqGDH(time_2, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk_1 -> a, z_4 -> a +yields + +Game 72 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_9]))) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + {49} find [unique] u_101 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (m_29: G_t <- dh2_1[ri_93]; false) && (m_17: G_t <- dh1_1[ri_93]; false) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_101]; + return(AuthEncap_tuple(r_9[u_101], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; (m_27 = exp(m'_13, sk_1))) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (m_21: G_t <- pk_S_1; (m_21 = exp(g, sk_1[u_3]))) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; (m_19 = exp(m'_9, sk_1))) && (m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; (m_18 = exp(m'_8, sk_1))) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + {615} find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; (m_22 = exp(m'_10, sk_1[ri_75]))) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_80 = ri_72 <= Qeperuser, u_81 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_24: G_t <- dh2_1; false) && (m_23: G_t <- dh1_1; false) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_80, u_81]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; (m_26 = exp(m'_12, sk_1[ri_71]))) && (m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; (m_25 = exp(m'_11, sk_1[ri_71]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 2 in find at 615 + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 73 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_9]))) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27 = exp(m'_13, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]))) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(zz_16[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (m_21: G_t <- pk_S_1; ((m_21 = exp(g, sk_1[u_3])) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10))) then + return(AuthDecap_Some(zz_16[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19 = exp(m'_9, sk_1)) && (m_18 = exp(m'_8, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]))) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22 = exp(m'_10, sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then + return(r_6[u_82, u_83]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26 = exp(m'_12, sk_1[ri_71])) && (m_25 = exp(m'_11, sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_10 (definition removed, all usages removed) + - Remove assignments on m_26 (definition removed, all usages removed) + - Remove assignments on m'_12 (definition removed, all usages removed) + - Remove assignments on m_25 (definition removed, all usages removed) + - Remove assignments on m'_11 (definition removed, all usages removed) + - Remove assignments on m_19 (definition removed, all usages removed) + - Remove assignments on m'_9 (definition removed, all usages removed) + - Remove assignments on m_18 (definition removed, all usages removed) + - Remove assignments on m'_8 (definition removed, all usages removed) + - Remove assignments on m_20 (definition removed, all usages removed) + - Remove assignments on m_21 (definition removed, all usages removed) + - Remove assignments on m_27 (definition removed, all usages removed) + - Remove assignments on m'_13 (definition removed, all usages removed) + - Remove assignments on zz_16 (definition removed, all usages removed) + - Remove assignments on m_28 (definition removed, all usages removed) +yields + +Game 74 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_8 = i1_9 <= N suchthat defined(sk_1[i1_9]) && (pk_R_1 = exp(g, sk_1[i1_9])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (dh2_1[ri_85] = exp(pk_R_1, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_93], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(r_7[u_2, u_3], pkE_7[u_2, u_3], i1_8[u_2, u_3], sk_1[u_3]) && (pk_S_1 = exp(g, sk_1[u_3])) && (i1_8[u_2, u_3] = i_1) && (pkE_7[u_2, u_3] = pkE_10) then + return(AuthDecap_Some(r_7[u, u_1])) + orfind u_4 = u_6 <= Qdperuser suchthat defined(pkE_10[u_6], k'[u_6], pk_S_1[u_6]) && (pk_S_1[u_6] = pk_S_1) && (pkE_10[u_6] = pkE_10) then + return(AuthDecap_Some(k'[u_4])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_86 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_86])) + orfind u_85 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (dh2_1[ri_77] = exp(pk_S_1, sk_1)) && (dh1_1[ri_77] = exp(pkE_10, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_85])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_82 = ri_74 <= Qeperuser, u_83 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_82, u_83]) + orfind u_78 = ri_70 <= Qdperuser, u_79 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_78, u_79]) + orfind u_77 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_77]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_68 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_68]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Proved indistinguishability between game 74 and game 1 +Game 74 is the same as game 40. +Adv[Game 1: indistinguishability from game 40] <= Adv_sqGDH(time_1, 7 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 5 * N^2) * PCollKey + Adv[Game 40: indistinguishability from game 40] +Adv[Game 41: indistinguishability from game 74] <= Adv_sqGDH(time_2, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 7 * N^2) * PCollKey + Adv[Game 74: indistinguishability from game 74] +RESULT Proved indistinguishability between game 41 and game 1 up to probability Adv_sqGDH(time_2, 5 * Qh) + Adv_sqGDH(time_1, 7 * Qh) + (2 * #OAEncap + 2 * N) * PDistRerandom + (4 * #OADecap * N + 2 * #OAEncap * #OADecap + 16 * #OAEncap^2 + 4 * #OAEncap * N + 12 * N^2) * PCollKey +RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_7)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_8)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 3 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time +RESULT time_2 = #OAEncap * time(AuthEncap_tuple, maxlength(game 71: enc_9)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 71: enc_10)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time +All queries proved. diff --git a/dhkem.auth.outsider-cca-lr.m4.ocv b/dhkem.auth.outsider-cca-lr.m4.ocv index edb2915..ed72ea2 100644 --- a/dhkem.auth.outsider-cca-lr.m4.ocv +++ b/dhkem.auth.outsider-cca-lr.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -38,7 +50,7 @@ proof { at the 3rd term/occurrence number within the match (zz_3). *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_10[ie1_2, i1_8]"; + "zz_10[ie1, i1_4]"; all_simplify; (* Make it possible to reason about the composition of the random oracle inputs, specifically the group elements, @@ -86,32 +98,17 @@ proof { label2: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in"; crypto rom(ExtractAndExpand_inner); + remove_assign binder E_1; out_game "r2.out.cv"; success } -include(`common.dhkem.dh.ocv') - -proba Adv_GDH. -proba PDistRerandom. -expand GDH_RSR_minimal( - (* types *) - G_t, (* Group elements *) - Z_t, (* Exponents *) - (* variables *) - g, (* a generator of the group *) - exp, (* exponentiation function *) - mult, (* multiplication function for exponents *) - (* probabilities *) - Adv_GDH, (* probability of breaking the GDH assumption *) - PDistRerandom (* probability of distinguishing a key that comes from - rerandomization from an honestly chosen key *) -). - -include(`common.dhkem.ocv') +include(`common.dhkem.ocvl') param N, Qeperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -141,6 +138,7 @@ equivalence find i1 <= N suchthat defined(sk[i1]) && pk_R = pkgen(sk[i1]) then ( let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pk_R, skgen(sk)) in ( k' <-R eae_output_t; + insert E(pkgen(sk), pk_R, ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( @@ -152,15 +150,8 @@ equivalence )) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - encryption queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], k'[ie1, i1], ce[ie1, i1]) && - pkgen(sk) = pk_R[ie1, i1] && pkgen(sk[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k'[ie1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(key_extr, cd, skgen(sk), pk_S)) )) | @@ -168,3 +159,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.outsider-cca-lr.m4.ocv TAG: 1 +All queries proved. +0.496s (user 0.492s + system 0.004s), max rss 26796K +END *) diff --git a/dhkem.auth.outsider-cca-lr.ocv b/dhkem.auth.outsider-cca-lr.ocv index 5f05e3d..e3b3d88 100644 --- a/dhkem.auth.outsider-cca-lr.ocv +++ b/dhkem.auth.outsider-cca-lr.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { allowed_collisions default^4/large; (* We allow eliminating collisions with probability in power 4 of @@ -38,7 +50,7 @@ proof { at the 3rd term/occurrence number within the match (zz_3). *) replace at_nth 1 3 "return{[0-9]*}({[0-9]*}AuthDecap_Some({[0-9]*}zz_3))" - "zz_10[ie1_2, i1_8]"; + "zz_10[ie1, i1_4]"; all_simplify; (* Make it possible to reason about the composition of the random oracle inputs, specifically the group elements, @@ -86,10 +98,24 @@ proof { label2: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in"; crypto rom(ExtractAndExpand_inner); + remove_assign binder E_1; out_game "r2.out.cv"; success } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + + type G_t [bounded]. fun Serialize(G_t): bitstring [data]. type Z_t [bounded,nonuniform]. @@ -105,6 +131,7 @@ expand DH_proba_collision_minimal( ). + proba Adv_GDH. proba PDistRerandom. expand GDH_RSR_minimal( @@ -121,6 +148,8 @@ expand GDH_RSR_minimal( rerandomization from an honestly chosen key *) ). + + (* For a group of prime order q: PColl1Rand(Z_t) = PColl2Rand(Z_t) = 1/(q-1) PCollKey1 = PCollKey2 = 1/(q-1) @@ -161,7 +190,7 @@ const lbytes_empty: extract_salt_t. fun eae_input(extract_salt_t, extract_key_t, expand_info_t): eae_input_t [data]. (* The core of ExtractAndExpand, a.k.a. HKDF. -(* Usage of the RO assumption is for example justified in Lemma 6 of +Usage of the RO assumption is for example justified in Lemma 6 of Benjamin Lipp, Bruno Blanchet, Karthikeyan Bhargavan, A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, EuroSP2019 *) @@ -278,6 +307,8 @@ letfun AuthDecap(key_extr: hash_key_t, enc: bitstring, skR: Z_t, pkS: G_t) = param N, Qeperuser, Qdperuser. +table E(G_t, G_t, bitstring, eae_output_t). + equivalence Ostart() := key_extr <-R hash_key_t; @@ -307,6 +338,7 @@ equivalence find i1 <= N suchthat defined(sk[i1]) && pk_R = pkgen(sk[i1]) then ( let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = AuthEncap(key_extr, pk_R, skgen(sk)) in ( k' <-R eae_output_t; + insert E(pkgen(sk), pk_R, ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( @@ -318,15 +350,8 @@ equivalence )) | foreach id <= Qdperuser do ( OADecap(pk_S: G_t, cd: bitstring) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - encryption queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], k'[ie1, i1], ce[ie1, i1]) && - pkgen(sk) = pk_R[ie1, i1] && pkgen(sk[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k'[ie1, i1])) + get E(=pk_S, =pkgen(sk), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(key_extr, cd, skgen(sk), pk_S)) )) | @@ -334,3 +359,8 @@ equivalence )) | run ExtractAndExpand_inner_orcl(key_extr) ) + +(* EXPECTED FILENAME: examples/hpke/dhkem.auth.outsider-cca-lr.m4.ocv TAG: 1 +All queries proved. +0.496s (user 0.492s + system 0.004s), max rss 26796K +END *) diff --git a/dhkem.auth.outsider-cca-lr.proof b/dhkem.auth.outsider-cca-lr.proof index 0d9a521..c1fda0c 100644 --- a/dhkem.auth.outsider-cca-lr.proof +++ b/dhkem.auth.outsider-cca-lr.proof @@ -1,3350 +1,3487 @@ -Initial state -Game 1 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 2 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - skS: Z_t <- sk; - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - skE: Z_t <- z; - dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, skS); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); - pkR_1: G_t <- exp(g, skR); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skS (definition removed, all usages removed) - - Remove assignments on skE (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {18} z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 18 -yields - -Game 4 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename z - - Rename variable z into z_6, z_5 -yields - -Game 5 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- {36}concatDH(exp(pk_R, z_5), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_5), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))) at 36 -yields - -Game 6 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename enc_1 - - Rename variable enc_1 into enc_9, enc_8 -yields - -Game 7 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_2 - - Rename variable zz_2 into zz_11, zz_10 -yields - -Game 8 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkE_2 - - Rename variable pkE_2 into pkE_11, pkE_10 -yields - -Game 9 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkS - - Rename variable pkS into pkS_5, pkS_4 -yields - -Game 10 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_2 - - Rename variable dh_2 into dh_11, dh_10 -yields - -Game 11 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_2 - - Rename variable kemContext_2 into kemContext_11, kemContext_10 -yields - -Game 12 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key - - Rename variable key into key_6, key_5 -yields - -Game 13 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename info - - Rename variable info into info_6, info_5 -yields - -Game 14 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - {218} let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], zz_10[ie1, i1], z_5[ie1, i1], enc_8[ie1, i1]) - && exp(g, sk) = pk_R[ie1, i1] - && pk_S = exp(g, sk[i1]) - && enc_8[ie1, i1] = enc_2 then at occurrence 218 -yields - -Game 15 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(sk[i1_9], pk_R[ie1_3, i1_9], zz_10[ie1_3, i1_9], z_5[ie1_3, i1_9], enc_8[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({319}zz_3)) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 319 with zz_10[ie1_2, i1_8] [probability N^2 * PCollKey] -yields - -Game 16 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on kemContext_3 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 17 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - {218} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {226}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) then - {251} let Serialize(pkE_3: G_t) = {252}enc_2 in - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) with ((i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) at 226 - - Replaced enc_2 with Serialize(pkE_10[ie1_2, i1_8]) at 252 - - Remove else branch of let at 251 - - Simplify pattern Serialize(pkE_3: G_t) (tuple expanded) at 251 - - Replaced defined condition zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9] in find at 218 -yields - -Game 18 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - pkE_3: G_t <- pkE_10[ie1_2, i1_8]; - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on pkE_3 (definition removed, all usages removed) -yields - -Game 19 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - {353} return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 353 -yields - -Game 20 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_3, x1)) - else - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk -yields - -Game 21 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && {109}(x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_33] orfind u_32 = ri_32 <= Qh suchthat defined(x_O_4[ri_32], r_4[ri_32]) && {173}(x_O_1 = x_O_4[ri_32]) then r_4[u_32] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {276}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O_1[ri_28, ri_29], r_1[ri_28, ri_29]) && {299}(x_O = x_O_1[ri_28, ri_29]) then r_1[u_28, u_29] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] orfind u_24 = ri_24 <= Qh suchthat defined(x_O_4[ri_24], r_4[ri_24]) && {345}(x_O = x_O_4[ri_24]) then r_4[u_24] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {484}find [unique] u_22 = ri_22 <= Qeperuser, u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] orfind u_16 = ri_16 <= Qh suchthat defined(x_O_4[ri_16], r_4[ri_16]) && {553}(x_O_2 = x_O_4[ri_16]) then r_4[u_16] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_3: eae_input_t <- x1; {604}find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] orfind u_8 = ri_8 <= Qh suchthat defined(x_O_4[ri_8], r_4[ri_8]) && {662}(x_O_3 = x_O_4[ri_8]) then r_4[u_8] else r_3 <-R eae_output_t; r_3)) - else - return((x_O_4: eae_input_t <- x1; {679}find [unique] u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O[ri_6, ri_7], r[ri_6, ri_7]) && {684}(x_O_4 = x_O[ri_6, ri_7]) then r[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_1[ri_4, ri_5], r_1[ri_4, ri_5]) && {699}(x_O_4 = x_O_1[ri_4, ri_5]) then r_1[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_2[ri_2, ri_3], r_2[ri_2, ri_3]) && {714}(x_O_4 = x_O_2[ri_2, ri_3]) then r_2[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_3[ri_1], r_3[ri_1]) && {727}(x_O_4 = x_O_3[ri_1]) then r_3[u_1] orfind u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; r_4)) - )) - - -Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] - - Simplification pass - - Replaced (x_O_1 = x_O_4[ri_32]) with false at 173 - - Remove branch 5 in find at 104 - - Replaced (x_O_1 = x_O[ri_38, ri_39]) with false at 109 - - Remove branch 1 in find at 104 - - Replaced (x_O = x_O_4[ri_24]) with false at 345 - - Remove branch 5 in find at 276 - - Replaced (x_O = x_O_1[ri_28, ri_29]) with false at 299 - - Remove branch 2 in find at 276 - - Replaced (x_O_2 = x_O_4[ri_16]) with false at 553 - - Remove branch 5 in find at 484 - - Replaced (x_O_3 = x_O_4[ri_8]) with false at 662 - - Remove branch 5 in find at 604 - - Replaced (x_O_4 = x_O_3[ri_1]) with false at 727 - - Remove branch 4 in find at 679 - - Replaced (x_O_4 = x_O_2[ri_2, ri_3]) with false at 714 - - Remove branch 3 in find at 679 - - Replaced (x_O_4 = x_O_1[ri_4, ri_5]) with false at 699 - - Remove branch 2 in find at 679 - - Replaced (x_O_4 = x_O[ri_6, ri_7]) with false at 684 - - Remove branch 1 in find at 679 -yields - -Game 22 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_33] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {246}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {424}find [unique] u_22 = ri_22 <= Qeperuser, u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_3: eae_input_t <- x1; find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] else r_3 <-R eae_output_t; r_3)) - else - return((x_O_4: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; r_4)) - )) - - -Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2) * PCollKey] - - Expand if/find/let - - Remove branch 2 in find at 424 - - Remove branch 1 in find at 424 - - Remove branch 2 in find at 246 - - Remove branch 1 in find at 246 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 23 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(zz_10, enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then - zz_11: eae_output_t <- r_3[u_25]; - return(AuthEncap_tuple(zz_11, enc_9)) - else - r <-R eae_output_t; - zz_11: eae_output_t <- r; - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then - zz_3: eae_output_t <- r_2[u_18, u_19]; - return(AuthDecap_Some(zz_3)) - orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then - zz_3: eae_output_t <- r_3[u_17]; - return(AuthDecap_Some(zz_3)) - else - r_2 <-R eae_output_t; - zz_3: eae_output_t <- r_2; - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- x1; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- x1; - find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on x_O_3 (definition point kept, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition kept, array references kept) - - Remove assignments on zz_10 (definition kept, array references kept) -yields - -Game 24 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {103} find [unique] u_33 = ri_33 <= Qh suchthat defined(x1[ri_33], x_O_3[ri_33], r_3[ri_33]) && {107}(x_O_1 = x1[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {224} find [unique] u_25 = ri_25 <= Qh suchthat defined(x1[ri_25], x_O_3[ri_25], r_3[ri_25]) && {228}(x_O = x1[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - {370} find [unique] u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && {375}(x_O_2 = x_O_2[ri_18, ri_19]) then - return(AuthDecap_Some(r_2[u_18, u_19])) - orfind u_17 = ri_17 <= Qh suchthat defined(x1[ri_17], x_O_3[ri_17], r_3[ri_17]) && {396}(x_O_2 = x1[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - {445} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && {450}(x1 = x_O[ri_14, ri_15]) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && {468}(x1 = x_O_1[ri_12, ri_13]) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && {486}(x1 = x_O_2[ri_10, ri_11]) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(x1[ri_9], x_O_3[ri_9], r_3[ri_9]) && {503}(x1 = x1[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - {523} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_4[ri], r_4[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_4[ri], r_4[ri] with r_4[ri], x1[ri] in find at 523 - - Replaced (x1 = x1[ri_9]) with ((pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9])) at 503 - - Replaced defined condition x1[ri_9], x_O_3[ri_9], r_3[ri_9] with r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9] in find at 445 - - Replaced (x1 = x_O_2[ri_10, ri_11]) with ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 486 - - Replaced defined condition x_O_2[ri_10, ri_11], r_2[ri_10, ri_11] with r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11] in find at 445 - - Replaced (x1 = x_O_1[ri_12, ri_13]) with ((pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 468 - - Replaced defined condition x_O_1[ri_12, ri_13], r_1[ri_12, ri_13] with r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13] in find at 445 - - Replaced (x1 = x_O[ri_14, ri_15]) with ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 450 - - Replaced defined condition x_O[ri_14, ri_15], r[ri_14, ri_15] with r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15] in find at 445 - - Replaced (x_O_2 = x1[ri_17]) with ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17])) at 396 - - Replaced defined condition x1[ri_17], x_O_3[ri_17], r_3[ri_17] with r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17] in find at 370 - - Replaced (x_O_2 = x_O_2[ri_18, ri_19]) with ((pk_S = pk_S[ri_18, ri_19]) && (i = ri_19) && (pkE_3 = pkE_3[ri_18, ri_19])) at 375 - - In branch 1 of find at 370, substituting u_19 with i - - Replaced defined condition x_O_2[ri_18, ri_19], r_2[ri_18, ri_19] with r_2[ri_18], pkE_3[ri_18], pk_S[ri_18] in find at 370 - - Replaced (x_O = x1[ri_25]) with ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25])) at 228 - - Replaced defined condition x1[ri_25], x_O_3[ri_25], r_3[ri_25] with r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25] in find at 224 - - Replaced (x_O_1 = x1[ri_33]) with ((pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33])) at 107 - - Replaced defined condition x1[ri_33], x_O_3[ri_33], r_3[ri_33] with r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33] in find at 103 -yields - -Game 25 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && {557}((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) with ((pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18])) at 557 -yields - -Game 26 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying move all binders - - Move assignment to x_O_4 - - Move assignment to x_O_3 - - Move assignment to x_O_2 - - Move assignment to info_1 - - Move assignment to key_1 - - Move assignment to kemContext_3 - - Move assignment to x_O - - Move assignment to info_6 - - Move assignment to key_6 - - Move assignment to kemContext_11 - - Move assignment to x_O_1 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_10 -yields - -Game 27 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on u_19 (definition removed, all usages removed) - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying equivalence gdh(exp) with variables: sk -> a, z_5 -> b [probability Adv_GDH(time_1, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_5 -> b -yields - -Game 29 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - {49} find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (m_10: G_t <- dh2[ri_33]; (m_10 = exp(g, mult(sk[i1_6], sk)))) && (m_5: G_t <- dh1[ri_33]; false) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (m_13: G_t <- pk_S; (m_13 = exp(g, sk[i1_9]))) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {575} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; (m_14 = exp(m'_4, sk[ri_15]))) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_21: G_t <- dh2; (m_21 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13])))) && (m_16: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; (m_23 = exp(m'_6, sk[ri_11]))) && (m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; (m_22 = exp(m'_5, sk[ri_11]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 2 in find at 575 - - Remove branch 1 in find at 49 - - Find at 49 removed (else branch kept if any) -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m = exp(m', sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]))) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (m_13: G_t <- pk_S; ((i = i1_6[ie1_3, i1_9]) && (m_13 = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2))) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]))) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_4, sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r[u_14, u_15]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23 = exp(m'_6, sk[ri_11])) && (m_22 = exp(m'_5, sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_14 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_23 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m_22 (definition removed, all usages removed) - - Remove assignments on m'_5 (definition removed, all usages removed) - - Remove assignments on m_12 (definition removed, all usages removed) - - Remove assignments on m'_3 (definition removed, all usages removed) - - Remove assignments on m_11 (definition removed, all usages removed) - - Remove assignments on m'_2 (definition removed, all usages removed) - - Remove assignments on m_13 (definition removed, all usages removed) - - Remove assignments on m (definition removed, all usages removed) - - Remove assignments on m' (definition removed, all usages removed) - - Remove assignments on pkS_4 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on m_1 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (dh2[ri_25] = exp(pk_R, sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (dh2[ri_17] = exp(pk_S, sk)) && (dh1[ri_17] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - -Initial state -Game 32 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then - {33} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {37}let (skE_1: Z_t, pkE_8: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_7: bitstring <- Serialize(pkE_8); pkS_3: G_t <- exp(g, skS_1); kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_8, enc_7) else AuthEncap_None) in - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - return(AuthEncap_None) - else - return((skS_1: Z_t <- sk_1; {143}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_2: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying expand [probability N^2 * PCollKey] - - Expand if/find/let - - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 143 - - Remove else branch of let at 143 - - Simplify pattern (skE_1: Z_t, pkE_8: G_t) (tuple expanded) at 37 - - Remove else branch of let at 37 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 33 - - Remove else branch of let at 33 -yields - -Game 33 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_R_1 = exp(g, exponent_15))) then - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_7: bitstring <- Serialize(pkE_8); - pkS_3: G_t <- exp(g, skS_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3)); - ce: bitstring <- enc_7; - k: eae_output_t <- zz_8; - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, skS_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); - pkR_4: G_t <- exp(g, skR_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on key_3 (definition removed, all usages removed) - - Remove assignments on info_3 (definition removed, all usages removed) - - Remove assignments on dh_8 (definition removed, all usages removed) - - Remove assignments on kemContext_8 (definition removed, all usages removed) - - Remove assignments on pkS_3 (definition removed, all usages removed) -yields - -Game 34 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {147} find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2]) && {155}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) with ((i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) at 155 - - Replaced defined condition enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2] with k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2] in find at 147 -yields - -Game 35 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying remove assignments of findcond - - Rename variable z_1 into z_4, z_3 -yields - -Game 36 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - {280} return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 280 -yields - -Game 37 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_11 -> hk -yields - -Game 38 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] orfind u_58 = ri_58 <= Qh suchthat defined(x_O_8[ri_58], r_8[ri_58]) && {174}(x_O_5 = x_O_8[ri_58]) then r_8[u_58] else r_5 <-R eae_output_t; r_5); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {313}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] orfind u_52 = ri_52 <= Qh suchthat defined(x_O_8[ri_52], r_8[ri_52]) && {364}(x_O_6 = x_O_8[ri_52]) then r_8[u_52] else r_6 <-R eae_output_t; r_6); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_7: eae_input_t <- x1_1; {415}find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] orfind u_46 = ri_46 <= Qh suchthat defined(x_O_8[ri_46], r_8[ri_46]) && {458}(x_O_7 = x_O_8[ri_46]) then r_8[u_46] else r_7 <-R eae_output_t; r_7)) - else - return((x_O_8: eae_input_t <- x1_1; {475}find [unique] u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_5[ri_44, ri_45], r_5[ri_44, ri_45]) && {480}(x_O_8 = x_O_5[ri_44, ri_45]) then r_5[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_6[ri_42, ri_43], r_6[ri_42, ri_43]) && {495}(x_O_8 = x_O_6[ri_42, ri_43]) then r_6[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_7[ri_41], r_7[ri_41]) && {508}(x_O_8 = x_O_7[ri_41]) then r_7[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) - )) - - -Applying simplify (non-expanded game) [probability (N^2 + #OAEncap^2) * PCollKey] - - Simplification pass - - Replaced (x_O_5 = x_O_8[ri_58]) with false at 174 - - Remove branch 4 in find at 123 - - Replaced (x_O_6 = x_O_8[ri_52]) with false at 364 - - Remove branch 4 in find at 313 - - Replaced (x_O_7 = x_O_8[ri_46]) with false at 458 - - Remove branch 4 in find at 415 - - Replaced (x_O_8 = x_O_7[ri_41]) with false at 508 - - Remove branch 3 in find at 475 - - Replaced (x_O_8 = x_O_6[ri_42, ri_43]) with false at 495 - - Remove branch 2 in find at 475 - - Replaced (x_O_8 = x_O_5[ri_44, ri_45]) with false at 480 - - Remove branch 1 in find at 475 -yields - -Game 39 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] else r_5 <-R eae_output_t; r_5); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {301}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] else r_6 <-R eae_output_t; r_6); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_7: eae_input_t <- x1_1; find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] else r_7 <-R eae_output_t; r_7)) - else - return((x_O_8: eae_input_t <- x1_1; find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) - )) - - -Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] - - Expand if/find/let - - Remove branch 1 in find at 301 - - Remove branch 2 in find at 123 - - Remove branch 1 in find at 123 -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then - zz_7: eae_output_t <- r_7[u_59]; - return(AuthEncap_tuple(zz_7, enc_6)) - else - r_5 <-R eae_output_t; - zz_7: eae_output_t <- r_5; - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then - zz_9: eae_output_t <- r_6[u_54, u_55]; - return(AuthDecap_Some(zz_9)) - orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then - zz_9: eae_output_t <- r_7[u_53]; - return(AuthDecap_Some(zz_9)) - else - r_6 <-R eae_output_t; - zz_9: eae_output_t <- r_6; - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- x1_1; - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- x1_1; - find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_8 (definition point kept, all usages removed) - - Remove assignments on x_O_7 (definition point kept, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_7 (definition removed, all usages removed) - - Remove assignments on zz_7 (definition removed, all usages removed) -yields - -Game 41 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - {122} find [unique] u_59 = ri_59 <= Qh suchthat defined(x1_1[ri_59], x_O_7[ri_59], r_7[ri_59]) && {126}(x_O_5 = x1_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {268} find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && {273}(x_O_6 = x_O_6[ri_54, ri_55]) then - return(AuthDecap_Some(r_6[u_54, u_55])) - orfind u_53 = ri_53 <= Qh suchthat defined(x1_1[ri_53], x_O_7[ri_53], r_7[ri_53]) && {294}(x_O_6 = x1_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- cst_eae_input_t; - {343} find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && {348}(x1_1 = x_O_5[ri_50, ri_51]) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && {366}(x1_1 = x_O_6[ri_48, ri_49]) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(x1_1[ri_47], x_O_7[ri_47], r_7[ri_47]) && {383}(x1_1 = x1_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- cst_eae_input_t; - {403} find [unique] u_40 = ri_40 <= Qh suchthat defined(x1_1[ri_40], x_O_8[ri_40], r_8[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying simplify [probability N^2 * PCollKey] - - Simplification pass - - Replaced defined condition x1_1[ri_40], x_O_8[ri_40], r_8[ri_40] with r_8[ri_40], x1_1[ri_40] in find at 403 - - Replaced (x1_1 = x1_1[ri_47]) with ((pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47])) at 383 - - Replaced defined condition x1_1[ri_47], x_O_7[ri_47], r_7[ri_47] with r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47] in find at 343 - - Replaced (x1_1 = x_O_6[ri_48, ri_49]) with ((pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 366 - - Replaced defined condition x_O_6[ri_48, ri_49], r_6[ri_48, ri_49] with r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49] in find at 343 - - Replaced (x1_1 = x_O_5[ri_50, ri_51]) with ((pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 348 - - Replaced defined condition x_O_5[ri_50, ri_51], r_5[ri_50, ri_51] with r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51] in find at 343 - - Replaced (x_O_6 = x1_1[ri_53]) with ((pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53])) at 294 - - Replaced defined condition x1_1[ri_53], x_O_7[ri_53], r_7[ri_53] with r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53] in find at 268 - - Replaced (x_O_6 = x_O_6[ri_54, ri_55]) with ((pk_S_1 = pk_S_1[ri_54, ri_55]) && (i_1 = ri_55) && (pkE_9 = pkE_9[ri_54, ri_55])) at 273 - - In branch 1 of find at 268, substituting u_55 with i_1 - - Replaced defined condition x_O_6[ri_54, ri_55], r_6[ri_54, ri_55] with r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54] in find at 268 - - Replaced (x_O_5 = x1_1[ri_59]) with ((pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59])) at 126 - - Replaced defined condition x1_1[ri_59], x_O_7[ri_59], r_7[ri_59] with r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59] in find at 122 -yields - -Game 42 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && {362}((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- cst_eae_input_t; - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- cst_eae_input_t; - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) with ((pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54])) at 362 -yields - -Game 43 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- cst_eae_input_t; - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- cst_eae_input_t; - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying move all binders - - Move assignment to x_O_8 - - Move assignment to x_O_7 - - Move assignment to x_O_6 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_9 - - Move assignment to x_O_5 - - Move assignment to info_2 - - Move assignment to key_2 - - Move assignment to kemContext_7 -yields - -Game 44 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on u_55 (definition removed, all usages removed) - - Remove assignments on dh_7 (definition removed, all usages removed) -yields - -Game 45 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - pkR_4: G_t <- exp(g, sk_1); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Proved indistinguishability between game 45 and game 1 -Game 45 is the same as game 31. -Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + #OAEncap * N + 8 * #OAEncap^2 + 6 * N^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] -Adv[Game 31: indistinguishability from game 31] <= 0 -Adv[Game 32: indistinguishability from game 45] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 45: indistinguishability from game 45] -Adv[Game 45: indistinguishability from game 45] <= 0 -RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + 2 * #OAEncap * N + 10 * #OAEncap^2 + 11 * N^2) * PCollKey -RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_8)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OADecap * #OAEncap * time(= bitstring, maxlength(game 28: enc_8), maxlength(game 28: enc_2)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + 2 * #OAEncap + N) * time(exp) + time -All queries proved. +Initial state +Game 1 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 2 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + skS: Z_t <- sk; + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + skE: Z_t <- z; + dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, skS); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); + pkR_1: G_t <- exp(g, skR); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skS (definition removed, all usages removed) + - Remove assignments on skE (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {18} z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 18 +yields + +Game 4 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename z + - Rename variable z into z_6, z_5 +yields + +Game 5 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- {36}concatDH(exp(pk_R, z_5), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_5), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))) at 36 +yields + +Game 6 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename enc_1 + - Rename variable enc_1 into enc_9, enc_8 +yields + +Game 7 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_2 + - Rename variable zz_2 into zz_11, zz_10 +yields + +Game 8 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkE_2 + - Rename variable pkE_2 into pkE_11, pkE_10 +yields + +Game 9 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkS + - Rename variable pkS into pkS_5, pkS_4 +yields + +Game 10 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_2 + - Rename variable dh_2 into dh_11, dh_10 +yields + +Game 11 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_2 + - Rename variable kemContext_2 into kemContext_11, kemContext_10 +yields + +Game 12 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key + - Rename variable key into key_6, key_5 +yields + +Game 13 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename info + - Rename variable info into info_6, info_5 +yields + +Game 14 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + {218} let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find ie1 <= Qeperuser, i1 <= N suchthat + defined(sk[i1], pk_R[ie1, i1], zz_10[ie1, i1], z_5[ie1, i1], enc_8[ie1, i1]) + && exp(g, sk) = pk_R[ie1, i1] + && pk_S = exp(g, sk[i1]) + && enc_8[ie1, i1] = enc_2 then at occurrence 218 +yields + +Game 15 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(sk[i1_5], pk_R[ie1_1, i1_5], zz_10[ie1_1, i1_5], z_5[ie1_1, i1_5], enc_8[ie1_1, i1_5]) && (exp(g, sk) = pk_R[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({319}zz_3)) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 319 with zz_10[ie1, i1_4] [probability N^2 * PCollKey] +yields + +Game 16 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], pk_R[ie1_1, i1_5]) && (exp(g, sk) = pk_R[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 17 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + {218} find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], pk_R[ie1_1, i1_5]) && {226}((exp(g, sk) = pk_R[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2)) then + {251} let Serialize(pkE_3: G_t) = {252}enc_2 in + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk) = pk_R[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2)) with ((i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2)) at 226 + - Replaced enc_2 with Serialize(pkE_10[ie1, i1_4]) at 252 + - Remove else branch of let at 251 + - Simplify pattern Serialize(pkE_3: G_t) (tuple expanded) at 251 + - Replaced defined condition zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], pk_R[ie1_1, i1_5] with zz_10[ie1_1, i1_5], pkE_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5] in find at 218 +yields + +Game 18 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], pkE_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + pkE_3: G_t <- pkE_10[ie1, i1_4]; + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on pkE_3 (definition removed, all usages removed) +yields + +Game 19 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], pkE_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + {353} return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 353 +yields + +Game 20 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], pkE_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_3, x1)) + else + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk +yields + +Game 21 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_42 = ri_38 <= Qeperuser, u_43 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && {109}(x_O_1 = x_O[ri_38, ri_39]) then r[u_42, u_43] orfind u_40 = ri_36 <= Qeperuser, u_41 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_40, u_41] orfind u_38 = ri_34 <= Qdperuser, u_39 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_38, u_39] orfind u_37 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_37] orfind u_36 = ri_32 <= Qh suchthat defined(x_O_4[ri_32], r_4[ri_32]) && {173}(x_O_1 = x_O_4[ri_32]) then r_4[u_36] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {276}find [unique] u_34 = ri_30 <= Qeperuser, u_35 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_34, u_35] orfind u_32 = ri_28 <= Qeperuser, u_33 = ri_29 <= N suchthat defined(x_O_1[ri_28, ri_29], r_1[ri_28, ri_29]) && {299}(x_O = x_O_1[ri_28, ri_29]) then r_1[u_32, u_33] orfind u_30 = ri_26 <= Qdperuser, u_31 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_30, u_31] orfind u_29 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_29] orfind u_28 = ri_24 <= Qh suchthat defined(x_O_4[ri_24], r_4[ri_24]) && {345}(x_O = x_O_4[ri_24]) then r_4[u_28] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {484}find [unique] u_26 = ri_22 <= Qeperuser, u_27 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_26, u_27] orfind u_24 = ri_20 <= Qeperuser, u_25 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_24, u_25] orfind u_22 = ri_18 <= Qdperuser, u_23 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_22, u_23] orfind u_21 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_21] orfind u_20 = ri_16 <= Qh suchthat defined(x_O_4[ri_16], r_4[ri_16]) && {553}(x_O_2 = x_O_4[ri_16]) then r_4[u_20] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_3: eae_input_t <- x1; {604}find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_18, u_19] orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_16, u_17] orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_14, u_15] orfind u_13 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_13] orfind u_12 = ri_8 <= Qh suchthat defined(x_O_4[ri_8], r_4[ri_8]) && {662}(x_O_3 = x_O_4[ri_8]) then r_4[u_12] else r_3 <-R eae_output_t; r_3)) + else + return((x_O_4: eae_input_t <- x1; {679}find [unique] u_10 = ri_6 <= Qeperuser, u_11 = ri_7 <= N suchthat defined(x_O[ri_6, ri_7], r[ri_6, ri_7]) && {684}(x_O_4 = x_O[ri_6, ri_7]) then r[u_10, u_11] orfind u_8 = ri_4 <= Qeperuser, u_9 = ri_5 <= N suchthat defined(x_O_1[ri_4, ri_5], r_1[ri_4, ri_5]) && {699}(x_O_4 = x_O_1[ri_4, ri_5]) then r_1[u_8, u_9] orfind u_6 = ri_2 <= Qdperuser, u_7 = ri_3 <= N suchthat defined(x_O_2[ri_2, ri_3], r_2[ri_2, ri_3]) && {714}(x_O_4 = x_O_2[ri_2, ri_3]) then r_2[u_6, u_7] orfind u_5 = ri_1 <= Qh suchthat defined(x_O_3[ri_1], r_3[ri_1]) && {727}(x_O_4 = x_O_3[ri_1]) then r_3[u_5] orfind u_4 = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u_4] else r_4 <-R eae_output_t; r_4)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_1 = x_O_4[ri_32]) with false at 173 + - Remove branch 5 in find at 104 + - Replaced (x_O_1 = x_O[ri_38, ri_39]) with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O = x_O_4[ri_24]) with false at 345 + - Remove branch 5 in find at 276 + - Replaced (x_O = x_O_1[ri_28, ri_29]) with false at 299 + - Remove branch 2 in find at 276 + - Replaced (x_O_2 = x_O_4[ri_16]) with false at 553 + - Remove branch 5 in find at 484 + - Replaced (x_O_3 = x_O_4[ri_8]) with false at 662 + - Remove branch 5 in find at 604 + - Replaced (x_O_4 = x_O_3[ri_1]) with false at 727 + - Remove branch 4 in find at 679 + - Replaced (x_O_4 = x_O_2[ri_2, ri_3]) with false at 714 + - Remove branch 3 in find at 679 + - Replaced (x_O_4 = x_O_1[ri_4, ri_5]) with false at 699 + - Remove branch 2 in find at 679 + - Replaced (x_O_4 = x_O[ri_6, ri_7]) with false at 684 + - Remove branch 1 in find at 679 +yields + +Game 22 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_40 = ri_36 <= Qeperuser, u_41 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_40, u_41] orfind u_38 = ri_34 <= Qdperuser, u_39 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_38, u_39] orfind u_37 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_37] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {246}find [unique] u_34 = ri_30 <= Qeperuser, u_35 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_34, u_35] orfind u_30 = ri_26 <= Qdperuser, u_31 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_30, u_31] orfind u_29 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_29] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {424}find [unique] u_26 = ri_22 <= Qeperuser, u_27 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_26, u_27] orfind u_24 = ri_20 <= Qeperuser, u_25 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_24, u_25] orfind u_22 = ri_18 <= Qdperuser, u_23 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_22, u_23] orfind u_21 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_21] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_3: eae_input_t <- x1; find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_18, u_19] orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_16, u_17] orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_14, u_15] orfind u_13 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_13] else r_3 <-R eae_output_t; r_3)) + else + return((x_O_4: eae_input_t <- x1; find [unique] u_4 = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u_4] else r_4 <-R eae_output_t; r_4)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 424 + - Remove branch 1 in find at 424 + - Remove branch 2 in find at 246 + - Remove branch 1 in find at 246 + - Remove branch 2 in find at 104 + - Remove branch 1 in find at 104 +yields + +Game 23 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_37 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_29 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then + zz_11: eae_output_t <- r_3[u_29]; + return(AuthEncap_tuple(zz_11, enc_9)) + else + r <-R eae_output_t; + zz_11: eae_output_t <- r; + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_22 = ri_18 <= Qdperuser, u_23 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then + zz_3: eae_output_t <- r_2[u_22, u_23]; + return(AuthDecap_Some(zz_3)) + orfind u_21 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then + zz_3: eae_output_t <- r_3[u_21]; + return(AuthDecap_Some(zz_3)) + else + r_2 <-R eae_output_t; + zz_3: eae_output_t <- r_2; + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- x1; + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- x1; + find [unique] u_4 = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on x_O_3 (definition point kept, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition kept, array references kept) + - Remove assignments on zz_10 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {103} find [unique] u_37 = ri_33 <= Qh suchthat defined(x1[ri_33], x_O_3[ri_33], r_3[ri_33]) && {107}(x_O_1 = x1[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {224} find [unique] u_29 = ri_25 <= Qh suchthat defined(x1[ri_25], x_O_3[ri_25], r_3[ri_25]) && {228}(x_O = x1[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + {370} find [unique] u_22 = ri_18 <= Qdperuser, u_23 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && {375}(x_O_2 = x_O_2[ri_18, ri_19]) then + return(AuthDecap_Some(r_2[u_22, u_23])) + orfind u_21 = ri_17 <= Qh suchthat defined(x1[ri_17], x_O_3[ri_17], r_3[ri_17]) && {396}(x_O_2 = x1[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + {445} find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && {450}(x1 = x_O[ri_14, ri_15]) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && {468}(x1 = x_O_1[ri_12, ri_13]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && {486}(x1 = x_O_2[ri_10, ri_11]) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(x1[ri_9], x_O_3[ri_9], r_3[ri_9]) && {503}(x1 = x1[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + {523} find [unique] u_4 = ri <= Qh suchthat defined(x1[ri], x_O_4[ri], r_4[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1[ri], x_O_4[ri], r_4[ri] with r_4[ri], x1[ri] in find at 523 + - Replaced (x1 = x1[ri_9]) with ((pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9])) at 503 + - Replaced defined condition x1[ri_9], x_O_3[ri_9], r_3[ri_9] with r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9] in find at 445 + - Replaced (x1 = x_O_2[ri_10, ri_11]) with ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 486 + - Replaced defined condition x_O_2[ri_10, ri_11], r_2[ri_10, ri_11] with r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11] in find at 445 + - Replaced (x1 = x_O_1[ri_12, ri_13]) with ((pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_2[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 468 + - Replaced defined condition x_O_1[ri_12, ri_13], r_1[ri_12, ri_13] with r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13] in find at 445 + - Replaced (x1 = x_O[ri_14, ri_15]) with ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 450 + - Replaced defined condition x_O[ri_14, ri_15], r[ri_14, ri_15] with r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15] in find at 445 + - Replaced (x_O_2 = x1[ri_17]) with ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17])) at 396 + - Replaced defined condition x1[ri_17], x_O_3[ri_17], r_3[ri_17] with r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17] in find at 370 + - Replaced (x_O_2 = x_O_2[ri_18, ri_19]) with ((pk_S = pk_S[ri_18, ri_19]) && (i = ri_19) && (pkE_3 = pkE_3[ri_18, ri_19])) at 375 + - In branch 1 of find at 370, substituting u_23 with i + - Replaced defined condition x_O_2[ri_18, ri_19], r_2[ri_18, ri_19] with r_2[ri_18], pkE_3[ri_18], pk_S[ri_18] in find at 370 + - Replaced (x_O = x1[ri_25]) with ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25])) at 228 + - Replaced defined condition x1[ri_25], x_O_3[ri_25], r_3[ri_25] with r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25] in find at 224 + - Replaced (x_O_1 = x1[ri_33]) with ((pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_2], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33])) at 107 + - Replaced defined condition x1[ri_33], x_O_3[ri_33], r_3[ri_33] with r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33] in find at 103 +yields + +Game 25 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_37 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_2], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && {557}((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) then + u_23 <= N <- i; + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_2[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) with ((pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18])) at 557 +yields + +Game 26 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_37 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_2], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + u_23 <= N <- i; + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_2[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying move all binders + - Move assignment to x_O_4 + - Move assignment to x_O_3 + - Move assignment to x_O_2 + - Move assignment to info_1 + - Move assignment to key_1 + - Move assignment to kemContext_3 + - Move assignment to x_O + - Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_11 + - Move assignment to x_O_1 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_10 +yields + +Game 27 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_5)), exp(g, mult(sk[i1_2], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + find [unique] u_37 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_2], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + u_23 <= N <- i; + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_2[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on u_23 (definition removed, all usages removed) + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + find [unique] u_37 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_2], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_2[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying equivalence gdh(exp) with variables: sk -> a, z_5 -> b [probability Adv_GDH(time_1, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_5 -> b +yields + +Game 29 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_3]))) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + {49} find [unique] u_37 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (m_10: G_t <- dh2[ri_33]; (m_10 = exp(g, mult(sk[i1_2], sk)))) && (m_5: G_t <- dh1[ri_33]; false) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_37]; + return(AuthEncap_tuple(r_3[u_37], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (m_13: G_t <- pk_S; (m_13 = exp(g, sk[i1_5]))) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {575} find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; (m_14 = exp(m'_4, sk[ri_15]))) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], sk[ri_13], sk[i1_2[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_21: G_t <- dh2; (m_21 = exp(g, mult(sk[i1_2[ri_12, ri_13]], sk[ri_13])))) && (m_16: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; (m_23 = exp(m'_6, sk[ri_11]))) && (m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; (m_22 = exp(m'_5, sk[ri_11]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 2 in find at 575 + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_3]))) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m = exp(m', sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]))) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(zz_10[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (m_13: G_t <- pk_S; ((i = i1_2[ie1_1, i1_5]) && (m_13 = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2))) then + return(AuthDecap_Some(zz_10[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]))) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_4, sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r[u_18, u_19]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23 = exp(m'_6, sk[ri_11])) && (m_22 = exp(m'_5, sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_14 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_23 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_12 (definition removed, all usages removed) + - Remove assignments on m'_3 (definition removed, all usages removed) + - Remove assignments on m_11 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_13 (definition removed, all usages removed) + - Remove assignments on m (definition removed, all usages removed) + - Remove assignments on m' (definition removed, all usages removed) + - Remove assignments on pkS_4 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on m_1 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_29 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (dh2[ri_25] = exp(pk_R, sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_29], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1 = ie1_1 <= Qeperuser, i1_4 = i1_5 <= N suchthat defined(r_1[ie1_1, i1_5], enc_8[ie1_1, i1_5], sk[i1_5], i1_2[ie1_1, i1_5]) && (i = i1_2[ie1_1, i1_5]) && (pk_S = exp(g, sk[i1_5])) && (enc_8[ie1_1, i1_5] = enc_2) then + return(AuthDecap_Some(r_1[ie1, i1_4])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_22 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_22])) + orfind u_21 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (dh2[ri_17] = exp(pk_S, sk)) && (dh1[ri_17] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_14 = ri_10 <= Qdperuser, u_15 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_13 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_13]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u_4 = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u_4]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + +Initial state +Game 32 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = (exponent_16: Z_t <- sk_1[i1]; exp(g, exponent_16))) then + let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; let (skE_1: Z_t, pkE_8: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_7: bitstring <- Serialize(pkE_8); pkS_3: G_t <- exp(g, skS_1); kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_8, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + insert E(exp(g, sk_1), pk_R_1, ce, k'); + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + else + return((skS_1: Z_t <- sk_1; let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_2: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + get E(=pk_S_1, =exp(g, sk_1), =cd, k'': eae_output_t) in + return(AuthDecap_Some(k'')) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 33 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = (exponent_16: Z_t <- sk_1[i1]; exp(g, exponent_16))) then + {33} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {37}let (skE_1: Z_t, pkE_8: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_7: bitstring <- Serialize(pkE_8); pkS_3: G_t <- exp(g, skS_1); kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_8, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + E_2: G_t <- pk_R_1; + E_3: bitstring <- ce; + E_4: eae_output_t <- k'; + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + else + return((skS_1: Z_t <- sk_1; {164}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_2: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (E_3[u_2, u_3] = cd) then + return(AuthDecap_Some(E_4[u, u_1])) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 164 + - Remove else branch of let at 164 + - Simplify pattern (skE_1: Z_t, pkE_8: G_t) (tuple expanded) at 37 + - Remove else branch of let at 37 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 33 + - Remove else branch of let at 33 +yields + +Game 34 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_16: Z_t <- sk_1[i1]; (pk_R_1 = exp(g, exponent_16))) then + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_7: bitstring <- Serialize(pkE_8); + pkS_3: G_t <- exp(g, skS_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3)); + ce: bitstring <- enc_7; + k: eae_output_t <- zz_8; + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + E_2: G_t <- pk_R_1; + E_3: bitstring <- ce; + E_4: eae_output_t <- k'; + return(AuthEncap_tuple(k', ce)) + else + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, skS_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (E_2[u_2, u_3] = exp(g, sk_1)) && (E_3[u_2, u_3] = cd) then + return(AuthDecap_Some(E_4[u, u_1])) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); + pkR_4: G_t <- exp(g, skR_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on exponent_16 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on key_3 (definition removed, all usages removed) + - Remove assignments on info_3 (definition removed, all usages removed) + - Remove assignments on dh_8 (definition removed, all usages removed) + - Remove assignments on kemContext_8 (definition removed, all usages removed) + - Remove assignments on pkS_3 (definition removed, all usages removed) +yields + +Game 35 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {153} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(pk_R_1[u_2, u_3], enc_7[u_2, u_3], k'[u_2, u_3], E_1[u_2, u_3]) && {162}((E_1[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_7[u_2, u_3] = cd)) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((E_1[u_2, u_3] = pk_S_1) && (pk_R_1[u_2, u_3] = exp(g, sk_1)) && (enc_7[u_2, u_3] = cd)) with ((E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd)) at 162 + - Replaced defined condition pk_R_1[u_2, u_3], enc_7[u_2, u_3], k'[u_2, u_3], E_1[u_2, u_3] with k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3] in find at 153 +yields + +Game 36 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying remove assignments of findcond + - Rename variable z_1 into z_4, z_3 +yields + +Game 37 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {286} return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 286 +yields + +Game 38 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_11 -> hk +yields + +Game 39 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {129}find [unique] u_66 = ri_62 <= Qeperuser, u_67 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_66, u_67] orfind u_64 = ri_60 <= Qdperuser, u_65 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_64, u_65] orfind u_63 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_63] orfind u_62 = ri_58 <= Qh suchthat defined(x_O_8[ri_58], r_8[ri_58]) && {180}(x_O_5 = x_O_8[ri_58]) then r_8[u_62] else r_5 <-R eae_output_t; r_5); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {319}find [unique] u_60 = ri_56 <= Qeperuser, u_61 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_60, u_61] orfind u_58 = ri_54 <= Qdperuser, u_59 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_58, u_59] orfind u_57 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_57] orfind u_56 = ri_52 <= Qh suchthat defined(x_O_8[ri_52], r_8[ri_52]) && {370}(x_O_6 = x_O_8[ri_52]) then r_8[u_56] else r_6 <-R eae_output_t; r_6); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_7: eae_input_t <- x1_1; {421}find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_54, u_55] orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_52, u_53] orfind u_51 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_51] orfind u_50 = ri_46 <= Qh suchthat defined(x_O_8[ri_46], r_8[ri_46]) && {464}(x_O_7 = x_O_8[ri_46]) then r_8[u_50] else r_7 <-R eae_output_t; r_7)) + else + return((x_O_8: eae_input_t <- x1_1; {481}find [unique] u_48 = ri_44 <= Qeperuser, u_49 = ri_45 <= N suchthat defined(x_O_5[ri_44, ri_45], r_5[ri_44, ri_45]) && {486}(x_O_8 = x_O_5[ri_44, ri_45]) then r_5[u_48, u_49] orfind u_46 = ri_42 <= Qdperuser, u_47 = ri_43 <= N suchthat defined(x_O_6[ri_42, ri_43], r_6[ri_42, ri_43]) && {501}(x_O_8 = x_O_6[ri_42, ri_43]) then r_6[u_46, u_47] orfind u_45 = ri_41 <= Qh suchthat defined(x_O_7[ri_41], r_7[ri_41]) && {514}(x_O_8 = x_O_7[ri_41]) then r_7[u_45] orfind u_44 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_44] else r_8 <-R eae_output_t; r_8)) + )) + + +Applying simplify (non-expanded game) [probability (N^2 + #OAEncap^2) * PCollKey] + - Simplification pass + - Replaced (x_O_5 = x_O_8[ri_58]) with false at 180 + - Remove branch 4 in find at 129 + - Replaced (x_O_6 = x_O_8[ri_52]) with false at 370 + - Remove branch 4 in find at 319 + - Replaced (x_O_7 = x_O_8[ri_46]) with false at 464 + - Remove branch 4 in find at 421 + - Replaced (x_O_8 = x_O_7[ri_41]) with false at 514 + - Remove branch 3 in find at 481 + - Replaced (x_O_8 = x_O_6[ri_42, ri_43]) with false at 501 + - Remove branch 2 in find at 481 + - Replaced (x_O_8 = x_O_5[ri_44, ri_45]) with false at 486 + - Remove branch 1 in find at 481 +yields + +Game 40 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {129}find [unique] u_66 = ri_62 <= Qeperuser, u_67 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_66, u_67] orfind u_64 = ri_60 <= Qdperuser, u_65 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_64, u_65] orfind u_63 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_63] else r_5 <-R eae_output_t; r_5); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {307}find [unique] u_60 = ri_56 <= Qeperuser, u_61 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_60, u_61] orfind u_58 = ri_54 <= Qdperuser, u_59 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_58, u_59] orfind u_57 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_57] else r_6 <-R eae_output_t; r_6); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_7: eae_input_t <- x1_1; find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_54, u_55] orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_52, u_53] orfind u_51 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_51] else r_7 <-R eae_output_t; r_7)) + else + return((x_O_8: eae_input_t <- x1_1; find [unique] u_44 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_44] else r_8 <-R eae_output_t; r_8)) + )) + + +Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 1 in find at 307 + - Remove branch 2 in find at 129 + - Remove branch 1 in find at 129 +yields + +Game 41 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_63 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then + zz_7: eae_output_t <- r_7[u_63]; + return(AuthEncap_tuple(zz_7, enc_6)) + else + r_5 <-R eae_output_t; + zz_7: eae_output_t <- r_5; + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_58 = ri_54 <= Qdperuser, u_59 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then + zz_9: eae_output_t <- r_6[u_58, u_59]; + return(AuthDecap_Some(zz_9)) + orfind u_57 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then + zz_9: eae_output_t <- r_7[u_57]; + return(AuthDecap_Some(zz_9)) + else + r_6 <-R eae_output_t; + zz_9: eae_output_t <- r_6; + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- x1_1; + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- x1_1; + find [unique] u_44 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_8 (definition point kept, all usages removed) + - Remove assignments on x_O_7 (definition point kept, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_7 (definition removed, all usages removed) + - Remove assignments on zz_7 (definition removed, all usages removed) +yields + +Game 42 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + {128} find [unique] u_63 = ri_59 <= Qh suchthat defined(x1_1[ri_59], x_O_7[ri_59], r_7[ri_59]) && {132}(x_O_5 = x1_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {274} find [unique] u_58 = ri_54 <= Qdperuser, u_59 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && {279}(x_O_6 = x_O_6[ri_54, ri_55]) then + return(AuthDecap_Some(r_6[u_58, u_59])) + orfind u_57 = ri_53 <= Qh suchthat defined(x1_1[ri_53], x_O_7[ri_53], r_7[ri_53]) && {300}(x_O_6 = x1_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + {349} find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && {354}(x1_1 = x_O_5[ri_50, ri_51]) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && {372}(x1_1 = x_O_6[ri_48, ri_49]) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(x1_1[ri_47], x_O_7[ri_47], r_7[ri_47]) && {389}(x1_1 = x1_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + {409} find [unique] u_44 = ri_40 <= Qh suchthat defined(x1_1[ri_40], x_O_8[ri_40], r_8[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_40], x_O_8[ri_40], r_8[ri_40] with r_8[ri_40], x1_1[ri_40] in find at 409 + - Replaced (x1_1 = x1_1[ri_47]) with ((pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47])) at 389 + - Replaced defined condition x1_1[ri_47], x_O_7[ri_47], r_7[ri_47] with r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47] in find at 349 + - Replaced (x1_1 = x_O_6[ri_48, ri_49]) with ((pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 372 + - Replaced defined condition x_O_6[ri_48, ri_49], r_6[ri_48, ri_49] with r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49] in find at 349 + - Replaced (x1_1 = x_O_5[ri_50, ri_51]) with ((pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 354 + - Replaced defined condition x_O_5[ri_50, ri_51], r_5[ri_50, ri_51] with r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51] in find at 349 + - Replaced (x_O_6 = x1_1[ri_53]) with ((pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53])) at 300 + - Replaced defined condition x1_1[ri_53], x_O_7[ri_53], r_7[ri_53] with r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53] in find at 274 + - Replaced (x_O_6 = x_O_6[ri_54, ri_55]) with ((pk_S_1 = pk_S_1[ri_54, ri_55]) && (i_1 = ri_55) && (pkE_9 = pkE_9[ri_54, ri_55])) at 279 + - In branch 1 of find at 274, substituting u_59 with i_1 + - Replaced defined condition x_O_6[ri_54, ri_55], r_6[ri_54, ri_55] with r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54] in find at 274 + - Replaced (x_O_5 = x1_1[ri_59]) with ((pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59])) at 132 + - Replaced defined condition x1_1[ri_59], x_O_7[ri_59], r_7[ri_59] with r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59] in find at 128 +yields + +Game 43 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_63 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_58 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && {368}((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) then + u_59 <= N <- i_1; + return(AuthDecap_Some(r_6[u_58])) + orfind u_57 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + find [unique] u_44 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) with ((pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54])) at 368 +yields + +Game 44 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_63 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_58 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + u_59 <= N <- i_1; + return(AuthDecap_Some(r_6[u_58])) + orfind u_57 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + find [unique] u_44 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying move all binders + - Move assignment to x_O_8 + - Move assignment to x_O_7 + - Move assignment to x_O_6 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_9 + - Move assignment to x_O_5 + - Move assignment to info_2 + - Move assignment to key_2 + - Move assignment to kemContext_7 +yields + +Game 45 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + find [unique] u_63 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + find [unique] u_58 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + u_59 <= N <- i_1; + return(AuthDecap_Some(r_6[u_58])) + orfind u_57 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + find [unique] u_44 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_9 (definition removed, all usages removed) + - Remove assignments on u_59 (definition removed, all usages removed) + - Remove assignments on dh_7 (definition removed, all usages removed) +yields + +Game 46 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + E_1: G_t <- exp(g, sk_1); + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + find [unique] u_63 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3], E_1[u_2, u_3]) && (E_1[u_2, u_3] = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + pkR_4: G_t <- exp(g, sk_1); + find [unique] u_58 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + return(AuthDecap_Some(r_6[u_58])) + orfind u_57 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + find [unique] u_44 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying remove assignments of binder E_1 + - Remove assignments on E_1 (definition removed, all usages removed) +yields + +Game 47 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + find [unique] u_63 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_63], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(sk_1[u_3], k'[u_2, u_3], enc_7[u_2, u_3], i1_1[u_2, u_3]) && (exp(g, sk_1[u_3]) = pk_S_1) && (i1_1[u_2, u_3] = i_1) && (enc_7[u_2, u_3] = cd) then + return(AuthDecap_Some(k'[u, u_1])) + else + let Serialize(pkE_9: G_t) = cd in + pkR_4: G_t <- exp(g, sk_1); + find [unique] u_58 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + return(AuthDecap_Some(r_6[u_58])) + orfind u_57 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_57])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_54 = ri_50 <= Qeperuser, u_55 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_54, u_55]) + orfind u_52 = ri_48 <= Qdperuser, u_53 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_52, u_53]) + orfind u_51 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_51]) + else + r_7 <-R eae_output_t; + return(r_7) + else + find [unique] u_44 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_44]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Proved indistinguishability between game 47 and game 1 +Game 47 is the same as game 31. +Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + #OAEncap * N + 8 * #OAEncap^2 + 6 * N^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] +Adv[Game 32: indistinguishability from game 47] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 47: indistinguishability from game 47] +RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + 2 * #OAEncap * N + 10 * #OAEncap^2 + 11 * N^2) * PCollKey +RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_8)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OADecap * #OAEncap * time(= bitstring, maxlength(game 28: enc_8), maxlength(game 28: enc_2)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + 2 * #OAEncap + N) * time(exp) + time +All queries proved. diff --git a/hpke.auth.insider-cca.m4.ocv b/hpke.auth.insider-cca.m4.ocv index 6f5c20b..188d096 100644 --- a/hpke.auth.insider-cca.m4.ocv +++ b/hpke.auth.insider-cca.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -28,9 +40,10 @@ proba P_pk_coll. proba Adv_Insider_CCA. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Insider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Insider_CCA). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Insider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Insider_CCA). -include(`common.hpke.ocv') +include(`common.hpke.ocvl') (* Define a function for choosing from two attacker-provided plaintexts based on a bit. Also, defines some equations on it so CryptoVerif is able @@ -70,13 +83,13 @@ process Ostart() := b <-R bool; return(); (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() - (* will be available for each keypair. *) + the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() + will be available for each keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); ( @@ -106,10 +119,15 @@ process insert E(pkgen(s'), the_pk, enc_star, c_star, aad, info); return((enc_star, c_star)) (* SealAuth does not fail, but CryptoVerif's language - (* requires we indicate the else branch. It will be - (* removed with the eliminate_failing step. *) + requires we indicate the else branch. It will be + removed with the eliminate_failing step. *) ) else return(bottom) ) else return(bottom) (* ends the condition on m0 and m1 lengths *) ) (* ends the definition of the Ocall() oracle *) ) (* This ends the block of oracles that are defined for each keypair *) ) (* This ends the definition of the Osetup() oracle and its nested oracles *) + +(* EXPECTED FILENAME: examples/hpke/hpke.auth.insider-cca.m4.ocv TAG: 1 +All queries proved. +0.252s (user 0.252s + system 0.000s), max rss 24992K +END *) diff --git a/hpke.auth.insider-cca.ocv b/hpke.auth.insider-cca.ocv index a5a9ddf..c43fb69 100644 --- a/hpke.auth.insider-cca.ocv +++ b/hpke.auth.insider-cca.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -28,8 +40,20 @@ proba P_pk_coll. proba Adv_Insider_CCA. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Insider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Insider_CCA). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Insider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Insider_CCA). +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) type key_t [large,fixed]. @@ -80,9 +104,9 @@ expand multikey_AEAD( Seal_inner, Open_inner, injbot, (* injection from plaintext to bitstringbot: - (* injbot(plaintext): bitstringbot *) - Length, (* returns a plaintext of same length, consisting of zeros: - (* Length(plaintext): plaintext *) + injbot(plaintext): bitstringbot *) + Length, (* returns a plaintext of same length, consisting of zeros: + Length(plaintext): plaintext *) (* probabilities *) Adv_cpa, Adv_ctxt @@ -256,13 +280,13 @@ process Ostart() := b <-R bool; return(); (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() - (* will be available for each keypair. *) + the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() + will be available for each keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); ( @@ -292,10 +316,15 @@ process insert E(pkgen(s'), the_pk, enc_star, c_star, aad, info); return((enc_star, c_star)) (* SealAuth does not fail, but CryptoVerif's language - (* requires we indicate the else branch. It will be - (* removed with the eliminate_failing step. *) + requires we indicate the else branch. It will be + removed with the eliminate_failing step. *) ) else return(bottom) ) else return(bottom) (* ends the condition on m0 and m1 lengths *) ) (* ends the definition of the Ocall() oracle *) ) (* This ends the block of oracles that are defined for each keypair *) ) (* This ends the definition of the Osetup() oracle and its nested oracles *) + +(* EXPECTED FILENAME: examples/hpke/hpke.auth.insider-cca.m4.ocv TAG: 1 +All queries proved. +0.252s (user 0.252s + system 0.000s), max rss 24992K +END *) diff --git a/hpke.auth.insider-cca.proof b/hpke.auth.insider-cca.proof index 627a477..6e6f719 100644 --- a/hpke.auth.insider-cca.proof +++ b/hpke.auth.insider-cca.proof @@ -1,3255 +1,3356 @@ -Initial state -Game 1 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - insert E(pkgen(s'), the_pk, enc_star, c_star, aad_11, info_8); - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert and prove unique annotations - - Expand get/insert for table E -yields - -Game 2 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then -{289} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); {304}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in {316}let KeySchedule_Some(ctx_10: context_t) = {317}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {354}let Context_Seal_Some(ct_10: bitstring) = {355}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- pkgen(s'); - E_2: pkey_t <- the_pk; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 - - Remove let at 289 - - Remove let at 304 - - Remove let at 289 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 317 - - Remove else branch of let at 317 - - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 316 - - Remove else branch of let at 316 - - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 304 - - Remove else branch of let at 304 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 355 - - Remove else branch of let at 355 - - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 354 - - Remove else branch of let at 354 - - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 289 - - Remove else branch of let at 289 - - Remove let at 194 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 - - Remove else branch of let at 206 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 - - Remove else branch of let at 205 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 - - Remove else branch of let at 194 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 - - Remove else branch of let at 241 - - Remove let at 29 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 - - Remove else branch of let at 42 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 - - Remove else branch of let at 41 - - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 - - Remove else branch of let at 29 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 - - Remove else branch of let at 80 - - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 - - Remove else branch of let at 79 -yields - -Game 3 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_6: kemciph_t <- enc_5; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); - ct_8: bitstring <- ct_7; - return(SealAuth_Some(enc_6, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - info_hash: bitstring <- info_7; - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - enc_9: kemciph_t <- enc_8; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); - ct_10: bitstring <- ct_9; - c_star: bitstring <- ct_10; - enc_star: kemciph_t <- enc_9; - E_1: pkey_t <- pkgen(s'); - E_2: pkey_t <- the_pk; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on enc_9 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on c_star (definition removed, all usages removed) - - Remove assignments on enc_star (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - Remove assignments on nonce_10 (definition removed, all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_8 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_1[u_2, u_3]) && {116}((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {299}xor(nonce_12, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 299 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 - - Replaced ((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((E_1[u_2, u_3] = pk_4) && (u_3 = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 - - In branch 1 of find at 104, substituting u_1 with i - - Replaced defined condition the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_1[u_2, u_3] with info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2] in find at 104 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 -yields - -Game 5 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && {111}((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) with ((E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) at 111 -yields - -Game 6 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pt_8 - - Move assignment to seq_4 -yields - -Game 7 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on seq_5 (definition removed, all usages removed) - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on u_1 (definition removed, all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 9 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 10 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pkgen(s), skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence insider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec)] - - Equivalence insider_cca(AuthEncap) with variables: k_3 -> ks', k_2 -> ks, s -> s_1 -yields - -Game 11 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; AuthEncap_r(k_4, pk_R, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{144} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd, skgen(s), pk_S)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; -{278} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (s'_1: keypairseed_t <- s'; let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N^2 * P_pk_coll] - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 278 - - Remove else branch of let at 278 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 144 - - Remove else branch of let at 144 -yields - -Game 12 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - pk_R: pkey_t <- pk_3; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_R, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - pk_S: pkey_t <- pk_4; - cd: kemciph_t <- enc_7; - find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then - shared_secret_4: kemkey_t <- k'_1[u_4, u_5]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - s'_1: keypairseed_t <- s'; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - shared_secret_5: kemkey_t <- k'_1; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on skS_2 (definition removed, all usages removed) - - Remove assignments on s'_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition kept, array references kept) - - Remove assignments on pk_S (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R (definition removed, all usages removed) -yields - -Game 13 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{140} find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(s'[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1]) && {150}((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) with ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (ri_1 = i)) at 150 - - In branch 1 of find at 140, substituting u_5 with i - - Replaced defined condition s'[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1] with k'[ri], k'_1[ri], s'[ri], ce[ri] in find at 140 -yields - -Game 14 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && {149}((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) with ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4)) at 149 -yields - -Game 15 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_1 -yields - -Game 16 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_5 (definition removed, all usages removed) -yields - -Game 17 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 18 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - {21} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_7: kemseed_t <- k_4; pk_5: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_5, sk_2), AuthEncap_enc_r(k_7, pk_5, sk_2))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; -{314} let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pkgen(s); sk_3: skey_t <- skgen(s'); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_6, sk_3), AuthEncap_enc_r(k_8, pk_6, sk_3))) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) (tuple expanded) at 314 - - Remove else branch of let at 314 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 21 - - Remove else branch of let at 21 -yields - -Game 19 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - k_7: kemseed_t <- k_4; - pk_5: pkey_t <- pk_3; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_7, pk_5, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_7, pk_5, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k_8: kemseed_t <- k_6; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_8, pk_6, sk_3); - k_5: kemkey_t <- AuthEncap_key_r(k_8, pk_6, sk_3); - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on k_5 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on enc_8 (definition removed, all usages removed) - - Remove assignments on k_7 (definition removed, all usages removed) - - Remove assignments on pk_5 (definition removed, all usages removed) -yields - -Game 20 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_1 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] - - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1 -yields - -Game 21 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {386}find [unique] u_6 = ri_4 <= Qdperuser, u_7 = ri_5 <= N suchthat defined(u_4[ri_4, ri_5], x[ri_4, ri_5], r_6[ri_4, ri_5]) && {393}((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) then r_6[u_6, u_7] else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced ((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) with false at 393 - - Remove branch 1 in find at 386 - - Find at 386 removed (else branch kept if any) -yields - -Game 22 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 23 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- info_7; - find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then - r_4: keys_t <- r_6[u_8, u_9]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then - r_4: keys_t <- r_7[u_4]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - r_4: keys_t <- r_6; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_8; - r_7 <-R keys_t; - r_5: keys_t <- r_7; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k'_1 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) -yields - -Game 24 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{154} find u_4 = ri <= Qcperuser suchthat defined(s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; -{177} find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (info_7 = info_7[ri_8, ri_9]) then - nonce_9: nonce_t <- get2(r_6[u_8, u_9]); - key_8: key_t <- get1(r_6[u_8, u_9]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_8[u_4], ce[u_4], r_7[u_4]) && (info_7 = info_8[u_4]) then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition info_8[u_4], ce[u_4], r_7[u_4] with an empty condition in find at 177 - - In branch 1 of find at 177, substituting u_9 with i - - Replaced defined condition info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9] with r_6[ri_8], info_7[ri_8], u_4[ri_8] in find at 177 - - Replaced defined condition s'[ri], ce[ri] with r_7[ri], info_8[ri], s'[ri], ce[ri] in find at 154 -yields - -Game 25 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && {188}((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) with ((u_4[ri_8] = u_4) && (info_7 = info_7[ri_8])) at 188 -yields - -Game 26 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to x -yields - -Game 27 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_9 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 29 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- part2[u_4]; - key_8: key_t <- part1[u_4]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 30 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- part2_1[u_8]; - key_8: key_t <- part1_1[u_8]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- part2[u_4]; - key_8: key_t <- part1[u_4]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_4], part2[u_4]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] - - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 32 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then -{243} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then injbot(x_2[u_4]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove let at 243 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 243 - - Remove else branch of let at 243 -yields - -Game 33 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - y: bitstring <- c; - c_d: bitstring <- aad_10; - if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then - pt_7: bitstring <- x_2[u_4]; - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - x_2: bitstring <- pt_8; - d: bitstring <- aad_11; - r_8: bitstring <- Seal_inner(x_2, d, part1, part2); - ct_9: bitstring <- r_8; - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_2 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) -yields - -Game 34 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then -{179} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then -{243} if defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Simplified find at 243 in branch of find at 179 -yields - -Game 35 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then -{179} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && {246}((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) - else -{285} if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Transformed find at 285 into a test - - Replaced ((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) with false at 246 - - Remove branch 2 in find at 179 -yields - -Game 36 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] - - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 37 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 38 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - x_3: bitstring <- pt_8; - d_1: bitstring <- aad_11; - r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); - r_8: bitstring <- r_9; - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on part1 (definition removed, all usages removed) - - Remove assignments on x_3 (definition removed, all usages removed) - - Remove assignments on d_1 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) -yields - -Game 39 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- {388}enc'(Length(pt_8), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 388 -yields - -Game 40 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pt_8 (definition removed, all usages removed) -yields - -Game 41 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Proved secrecy of b in game 41 -Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 41: secrecy of b] -Adv[Game 41: secrecy of b] <= 0 -RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll -RESULT time_1 = time + time(context for game 10) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: ct_9), maxlength(game 10: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: aad_11), maxlength(game 10: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: info_8), maxlength(game 10: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_7)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_10)) + #Oadec * time(let injbot, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 10: m0)), length(Length, maxlength(game 10: m1))) + #Ochall * time(Length, maxlength(game 10: m1)) + #Ochall * time(Length, maxlength(game 10: m0)) + #Ochall * time(skgen) + #Ochall * time(KeySchedule_auth, maxlength(game 10: info_8)) + #Ochall * time(test, maxlength(game 10: m0), maxlength(game 10: m1)) + #Ochall * time(Seal_inner, maxlength(game 10: pt_8), maxlength(game 10: aad_11)) + #Ochall * time(pkgen) + time -RESULT time_2 = time + time(context for game 20) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 20: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 20: m), maxlength(game 20: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 20: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: ct_9), maxlength(game 20: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: aad_11), maxlength(game 20: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: info_8), maxlength(game 20: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 20: info_7)) + #Oadec * time(Open_inner, maxlength(game 20: c), maxlength(game 20: aad_10)) + #Oadec * time(let injbot, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 20: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 20: m0)), length(Length, maxlength(game 20: m1))) + #Ochall * time(Length, maxlength(game 20: m1)) + #Ochall * time(Length, maxlength(game 20: m0)) + #Ochall * time(test, maxlength(game 20: m0), maxlength(game 20: m1)) + #Ochall * time(Seal_inner, maxlength(game 20: pt_8), maxlength(game 20: aad_11)) + time -RESULT time_3 = time + time(context for game 31) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 31: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 31: m), maxlength(game 31: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 31: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: ct_9), maxlength(game 31: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: aad_11), maxlength(game 31: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: info_8), maxlength(game 31: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_7)) + #Oadec * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 31: info_7)) + #Oadec * time(Open_inner, maxlength(game 31: c), maxlength(game 31: aad_10)) + #Oadec * time(let injbot, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 31: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 31: m0)), length(Length, maxlength(game 31: m1))) + #Ochall * time(Length, maxlength(game 31: m1)) + #Ochall * time(Length, maxlength(game 31: m0)) + #Ochall * time(test, maxlength(game 31: m0), maxlength(game 31: m1)) + time -RESULT time_4 = time + time(context for game 36) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 36: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 36: m), maxlength(game 36: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 36: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: r_8), maxlength(game 36: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: aad_11), maxlength(game 36: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: info_8), maxlength(game 36: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_7)) + #Oadec * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 36: info_7)) + #Oadec * time(Open_inner, maxlength(game 36: c), maxlength(game 36: aad_10)) + #Oadec * time(let injbot, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 36: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 36: m0)), length(Length, maxlength(game 36: m1))) + #Ochall * time(Length, maxlength(game 36: m1)) + #Ochall * time(Length, maxlength(game 36: m0)) + #Ochall * time(test, maxlength(game 36: m0), maxlength(game 36: m1)) + time -All queries proved. +Initial state +Game 1 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + insert E(pkgen(s'), the_pk, enc_star, c_star, aad_11, info_8); + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3]) && (E_2[u_2, u_3] = pk_4) && (E_3[u_2, u_3] = the_pk) && (E_4[u_2, u_3] = enc_7) && (E_5[u_2, u_3] = c) && (E_6[u_2, u_3] = aad_10) && (E_7[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then +{289} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); {304}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in {316}let KeySchedule_Some(ctx_10: context_t) = {317}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {354}let Context_Seal_Some(ct_10: bitstring) = {355}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + E_2: pkey_t <- pkgen(s'); + E_3: pkey_t <- the_pk; + E_4: kemciph_t <- enc_star; + E_5: bitstring <- c_star; + E_6: bitstring <- aad_11; + E_7: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 + - Remove let at 289 + - Remove let at 304 + - Remove let at 289 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 317 + - Remove else branch of let at 317 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 316 + - Remove else branch of let at 316 + - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 304 + - Remove else branch of let at 304 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 355 + - Remove else branch of let at 355 + - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 354 + - Remove else branch of let at 354 + - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 289 + - Remove else branch of let at 289 + - Remove let at 194 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 + - Remove else branch of let at 206 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 + - Remove else branch of let at 205 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 + - Remove else branch of let at 194 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 + - Remove else branch of let at 241 + - Remove let at 29 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 + - Remove else branch of let at 42 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 + - Remove else branch of let at 41 + - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 + - Remove else branch of let at 29 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 + - Remove else branch of let at 80 + - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 + - Remove else branch of let at 79 +yields + +Game 3 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_6: kemciph_t <- enc_5; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); + ct_8: bitstring <- ct_7; + return(SealAuth_Some(enc_6, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3]) && (E_2[u_2, u_3] = pk_4) && (E_3[u_2, u_3] = the_pk) && (E_4[u_2, u_3] = enc_7) && (E_5[u_2, u_3] = c) && (E_6[u_2, u_3] = aad_10) && (E_7[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + info_hash: bitstring <- info_7; + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + enc_9: kemciph_t <- enc_8; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); + ct_10: bitstring <- ct_9; + c_star: bitstring <- ct_10; + enc_star: kemciph_t <- enc_9; + E_2: pkey_t <- pkgen(s'); + E_3: pkey_t <- the_pk; + E_4: kemciph_t <- enc_star; + E_5: bitstring <- c_star; + E_6: bitstring <- aad_11; + E_7: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on ctx_11 (definition removed, all usages removed) + - Remove assignments on enc_9 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove assignments on c_star (definition removed, all usages removed) + - Remove assignments on enc_star (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on E_7 (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_8 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_2[u_2, u_3]) && {116}((E_2[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- {299}xor(nonce_12, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, seq_5) with nonce_12 at 299 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 + - Replaced ((E_2[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((E_2[u_2, u_3] = pk_4) && (u_3 = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 + - In branch 1 of find at 104, substituting u_1 with i + - Replaced defined condition the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_2[u_2, u_3] with info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2] in find at 104 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 +yields + +Game 5 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && {111}((E_2[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((E_2[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) with ((E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) at 111 +yields + +Game 6 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pt_8 + - Move assignment to seq_4 +yields + +Game 7 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on seq_5 (definition removed, all usages removed) + - Remove assignments on nonce_14 (definition removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on u_1 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 10 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pkgen(s), skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence insider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec)] + - Equivalence insider_cca(AuthEncap) with variables: k_3 -> ks', k_2 -> ks, s -> s_1 +yields + +Game 11 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; AuthEncap_r(k_4, pk_R, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{144} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'_1[ri, ri_1], ce[ri, ri_1], E_8[ri, ri_1], E_9[ri, ri_1]) && (E_9[ri, ri_1] = pk_S) && (E_8[ri, ri_1] = pkgen(s)) && (ce[ri, ri_1] = cd) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd, skgen(s), pk_S)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; +{276} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (s'_1: keypairseed_t <- s'; let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in k': kemkey_t <- cst_kemkey_t; E_9: pkey_t <- pkgen(s'_1); E_8: pkey_t <- pkgen(s); AuthEncap_tuple(k'_1, ce) else AuthEncap_None) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 276 + - Remove else branch of let at 276 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 144 + - Remove else branch of let at 144 +yields + +Game 12 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + pk_R: pkey_t <- pk_3; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_R, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + pk_S: pkey_t <- pk_4; + cd: kemciph_t <- enc_7; + find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'_1[ri, ri_1], ce[ri, ri_1], E_8[ri, ri_1], E_9[ri, ri_1]) && (E_9[ri, ri_1] = pk_S) && (E_8[ri, ri_1] = pkgen(s)) && (ce[ri, ri_1] = cd) then + shared_secret_4: kemkey_t <- k'_1[u_4, u_5]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + s'_1: keypairseed_t <- s'; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in + k': kemkey_t <- cst_kemkey_t; + E_9: pkey_t <- pkgen(s'_1); + E_8: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce; + shared_secret_5: kemkey_t <- k'_1; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on skS_2 (definition removed, all usages removed) + - Remove assignments on s'_1 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition kept, array references kept) + - Remove assignments on pk_S (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R (definition removed, all usages removed) +yields + +Game 13 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{140} find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'_1[ri, ri_1], ce[ri, ri_1], E_8[ri, ri_1], E_9[ri, ri_1]) && {149}((E_9[ri, ri_1] = pk_4) && (E_8[ri, ri_1] = pkgen(s)) && (ce[ri, ri_1] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + E_9: pkey_t <- pkgen(s'); + E_8: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((E_9[ri, ri_1] = pk_4) && (E_8[ri, ri_1] = pkgen(s)) && (ce[ri, ri_1] = enc_7)) with ((E_9[ri, ri_1] = pk_4) && (ri_1 = i) && (ce[ri, ri_1] = enc_7)) at 149 + - In branch 1 of find at 140, substituting u_5 with i + - Replaced defined condition k'_1[ri, ri_1], ce[ri, ri_1], E_8[ri, ri_1], E_9[ri, ri_1] with k'_1[ri], ce[ri], E_8[ri], E_9[ri] in find at 140 +yields + +Game 14 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_8[ri], E_9[ri]) && {149}((E_9[ri] = pk_4) && (i = i) && (ce[ri] = enc_7)) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + E_9: pkey_t <- pkgen(s'); + E_8: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((E_9[ri] = pk_4) && (i = i) && (ce[ri] = enc_7)) with ((E_9[ri] = pk_4) && (ce[ri] = enc_7)) at 149 +yields + +Game 15 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_8[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + E_9: pkey_t <- pkgen(s'); + E_8: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_1 +yields + +Game 16 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_8[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + E_9: pkey_t <- pkgen(s'); + E_8: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on E_8 (definition removed, all usages removed) + - Remove assignments on u_5 (definition removed, all usages removed) +yields + +Game 17 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + E_9: pkey_t <- pkgen(s'); + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 18 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + {21} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_7: kemseed_t <- k_4; pk_5: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_5, sk_2), AuthEncap_enc_r(k_7, pk_5, sk_2))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; +{313} let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pkgen(s); sk_3: skey_t <- skgen(s'); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_6, sk_3), AuthEncap_enc_r(k_8, pk_6, sk_3))) in + E_9: pkey_t <- pkgen(s'); + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) (tuple expanded) at 313 + - Remove else branch of let at 313 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 21 + - Remove else branch of let at 21 +yields + +Game 19 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + k_7: kemseed_t <- k_4; + pk_5: pkey_t <- pk_3; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_7, pk_5, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_7, pk_5, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k_8: kemseed_t <- k_6; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_8, pk_6, sk_3); + k_5: kemkey_t <- AuthEncap_key_r(k_8, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on k_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition removed, all usages removed) + - Remove assignments on k_7 (definition removed, all usages removed) + - Remove assignments on pk_5 (definition removed, all usages removed) +yields + +Game 20 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{100} find u = u_2 <= Qcperuser suchthat defined(ce[u_2], E_9[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition ce[u_2], E_9[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_2[u_2] with info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2] in find at 100 +yields + +Game 21 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence prf(KeySchedule_auth) with k'_1 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] + - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1 +yields + +Game 22 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + k'_1: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; {390}find [unique] u_6 = ri_4 <= Qdperuser, u_7 = ri_5 <= N suchthat defined(u_4[ri_4, ri_5], x[ri_4, ri_5], r_6[ri_4, ri_5]) && {397}((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) then r_6[u_6, u_7] else r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced ((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) with false at 397 + - Remove branch 1 in find at 390 + - Find at 390 removed (else branch kept if any) +yields + +Game 23 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + k'_1: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 24 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + x: bitstring <- info_7; + find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then + r_4: keys_t <- r_6[u_8, u_9]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then + r_4: keys_t <- r_7[u_4]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + r_4: keys_t <- r_6; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + k'_1: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_8; + r_7 <-R keys_t; + r_5: keys_t <- r_7; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_1 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) +yields + +Game 25 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{154} find u_4 = ri <= Qcperuser suchthat defined(ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + x: bitstring <- cst_bitstring; +{176} find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (info_7 = info_7[ri_8, ri_9]) then + nonce_9: nonce_t <- get2(r_6[u_8, u_9]); + key_8: key_t <- get1(r_6[u_8, u_9]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_8[u_4], E_9[u_4], r_7[u_4]) && (info_7 = info_8[u_4]) then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition info_8[u_4], E_9[u_4], r_7[u_4] with an empty condition in find at 176 + - In branch 1 of find at 176, substituting u_9 with i + - Replaced defined condition info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9] with r_6[ri_8], info_7[ri_8], u_4[ri_8] in find at 176 + - Replaced defined condition ce[ri], E_9[ri] with r_7[ri], info_8[ri], ce[ri], E_9[ri] in find at 154 +yields + +Game 26 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + x: bitstring <- cst_bitstring; + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && {187}((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) with ((u_4[ri_8] = u_4) && (info_7 = info_7[ri_8])) at 187 +yields + +Game 27 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + x: bitstring <- cst_bitstring; + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to x +yields + +Game 28 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_9 (definition removed, all usages removed) +yields + +Game 29 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 30 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- part2[u_4]; + key_8: key_t <- part1[u_4]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 31 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- part2_1[u_8]; + key_8: key_t <- part1_1[u_8]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- part2[u_4]; + key_8: key_t <- part1[u_4]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) +yields + +Game 32 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_4], part2[u_4]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 33 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then +{242} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then injbot(x_2[u_4]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 242 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 242 + - Remove else branch of let at 242 +yields + +Game 34 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + y: bitstring <- c; + c_d: bitstring <- aad_10; + if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then + pt_7: bitstring <- x_2[u_4]; + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + x_2: bitstring <- pt_8; + d: bitstring <- aad_11; + r_8: bitstring <- Seal_inner(x_2, d, part1, part2); + ct_9: bitstring <- r_8; + E_2: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_2 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) +yields + +Game 35 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then +{178} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then +{242} if defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Simplified find at 242 in branch of find at 178 +yields + +Game 36 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then +{178} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && {245}((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) + else +{284} if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Transformed find at 284 into a test + - Replaced ((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) with false at 245 + - Remove branch 2 in find at 178 +yields + +Game 37 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] + - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 38 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); + E_2: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 39 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + x_3: bitstring <- pt_8; + d_1: bitstring <- aad_11; + r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); + r_8: bitstring <- r_9; + E_2: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on part1 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on d_1 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) +yields + +Game 40 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- {392}enc'(Length(pt_8), aad_11, part1_2, part2_2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 392 +yields + +Game 41 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pt_8 (definition removed, all usages removed) +yields + +Game 42 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_2[u_2]) && (E_2[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], ce[ri], E_9[ri]) && (E_9[ri] = pk_4) && (ce[ri] = enc_7) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + E_9: pkey_t <- pkgen(s'); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + E_2: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Proved secrecy of b in game 42 +Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 42: secrecy of b] +Adv[Game 42: secrecy of b] <= 0 +RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll +RESULT time_1 = time + time(context for game 10) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: ct_9), maxlength(game 10: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: aad_11), maxlength(game 10: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: info_8), maxlength(game 10: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_7)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_10)) + #Oadec * time(let injbot, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 10: m0)), length(Length, maxlength(game 10: m1))) + #Ochall * time(Length, maxlength(game 10: m1)) + #Ochall * time(Length, maxlength(game 10: m0)) + #Ochall * time(skgen) + #Ochall * time(KeySchedule_auth, maxlength(game 10: info_8)) + #Ochall * time(test, maxlength(game 10: m0), maxlength(game 10: m1)) + #Ochall * time(Seal_inner, maxlength(game 10: pt_8), maxlength(game 10: aad_11)) + #Ochall * time(pkgen) + time +RESULT time_2 = time + time(context for game 21) = (N + 3 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 21: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 21: m), maxlength(game 21: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 21: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: ct_9), maxlength(game 21: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: aad_11), maxlength(game 21: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: info_8), maxlength(game 21: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 21: info_7)) + #Oadec * time(Open_inner, maxlength(game 21: c), maxlength(game 21: aad_10)) + #Oadec * time(let injbot, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 21: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 21: m0)), length(Length, maxlength(game 21: m1))) + #Ochall * time(Length, maxlength(game 21: m1)) + #Ochall * time(Length, maxlength(game 21: m0)) + #Ochall * time(test, maxlength(game 21: m0), maxlength(game 21: m1)) + #Ochall * time(Seal_inner, maxlength(game 21: pt_8), maxlength(game 21: aad_11)) + time +RESULT time_3 = time + time(context for game 32) = (N + 3 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 32: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 32: m), maxlength(game 32: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 32: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 32: ct_9), maxlength(game 32: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 32: aad_11), maxlength(game 32: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 32: info_8), maxlength(game 32: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 32: info_7), maxlength(game 32: info_7)) + #Oadec * time(= bitstring, maxlength(game 32: info_7), maxlength(game 32: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 32: info_7)) + #Oadec * time(Open_inner, maxlength(game 32: c), maxlength(game 32: aad_10)) + #Oadec * time(let injbot, maxlength(game 32: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 32: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 32: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 32: m0)), length(Length, maxlength(game 32: m1))) + #Ochall * time(Length, maxlength(game 32: m1)) + #Ochall * time(Length, maxlength(game 32: m0)) + #Ochall * time(test, maxlength(game 32: m0), maxlength(game 32: m1)) + time +RESULT time_4 = time + time(context for game 37) = (N + 3 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 37: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 37: m), maxlength(game 37: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 37: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 37: r_8), maxlength(game 37: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 37: aad_11), maxlength(game 37: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 37: info_8), maxlength(game 37: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 37: info_7), maxlength(game 37: info_7)) + #Oadec * time(= bitstring, maxlength(game 37: info_7), maxlength(game 37: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 37: info_7)) + #Oadec * time(Open_inner, maxlength(game 37: c), maxlength(game 37: aad_10)) + #Oadec * time(let injbot, maxlength(game 37: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 37: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 37: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 37: m0)), length(Length, maxlength(game 37: m1))) + #Ochall * time(Length, maxlength(game 37: m1)) + #Ochall * time(Length, maxlength(game 37: m0)) + #Ochall * time(test, maxlength(game 37: m0), maxlength(game 37: m1)) + time +All queries proved. diff --git a/hpke.auth.outsider-auth.m4.ocv b/hpke.auth.outsider-auth.m4.ocv index c9717fa..e63bec2 100644 --- a/hpke.auth.outsider-auth.m4.ocv +++ b/hpke.auth.outsider-auth.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -33,9 +45,11 @@ proba Adv_Outsider_CCA. proba Adv_Outsider_Auth. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Outsider_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA, Adv_Outsider_Auth). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA). +expand Outsider_Auth_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_Auth). -include(`common.hpke.ocv') +include(`common.hpke.ocvl') (* a set E used within the proof, containing 6-tuples of the following type: *) @@ -61,17 +75,17 @@ query event(adv_wins). process (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc() and Oadec() - (* will be available for each honest keypair. *) + the Osetup() oracle. The nested oracles Oaenc() and Oadec() + will be available for each honest keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); (* This block defines the oracles Oaenc() and Oadec() which - (* are available for each honest keypair. *) + are available for each honest keypair. *) ( (* This defines the Oaenc() oracle with up to Qeperuser calls per keypair *) (foreach iae <= Qeperuser do @@ -113,3 +127,7 @@ process ) ) else return(bottom) +(* EXPECTED FILENAME: examples/hpke/hpke.auth.outsider-auth.m4.ocv TAG: 1 +All queries proved. +0.696s (user 0.692s + system 0.004s), max rss 33280K +END *) diff --git a/hpke.auth.outsider-auth.ocv b/hpke.auth.outsider-auth.ocv index 755ade3..de699a1 100644 --- a/hpke.auth.outsider-auth.ocv +++ b/hpke.auth.outsider-auth.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -33,8 +45,21 @@ proba Adv_Outsider_CCA. proba Adv_Outsider_Auth. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Outsider_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA, Adv_Outsider_Auth). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA). +expand Outsider_Auth_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_Auth). + +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) type key_t [large,fixed]. @@ -85,9 +110,9 @@ expand multikey_AEAD( Seal_inner, Open_inner, injbot, (* injection from plaintext to bitstringbot: - (* injbot(plaintext): bitstringbot *) - Length, (* returns a plaintext of same length, consisting of zeros: - (* Length(plaintext): plaintext *) + injbot(plaintext): bitstringbot *) + Length, (* returns a plaintext of same length, consisting of zeros: + Length(plaintext): plaintext *) (* probabilities *) Adv_cpa, Adv_ctxt @@ -247,17 +272,17 @@ query event(adv_wins). process (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc() and Oadec() - (* will be available for each honest keypair. *) + the Osetup() oracle. The nested oracles Oaenc() and Oadec() + will be available for each honest keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); (* This block defines the oracles Oaenc() and Oadec() which - (* are available for each honest keypair. *) + are available for each honest keypair. *) ( (* This defines the Oaenc() oracle with up to Qeperuser calls per keypair *) (foreach iae <= Qeperuser do @@ -299,3 +324,7 @@ process ) ) else return(bottom) +(* EXPECTED FILENAME: examples/hpke/hpke.auth.outsider-auth.m4.ocv TAG: 1 +All queries proved. +0.696s (user 0.692s + system 0.004s), max rss 33280K +END *) diff --git a/hpke.auth.outsider-auth.proof b/hpke.auth.outsider-auth.proof index 2357d78..86cdb75 100644 --- a/hpke.auth.outsider-auth.proof +++ b/hpke.auth.outsider-auth.proof @@ -1,7690 +1,7747 @@ -Initial state -Game 1 is - (( - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = (let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_9: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in - insert E(the_pk, pk_2, enc_6, ct_10, aad_8, info_5); - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - get E(=pk_S, =pk_R, =enc_star, =ciph_star, =aad_star, =info_star) in - return(bottom) - else - let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert and prove unique annotations - - Expand get/insert for table E -yields - -Game 2 is - (( - foreach i <= N do - Osetup() := - {5} let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - {23} let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = {24}(let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in {44}let KeySchedule_Some(ctx_6: context_t) = {45}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {82}let Context_Seal_Some(ct_9: bitstring) = {83}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_2; - E_3: kemciph_t <- enc_6; - E_4: bitstring <- ct_10; - E_5: bitstring <- aad_8; - E_6: bitstring <- info_5; - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - return({172}(let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in {183}let KeySchedule_Some(ctx_8: context_t) = {184}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({219}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - {255} find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then - return(bottom) - else - {321} let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; {325}let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in {331}let KeySchedule_Some(ctx_10: context_t) = {332}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({353}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove let at 321 - - Remove let at 325 - - Remove let at 321 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 332 - - Remove else branch of let at 332 - - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 331 - - Remove else branch of let at 331 - - Simplify pattern SetupAuthR_Some(ctx_11: context_t) (tuple expanded) at 325 - - Remove else branch of let at 325 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 353 - - Remove else branch of let at 353 - - Simplify pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 - - Remove let at 321 - - Simplify pattern Context_Open_Some(pt_8: bitstring) (tuple expanded), pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Replaced defined condition the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i''] with the_sk[i''], the_pk[i''], the_pk[i'] in find at 255 - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 5 - - Remove let at 172 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 184 - - Remove else branch of let at 184 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 183 - - Remove else branch of let at 183 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 172 - - Remove else branch of let at 172 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 219 - - Remove else branch of let at 219 - - Remove let at 23 - - Remove let at 24 - - Remove let at 23 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 45 - - Remove else branch of let at 45 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 44 - - Remove else branch of let at 44 - - Simplify pattern SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) (tuple expanded) at 24 - - Remove else branch of let at 24 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 83 - - Remove else branch of let at 83 - - Simplify pattern Context_Seal_Some(ct_9: bitstring) (tuple expanded) at 82 - - Remove else branch of let at 82 - - Simplify pattern SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 3 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - pk_1: pkey_t <- pk_2; - sk: skey_t <- the_sk; - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_1, sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_5: kemciph_t <- enc_4; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_7, nonce_8); - ct_9: bitstring <- ct_8; - ct_10: bitstring <- ct_9; - enc_6: kemciph_t <- enc_5; - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_2; - E_3: kemciph_t <- enc_6; - E_4: bitstring <- ct_10; - E_5: bitstring <- aad_8; - E_6: bitstring <- info_5; - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_9, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then - return(bottom) - else - skR_2: skey_t <- the_sk[i''_1]; - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_11, nonce_14) in - pt_8: bitstring <- pt_7; - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_2 (definition removed, all usages removed) - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on pt_8 (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - Remove assignments on nonce_10 (definition removed, all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on pk_1 (definition removed, all usages removed) - - Remove assignments on sk (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_5 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on E_1 (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {55}xor(nonce_6, seq_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {131}xor(nonce_9, seq_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - {190} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3]) && {202}((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {259}xor(nonce_12, seq_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 259 - - Replaced ((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) with ((u_3 = i'_1) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) at 202 - - In branch 1 of find at 190, substituting u_1 with i'_1 - - Replaced defined condition the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3] with info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1] in find at 190 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 131 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 55 -yields - -Game 5 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && {193}((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) with ((pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) at 193 -yields - -Game 6 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to seq_5 - - Move assignment to seq_4 -yields - -Game 7 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on u_1 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) -yields - -Game 8 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 9 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 10 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec)] - - Equivalence outsider_cca(AuthEncap) with variables: k -> ks, s -> s_1 -yields - -Game 11 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - {18} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_1: pkey_t <- pk_2; find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k, pk_R_1, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {117} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_1: pkey_t <- pk_3; cd: kemciph_t <- enc_7; find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then AuthDecap_Some(k'_1[u_6, u_7]) else AuthDecap(cd, skgen(s), pk_S_1)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {288} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_2: pkey_t <- pk_S; cd_1: kemciph_t <- enc_star; find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N^2 * P_pk_coll] - - Expand if/find/let - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 288 - - Remove else branch of let at 288 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 117 - - Remove else branch of let at 117 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 18 - - Remove else branch of let at 18 -yields - -Game 12 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - pk_R_1: pkey_t <- pk_2; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - shared_secret_3: kemkey_t <- k'_1; - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - pk_S_1: pkey_t <- pk_3; - cd: kemciph_t <- enc_7; - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then - shared_secret_4: kemkey_t <- k'_1[u_6, u_7]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S_1) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - pk_S_2: pkey_t <- pk_S; - cd_1: kemciph_t <- enc_star; - find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then - shared_secret_5: kemkey_t <- k'_1[u_4, u_5]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pk_S_2 (definition removed, all usages removed) - - Remove assignments on cd_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on pk_S_1 (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) - - Remove assignments on enc_4 (definition kept, array references kept) -yields - -Game 13 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {209} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(pk_2[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && {219}((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {416} find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(pk_2[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && {426}((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) with ((i''_1 = u_8[ri, ri_1]) && (ri_1 = i'_1) && (ce[ri, ri_1] = enc_star)) at 426 - - In branch 1 of find at 416, substituting u_5 with i'_1 - - Replaced defined condition pk_2[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1] with k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] in find at 416 - - Replaced ((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) with ((i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) at 219 - - Replaced defined condition pk_2[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3] with k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 209 -yields - -Game 14 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && {423}((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) with ((i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star)) at 423 -yields - -Game 15 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_1 - - Move random number generation k -yields - -Game 16 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k <-R kemseed_t; - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_5 (definition removed, all usages removed) - - Rename variable k into k_3, k_2 -yields - -Game 17 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence outsider_auth(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec)] - - Equivalence outsider_auth(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 -yields - -Game 18 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - {26} let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = (pk_R_3: pkey_t <- pk_2; let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in AuthEncap_tuple(k_6, ce_2) else AuthEncap_None) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - {160} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_2: pkey_t <- pk_2; let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in AuthEncap_tuple(k_5, ce_1) else AuthEncap_None) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - {321} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_3: pkey_t <- pk_3; cd_2: kemciph_t <- enc_7; {330}find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then AuthDecap_Some(k'_2[u_20, u_21]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then AuthDecap_Some(k'_3) orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(s[ri_15], pk_R_2[ri_14, ri_15], k_5[ri_14, ri_15], ce_1[ri_14, ri_15]) && (pkgen(s) = pk_R_2[ri_14, ri_15]) && (pkgen(s[ri_15]) = pk_S_3) && (ce_1[ri_14, ri_15] = cd_2) then AuthDecap_Some(k_5[u_18, u_19]) orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then AuthDecap_Some(k_6[u_16, u_17]) else find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in k'_2 <-R kemkey_t; AuthDecap_Some(k'_2) else AuthDecap_None else AuthDecap(cd_2, skgen(s), pk_S_3)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - {658} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_4: pkey_t <- pk_S; cd_3: kemciph_t <- enc_star; {663}find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then AuthDecap_Some(k'_2[u_13, u_14]) orfind u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(s[ri_8], pk_R_2[ri_7, ri_8], k_5[ri_7, ri_8], ce_1[ri_7, ri_8]) && (pkgen(s[i''_1]) = pk_R_2[ri_7, ri_8]) && (pkgen(s[ri_8]) = pk_S_4) && (ce_1[ri_7, ri_8] = cd_3) then AuthDecap_Some(k_5[u_11, u_12]) orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then AuthDecap_Some(k_6[u_9, u_10]) else {754}find u_15 = ri_11 <= N suchthat defined(s[ri_11]) && (pk_S_4 = pkgen(s[ri_11])) then let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in k'_3 <-R kemkey_t; AuthDecap_Some(k'_3) else AuthDecap_None else AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability (#Oaenc * N + N^2) * P_pk_coll] - - Expand if/find/let - - Remove else branch of find at 754 - - Remove let at 658 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 - - Remove else branch of let at 658 - - A single branch always succeeds in find at 754 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 - - Remove else branch of let at 658 - - Remove branch 2 in find at 663 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 - - Remove else branch of let at 658 - - Remove let at 321 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Remove branch 3 in find at 330 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 160 - - Remove else branch of let at 160 - - Simplify pattern AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 19 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - pk_R_3: pkey_t <- pk_2; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in - ce: kemciph_t <- ce_2; - k_1: kemkey_t <- k_6; - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - pk_R_2: pkey_t <- pk_2; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - shared_secret_3: kemkey_t <- k_5; - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- pk_3; - cd_2: kemciph_t <- enc_7; - find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then - shared_secret_4: kemkey_t <- k'_2[u_20, u_21]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then - shared_secret_4: kemkey_t <- k'_3; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then - shared_secret_4: kemkey_t <- k_6[u_16, u_17]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in - k'_2 <-R kemkey_t; - shared_secret_4: kemkey_t <- k'_2; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- pk_S; - cd_3: kemciph_t <- enc_star; - find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then - shared_secret_5: kemkey_t <- k'_2[u_13, u_14]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then - shared_secret_5: kemkey_t <- k_6[u_9, u_10]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in - k'_3 <-R kemkey_t; - shared_secret_5: kemkey_t <- k'_3; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pk_S_4 (definition point kept, all usages removed) - - Remove assignments on cd_3 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on pk_S_3 (definition point kept, all usages removed) - - Remove assignments on cd_2 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R_2 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) - - Remove assignments on enc_4 (definition kept, array references kept) - - Remove assignments on pk_R_3 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on k_1 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on ce (definition kept, array references kept) -yields - -Game 20 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - {407} find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17]) && {417}((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20, u_21], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(pk_S, enc_star, pk_S_4, s[i''_1], k'_3) && {493}((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(pk_2[ri_12, ri_13], k_3[ri_12, ri_13], s[ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && {567}((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k_6[u_16, u_17], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - {884} find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10]) && {894}((pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, u_14], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(pk_2[ri_5, ri_6], k_3[ri_5, ri_6], s[ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && {948}((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k_6[u_9, u_10], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) with ((i''_1 = u_8[ri_5, ri_6]) && (ri_6 = i'_1) && (ce_2[ri_5, ri_6] = enc_star)) at 948 - - Remove branch 2 in find at 884 - - Replaced ((pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) with ((i''_1 = ri_10) && (u_22[ri_9, ri_10] = i'_1) && (enc_7[ri_9, ri_10] = enc_star)) at 894 - - In branch 1 of find at 884, substituting u_14 with i''_1 - - Replaced defined condition pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10] with k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 884 - - Replaced ((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) with ((i = u_8[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) at 567 - - Remove branch 3 in find at 407 - - Replaced ((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) with ((i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7)) at 493 - - Replaced defined condition pk_S, enc_star, pk_S_4, s[i''_1], k'_3 with k'_3, enc_star, pk_S, i''_1 in find at 407 - - Replaced ((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) with ((i = ri_17) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) at 417 - - In branch 1 of find at 407, substituting u_21 with i - - Replaced defined condition pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17] with k'_2[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 407 -yields - -Game 21 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && {414}((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && {796}((i''_1 = i''_1) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i''_1 = i''_1) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) with ((u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) at 796 - - Replaced ((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) with ((pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) at 414 -yields - -Game 22 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pk_S_4 - - Move assignment to pk_S_3 -yields - -Game 23 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_14 (definition removed, all usages removed) - - Remove assignments on u_21 (definition removed, all usages removed) -yields - -Game 24 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 25 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - {26} let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = (k_8: kemseed_t <- k_3; pk_5: pkey_t <- pk_2; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_5, sk_2), AuthEncap_enc_r(k_8, pk_5, sk_2))) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - {226} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_7: kemseed_t <- k_2; pk_4: pkey_t <- pk_2; sk_1: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_4, sk_1), AuthEncap_enc_r(k_7, pk_4, sk_1))) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 226 - - Remove else branch of let at 226 - - Simplify pattern AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 26 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - k_8: kemseed_t <- k_3; - pk_5: pkey_t <- pk_2; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_8, pk_5, sk_2); - k_6: kemkey_t <- AuthEncap_key_r(k_8, pk_5, sk_2); - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - k_7: kemseed_t <- k_2; - pk_4: pkey_t <- pk_2; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_7, pk_4, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_7, pk_4, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_7 (definition removed, all usages removed) - - Remove assignments on pk_4 (definition removed, all usages removed) - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on pk_5 (definition removed, all usages removed) - - Remove assignments on k_6 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) -yields - -Game 27 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_3, k'_2, k'_1 [probability Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc)] - - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1, k'_2 -> k_1, k'_3 -> k_1 -yields - -Game 28 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_3: keys_t <- (x: bitstring <- info_5; {52}find [unique] u_37 = ri_43 <= Qdperuser, u_38 = ri_44 <= N suchthat defined(u_7[ri_43, ri_44], u_6[ri_43, ri_44], x_4[ri_43, ri_44], r_10[ri_43, ri_44]) && {61}((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) then r_10[u_37, u_38] orfind suchthat defined(i'_1, u_4, x_7, r_13) && {87}((u_4 = iae) && (i'_1 = i) && (x = x_7)) then r_13 else r_6 <-R keys_t; r_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - r_4: keys_t <- (x_1: bitstring <- info_6; {658}find [unique] u_29 = ri_29 <= Qdperuser, u_30 = ri_30 <= N suchthat defined(u_20[ri_29, ri_30], x_2[ri_29, ri_30], r_8[ri_29, ri_30]) && {665}((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) then r_8[u_29, u_30] orfind suchthat defined(i''_1, u_13, x_6, r_12) && {689}((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) then r_12 else r_7 <-R keys_t; r_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_5: bitstring <- info_star; {1050}find [unique] else r_11 <-R keys_t; r_11); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((u_4 = iae) && (i'_1 = i) && (x = x_7)) with false at 87 - - Remove branch 2 in find at 52 - - Replaced ((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) with false at 61 - - Remove branch 1 in find at 52 - - Find at 52 removed (else branch kept if any) - - Replaced ((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) with false at 689 - - Remove branch 2 in find at 658 - - Replaced ((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) with false at 665 - - Remove branch 1 in find at 658 - - Find at 658 removed (else branch kept if any) - - Find at 1050 removed (else branch kept if any) -yields - -Game 29 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_3: keys_t <- (x: bitstring <- info_5; r_6 <-R keys_t; r_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - r_4: keys_t <- (x_1: bitstring <- info_6; r_7 <-R keys_t; r_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_5: bitstring <- info_star; r_11 <-R keys_t; r_11); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 30 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - x: bitstring <- info_5; - r_6 <-R keys_t; - r_3: keys_t <- r_6; - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- info_6; - find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then - r_4: keys_t <- r_6[u_6, u_7]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then - r_4: keys_t <- r_10[u_35, u_36]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then - r_4: keys_t <- r_13; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - r_4: keys_t <- r_10; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- info_6; - find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then - r_4: keys_t <- r_7[u_20]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then - r_4: keys_t <- r_8[u_31, u_32]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then - r_4: keys_t <- r_12; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - r_4: keys_t <- r_8; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- info_6; - find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then - r_4: keys_t <- r_9[u_33, u_34]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then - r_4: keys_t <- r_11; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - r_4: keys_t <- r_9; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_6; - r_7 <-R keys_t; - r_4: keys_t <- r_7; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- info_star; - find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then - r_5: keys_t <- r_6[u_4, i'_1]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then - r_5: keys_t <- r_10[u_27, u_28]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - r_5: keys_t <- r_13; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- info_star; - find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then - r_5: keys_t <- r_7[u_13, i''_1]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then - r_5: keys_t <- r_8[u_25, u_26]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - r_5: keys_t <- r_12; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - x_5: bitstring <- info_star; - r_11 <-R keys_t; - r_5: keys_t <- r_11; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k'_3 (definition removed, all usages removed) - - Remove assignments on x_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x_6 (definition point kept, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x_7 (definition point kept, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on k'_2 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_2 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_3 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_4 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x (definition removed, all usages removed) - - Remove assignments on r_3 (definition removed, all usages removed) -yields - -Game 31 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {177} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- cst_bitstring; - {208} find [unique] suchthat defined(info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (info_6 = info_6[ri_39, ri_40]) then - nonce_9: nonce_t <- get2(r_10[u_35, u_36]); - key_8: key_t <- get1(r_10[u_35, u_36]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, x_7, r_13, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - {458} find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - {482} find [unique] suchthat defined(info_6[u_20], r_7[u_20]) && (info_6 = info_6[u_20]) then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (info_6 = info_6[ri_33, ri_34]) then - nonce_9: nonce_t <- get2(r_8[u_31, u_32]); - key_8: key_t <- get1(r_8[u_31, u_32]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, x_6, r_12, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - {725} find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (info_6 = info_6[ri_37, ri_38]) then - nonce_9: nonce_t <- get2(r_9[u_33, u_34]); - key_8: key_t <- get1(r_9[u_33, u_34]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, r_11) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else -{1053} find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; -{1073} find [unique] suchthat defined(info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1]) && (info_star = info_5[u_4, i'_1]) then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else -{1179} find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; -{1199} find [unique] suchthat defined(info_6[u_13, i''_1], r_7[u_13, i''_1]) && (info_star = info_6[u_13, i''_1]) then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (info_star = info_6[ri_21, ri_22]) then - nonce_12: nonce_t <- get2(r_8[u_25, u_26]); - key_10: key_t <- get1(r_8[u_25, u_26]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - In branch 2 of find at 1199, substituting u_26 with i''_1 - - Replaced defined condition info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_20[ri_21, ri_22] with r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1] in find at 1199 - - Replaced defined condition info_6[u_13, i''_1], r_7[u_13, i''_1] with an empty condition in find at 1199 - - Replaced defined condition r_7[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] with r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 1179 - - Replaced defined condition info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] with r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] in find at 1073 - - Replaced defined condition info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1] with an empty condition in find at 1073 - - Replaced defined condition ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1] with r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 1053 - - Replaced defined condition info_star, r_11 with an empty condition in find at 725 - - In branch 1 of find at 725, substituting u_34 with i - - Replaced defined condition info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38] with r_9[ri_37], info_6[ri_37] in find at 725 - - Replaced defined condition r_11, enc_star, pk_S, i''_1 with r_11, info_star, enc_star, pk_S, i''_1 in find at 458 - - Replaced defined condition info_star, x_6, r_12, i''_1, u_13 with r_12, info_star, i''_1, u_13 in find at 482 - - In branch 2 of find at 482, substituting u_32 with i - - Replaced defined condition info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_20[ri_33, ri_34] with r_8[ri_33], info_6[ri_33], u_20[ri_33] in find at 482 - - Replaced defined condition info_6[u_20], r_7[u_20] with an empty condition in find at 482 - - Replaced defined condition r_7[ri_16], enc_7[ri_16], pk_3[ri_16] with r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 458 - - Replaced defined condition info_star, x_7, r_13, i'_1, u_4 with r_13, info_star, i'_1, u_4 in find at 208 - - In branch 2 of find at 208, substituting u_36 with i - - Replaced defined condition info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40] with r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39] in find at 208 - - Replaced defined condition info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7] with an empty condition in find at 208 - - Replaced defined condition ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 177 -yields - -Game 32 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && {524}((u_20[ri_33] = u_20) && (i = i) && (info_6 = info_6[ri_33])) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && {1199}((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) with ((u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1])) at 1199 - - Replaced ((u_20[ri_33] = u_20) && (i = i) && (info_6 = info_6[ri_33])) with ((u_20[ri_33] = u_20) && (info_6 = info_6[ri_33])) at 524 -yields - -Game 33 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to x_6 - - Move assignment to x_7 - - Move assignment to x_2 - - Move assignment to x_3 - - Move assignment to x_4 -yields - -Game 34 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_26 (definition removed, all usages removed) - - Remove assignments on u_32 (definition removed, all usages removed) - - Remove assignments on u_34 (definition removed, all usages removed) - - Remove assignments on u_36 (definition removed, all usages removed) - - Remove assignments on k'_1 (definition removed, all usages removed) - - Remove assignments on k'_1 (definition removed, all usages removed) -yields - -Game 35 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_11 -> r -yields - -Game 36 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_12 -> r -yields - -Game 37 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_13 -> r -yields - -Game 38 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 39 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_9 -> r -yields - -Game 40 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_8 -> r -yields - -Game 41 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_10 -> r -yields - -Game 42 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- part2_6[u_35]; - key_8: key_t <- part1_6[u_35]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - r_10: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_6; - key_8: key_t <- part1_6; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- part2_6[u_27, u_28]; - key_10: key_t <- part1_6[u_27, u_28]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 43 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_6: nonce_t <- part2_7; - key_6: key_t <- part1_7; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- part2_7[u_6, u_7]; - key_8: key_t <- part1_7[u_6, u_7]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- part2_6[u_35]; - key_8: key_t <- part1_6[u_35]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - r_10: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_6; - key_8: key_t <- part1_6; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- part2_7[u_4, i'_1]; - key_10: key_t <- part1_7[u_4, i'_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- part2_6[u_27, u_28]; - key_10: key_t <- part1_6[u_27, u_28]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_11 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_12 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_13 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_9 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_10 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_6 (definition removed, all usages removed) - - Remove assignments on key_6 (definition removed, all usages removed) -yields - -Game 44 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_7[u_6, u_7], part2_7[u_6, u_7]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6[u_35], part2_6[u_35]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_2, part2_2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6, part2_6) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3[u_20], part2_3[u_20]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5[u_31], part2_5[u_31]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5, part2_5) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1, part2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3, part2_3) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_7[u_4, i'_1], part2_7[u_4, i'_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_6[u_27, u_28], part2_6[u_27, u_28]) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_2, part2_2) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_3[u_13, i''_1], part2_3[u_13, i''_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_5[u_25, i''_1], part2_5[u_25, i''_1]) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_1, part2_1) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1, part2) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1, part1_1, part1_5, part1_3, part1_2, part1_6, part1_7 [probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec)] - - Equivalence int_ctxt(Seal_inner) with variables: part2_2 -> n, part2_6 -> n, part2 -> n, part2_1 -> n, part2_5 -> n, part2_3 -> n, part2_7 -> n, part1_7 -> k_1, part1_6 -> k_1, part1_2 -> k_1, part1_3 -> k_1, part1_5 -> k_1, part1_1 -> k_1, part1 -> k_1 -yields - -Game 45 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; {328}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; {369}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; {395}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; {453}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; {498}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; {537}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; {563}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; {652}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; {727}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; {957}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; {971}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; {1009}find else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; {1038}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; {1052}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; {1073}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Find at 328 removed (else branch kept if any) - - Find at 369 removed (else branch kept if any) - - Find at 395 removed (else branch kept if any) - - Find at 453 removed (else branch kept if any) - - Find at 498 removed (else branch kept if any) - - Find at 537 removed (else branch kept if any) - - Find at 563 removed (else branch kept if any) - - Find at 652 removed (else branch kept if any) - - Find at 727 removed (else branch kept if any) - - Find at 957 removed (else branch kept if any) - - Find at 971 removed (else branch kept if any) - - Find at 1009 removed (else branch kept if any) - - Find at 1038 removed (else branch kept if any) - - Find at 1052 removed (else branch kept if any) - - Find at 1073 removed (else branch kept if any) -yields - -Game 46 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - {215} let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - {319} let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - {359} let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - {384} let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - {441} let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - {485} let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - {523} let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - {548} let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - {636} let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - {710} let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - {885} let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - {943} let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - {956} let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - {993} let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then -{1021} let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; -{1034} let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; -{1054} let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N^2 * P_pk_coll] - - Expand if/find/let - - Remove let at 1054 - - Remove let at 1034 - - Remove let at 1021 - - Remove let at 993 - - Remove let at 956 - - Remove let at 943 - - Remove let at 885 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 885 - - Remove else branch of let at 885 - - Remove let at 710 - - Remove let at 636 - - Remove let at 548 - - Remove let at 523 - - Remove let at 485 - - Remove let at 441 - - Remove let at 384 - - Remove let at 359 - - Remove let at 319 - - Remove let at 215 - - Simplify pattern injbot(pt_6: bitstring) (tuple expanded) at 215 - - Remove else branch of let at 215 -yields - -Game 47 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - x_8: bitstring <- m; - d: bitstring <- aad_8; - r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - y_7: bitstring <- c; - c_d_7: bitstring <- aad_9; - if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then - pt_6: bitstring <- x_8[u_6, u_7]; - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - y_8: bitstring <- c; - c_d_8: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - y_9: bitstring <- c; - c_d_9: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - y_6: bitstring <- c; - c_d_6: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - y_2: bitstring <- c; - c_d_2: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - y_3: bitstring <- c; - c_d_3: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - y_4: bitstring <- c; - c_d_4: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - y_1: bitstring <- c; - c_d_1: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - y_5: bitstring <- c; - c_d_5: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - y: bitstring <- c; - c_d: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - y_15: bitstring <- ciph_star; - c_d_15: bitstring <- aad_star; - if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then - pt_7: bitstring <- x_8[u_4, i'_1]; - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - y_16: bitstring <- ciph_star; - c_d_16: bitstring <- aad_star; - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - y_14: bitstring <- ciph_star; - c_d_14: bitstring <- aad_star; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - y_12: bitstring <- ciph_star; - c_d_12: bitstring <- aad_star; - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - y_13: bitstring <- ciph_star; - c_d_13: bitstring <- aad_star; - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - y_11: bitstring <- ciph_star; - c_d_11: bitstring <- aad_star; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - y_10: bitstring <- ciph_star; - c_d_10: bitstring <- aad_star; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on y_10 (definition removed, all usages removed) - - Remove assignments on c_d_10 (definition removed, all usages removed) - - Remove assignments on y_11 (definition removed, all usages removed) - - Remove assignments on c_d_11 (definition removed, all usages removed) - - Remove assignments on y_12 (definition removed, all usages removed) - - Remove assignments on c_d_12 (definition removed, all usages removed) - - Remove assignments on y_13 (definition removed, all usages removed) - - Remove assignments on c_d_13 (definition removed, all usages removed) - - Remove assignments on y_14 (definition removed, all usages removed) - - Remove assignments on c_d_14 (definition removed, all usages removed) - - Remove assignments on y_15 (definition removed, all usages removed) - - Remove assignments on c_d_15 (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) - - Remove assignments on y_16 (definition removed, all usages removed) - - Remove assignments on c_d_16 (definition removed, all usages removed) - - Remove assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on y_1 (definition removed, all usages removed) - - Remove assignments on c_d_1 (definition removed, all usages removed) - - Remove assignments on y_2 (definition removed, all usages removed) - - Remove assignments on c_d_2 (definition removed, all usages removed) - - Remove assignments on y_3 (definition removed, all usages removed) - - Remove assignments on c_d_3 (definition removed, all usages removed) - - Remove assignments on y_4 (definition removed, all usages removed) - - Remove assignments on c_d_4 (definition removed, all usages removed) - - Remove assignments on y_5 (definition removed, all usages removed) - - Remove assignments on c_d_5 (definition removed, all usages removed) - - Remove assignments on y_6 (definition removed, all usages removed) - - Remove assignments on c_d_6 (definition removed, all usages removed) - - Remove assignments on y_7 (definition removed, all usages removed) - - Remove assignments on c_d_7 (definition removed, all usages removed) - - Remove assignments on pt_6 (definition removed, all usages removed) - - Remove assignments on y_8 (definition removed, all usages removed) - - Remove assignments on c_d_8 (definition removed, all usages removed) - - Remove assignments on y_9 (definition removed, all usages removed) - - Remove assignments on c_d_9 (definition removed, all usages removed) - - Remove assignments on x_8 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_8 (definition kept, array references kept) -yields - -Game 48 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - {196} find [unique] suchthat info_6 = info_5[u_6, u_7] then - {208} if defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - {423} part2_5 <-R nonce_t; - {424} part1_5 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - {549} part2_3 <-R nonce_t; - {550} part1_3 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - {702} find [unique] suchthat info_star = info_5[u_4, i'_1] then - {708} if defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star) then - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - return(bottom) - else - {819} part2_1 <-R nonce_t; - {820} part1_1 <-R key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - {832} part2 <-R nonce_t; - {833} part1 <-R key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Transform unused random number generation at 833 into constant assignment - - Remove random number generation at 832 - - Transform unused random number generation at 820 into constant assignment - - Remove random number generation at 819 - - Simplified find at 708 in branch of find at 702 - - Transform unused random number generation at 550 into constant assignment - - Remove random number generation at 549 - - Transform unused random number generation at 424 into constant assignment - - Remove random number generation at 423 - - Simplified find at 208 in branch of find at 196 -yields - -Game 49 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {165} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - {196} find [unique] suchthat defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - {326} if info_6 = info_5[u_6, u_7] then - return(OpenAuth_Some(Context_Open_None)) - else - {343} part2_6 <-R nonce_t; - {344} part1_6 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part1_5: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part1_3: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - {716} find [unique] suchthat defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && {725}((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) then - event_abort adv_wins - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - {772} if info_star = info_5[u_4, i'_1] then - return(bottom) - else - {782} part2_2 <-R nonce_t; - {783} part1_2 <-R key_t; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - return(bottom) - else - part1_1: key_t <- cst_key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part1: key_t <- cst_key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Transformed find at 772 into a test - - Transform unused random number generation at 783 into constant assignment - - Remove random number generation at 782 - - Replaced ((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) with false at 725 - - Remove branch 1 in find at 716 - - Transformed find at 326 into a test - - Transform unused random number generation at 344 into constant assignment - - Remove random number generation at 343 - - Replaced defined condition m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7] with an empty condition in find at 196 - - Replaced defined condition part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 165 -yields - -Game 50 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - if info_6 = info_5[u_6, u_7] then - return(OpenAuth_Some(Context_Open_None)) - else - part1_6: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part1_5: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part1_3: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - if info_star = info_5[u_4, i'_1] then - return(bottom) - else - part1_2: key_t <- cst_key_t; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - return(bottom) - else - part1_1: key_t <- cst_key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part1: key_t <- cst_key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Proved event(adv_wins) ==> false in game 50 -Adv[Game 1: event(adv_wins) ==> false] <= Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) + Adv[Game 50: event(adv_wins) ==> false] -Adv[Game 50: event(adv_wins) ==> false] <= 0 -RESULT Proved event(adv_wins) ==> false up to probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) -RESULT time_1 = time + time(context for game 10) = #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_6)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_9)) + #Oadec * time(let injbot, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 10: ct_8), maxlength(game 10: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 10: aad_8), maxlength(game 10: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 10: info_5), maxlength(game 10: info_star)) + time(KeySchedule_auth, maxlength(game 10: info_star)) + time(Open_inner, maxlength(game 10: ciph_star), maxlength(game 10: aad_star)) + time(let injbot, maxlength(game 10: pt_7)) + time -RESULT time_2 = time + time(context for game 17) = 2 * #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 17: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 17: m), maxlength(game 17: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 17: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 17: info_6)) + #Oadec * time(Open_inner, maxlength(game 17: c), maxlength(game 17: aad_9)) + #Oadec * time(let injbot, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 17: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 17: ct_8), maxlength(game 17: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 17: aad_8), maxlength(game 17: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 17: info_5), maxlength(game 17: info_star)) + time(KeySchedule_auth, maxlength(game 17: info_star)) + time(Open_inner, maxlength(game 17: ciph_star), maxlength(game 17: aad_star)) + time(let injbot, maxlength(game 17: pt_7)) + time -RESULT time_3 = time + time(context for game 27) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 27: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 27: m), maxlength(game 27: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 27: ct_8)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 27: info_6)) + #Oadec * time(Open_inner, maxlength(game 27: c), maxlength(game 27: aad_9)) + #Oadec * time(let injbot, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 27: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 27: ct_8), maxlength(game 27: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 27: aad_8), maxlength(game 27: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 27: info_5), maxlength(game 27: info_star)) + time(Open_inner, maxlength(game 27: ciph_star), maxlength(game 27: aad_star)) + time(let injbot, maxlength(game 27: pt_7)) + time -RESULT time_4 = time + time(context for game 44) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 44: info_5)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 44: m), maxlength(game 44: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 44: ct_8)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_5)) + (#Oadec + #Oadec * Qdperuser) * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_6)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_star)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 44: info_6)) + #Oadec * time(Open_inner, maxlength(game 44: c), maxlength(game 44: aad_9)) + #Oadec * time(let injbot, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 44: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 44: ct_8), maxlength(game 44: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 44: aad_8), maxlength(game 44: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 44: info_5), maxlength(game 44: info_star)) + time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_5)) + (#Oadec + 1 + Qdperuser) * time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_6)) + time(let injbot, maxlength(game 44: pt_7)) + time -All queries proved. +Initial state +Game 1 is + (( + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = (let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_9: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in + insert E(the_pk, pk_2, enc_6, ct_10, aad_8, info_5); + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + get E(=pk_S, =pk_R, =enc_star, =ciph_star, =aad_star, =info_star) in + return(bottom) + else + let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + (( + foreach i <= N do + Osetup() := + {5} let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + {23} let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = {24}(let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in {44}let KeySchedule_Some(ctx_6: context_t) = {45}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {82}let Context_Seal_Some(ct_9: bitstring) = {83}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in + E_3: pkey_t <- the_pk; + E_4: pkey_t <- pk_2; + E_5: kemciph_t <- enc_6; + E_6: bitstring <- ct_10; + E_7: bitstring <- aad_8; + E_8: bitstring <- info_5; + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + return({172}(let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in {183}let KeySchedule_Some(ctx_8: context_t) = {184}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({219}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + {255} find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3], E_8[u_2, u_3]) && (E_3[u_2, u_3] = pk_S) && (E_4[u_2, u_3] = pk_R) && (E_5[u_2, u_3] = enc_star) && (E_6[u_2, u_3] = ciph_star) && (E_7[u_2, u_3] = aad_star) && (E_8[u_2, u_3] = info_star) then + return(bottom) + else + {321} let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; {325}let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in {331}let KeySchedule_Some(ctx_10: context_t) = {332}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({353}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 321 + - Remove let at 325 + - Remove let at 321 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 331 + - Remove else branch of let at 331 + - Simplify pattern SetupAuthR_Some(ctx_11: context_t) (tuple expanded) at 325 + - Remove else branch of let at 325 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 353 + - Remove else branch of let at 353 + - Simplify pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 + - Remove let at 321 + - Simplify pattern Context_Open_Some(pt_8: bitstring) (tuple expanded), pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Replaced defined condition the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i''] with the_sk[i''], the_pk[i''], the_pk[i'] in find at 255 + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 5 + - Remove let at 172 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 184 + - Remove else branch of let at 184 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 183 + - Remove else branch of let at 183 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 172 + - Remove else branch of let at 172 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 219 + - Remove else branch of let at 219 + - Remove let at 23 + - Remove let at 24 + - Remove let at 23 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 45 + - Remove else branch of let at 45 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 44 + - Remove else branch of let at 44 + - Simplify pattern SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) (tuple expanded) at 24 + - Remove else branch of let at 24 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 83 + - Remove else branch of let at 83 + - Simplify pattern Context_Seal_Some(ct_9: bitstring) (tuple expanded) at 82 + - Remove else branch of let at 82 + - Simplify pattern SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) (tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 3 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + pk_1: pkey_t <- pk_2; + sk: skey_t <- the_sk; + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_1, sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_5: kemciph_t <- enc_4; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_7, nonce_8); + ct_9: bitstring <- ct_8; + ct_10: bitstring <- ct_9; + enc_6: kemciph_t <- enc_5; + E_3: pkey_t <- the_pk; + E_4: pkey_t <- pk_2; + E_5: kemciph_t <- enc_6; + E_6: bitstring <- ct_10; + E_7: bitstring <- aad_8; + E_8: bitstring <- info_5; + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_9, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3], E_8[u_2, u_3]) && (E_3[u_2, u_3] = pk_S) && (E_4[u_2, u_3] = pk_R) && (E_5[u_2, u_3] = enc_star) && (E_6[u_2, u_3] = ciph_star) && (E_7[u_2, u_3] = aad_star) && (E_8[u_2, u_3] = info_star) then + return(bottom) + else + skR_2: skey_t <- the_sk[i''_1]; + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_11, nonce_14) in + pt_8: bitstring <- pt_7; + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_2 (definition removed, all usages removed) + - Remove assignments on ctx_11 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on pt_8 (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on pk_1 (definition removed, all usages removed) + - Remove assignments on sk (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_5 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on E_7 (definition removed, all usages removed) + - Remove assignments on E_8 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {55}xor(nonce_6, seq_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {131}xor(nonce_9, seq_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + {190} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3]) && {202}((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- {259}xor(nonce_12, seq_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, seq_5) with nonce_12 at 259 + - Replaced ((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) with ((u_3 = i'_1) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) at 202 + - In branch 1 of find at 190, substituting u_1 with i'_1 + - Replaced defined condition the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3] with info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1] in find at 190 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 131 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 55 +yields + +Game 5 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && {193}((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) with ((pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) at 193 +yields + +Game 6 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to seq_5 + - Move assignment to seq_4 +yields + +Game 7 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on nonce_14 (definition removed, all usages removed) + - Remove assignments on u_1 (definition removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 8 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 9 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 10 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec)] + - Equivalence outsider_cca(AuthEncap) with variables: k -> ks, s -> s_1 +yields + +Game 11 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + {18} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_1: pkey_t <- pk_2; find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in k': kemkey_t <- cst_kemkey_t; E_9: pkey_t <- pkgen(s); AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k, pk_R_1, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {121} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_1: pkey_t <- pk_3; cd: kemciph_t <- enc_7; find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], pk_R_1[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_S_1) && (pk_R_1[ri_2, ri_3] = pkgen(s)) && (ce[ri_2, ri_3] = cd) then AuthDecap_Some(k'_1[u_6, u_7]) else AuthDecap(cd, skgen(s), pk_S_1)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + {291} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_2: pkey_t <- pk_S; cd_1: kemciph_t <- enc_star; find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'_1[ri, ri_1], ce[ri, ri_1], pk_R_1[ri, ri_1], E_9[ri, ri_1]) && (E_9[ri, ri_1] = pk_S_2) && (pk_R_1[ri, ri_1] = pkgen(s[i''_1])) && (ce[ri, ri_1] = cd_1) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 291 + - Remove else branch of let at 291 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 121 + - Remove else branch of let at 121 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 18 + - Remove else branch of let at 18 +yields + +Game 12 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + pk_R_1: pkey_t <- pk_2; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + shared_secret_3: kemkey_t <- k'_1; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + pk_S_1: pkey_t <- pk_3; + cd: kemciph_t <- enc_7; + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], pk_R_1[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_S_1) && (pk_R_1[ri_2, ri_3] = pkgen(s)) && (ce[ri_2, ri_3] = cd) then + shared_secret_4: kemkey_t <- k'_1[u_6, u_7]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S_1) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + pk_S_2: pkey_t <- pk_S; + cd_1: kemciph_t <- enc_star; + find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'_1[ri, ri_1], ce[ri, ri_1], pk_R_1[ri, ri_1], E_9[ri, ri_1]) && (E_9[ri, ri_1] = pk_S_2) && (pk_R_1[ri, ri_1] = pkgen(s[i''_1])) && (ce[ri, ri_1] = cd_1) then + shared_secret_5: kemkey_t <- k'_1[u_4, u_5]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_S_2 (definition removed, all usages removed) + - Remove assignments on cd_1 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on pk_S_1 (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R_1 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) + - Remove assignments on enc_4 (definition kept, array references kept) +yields + +Game 13 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {211} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(pk_2[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], E_9[ri_2, ri_3]) && {220}((E_9[ri_2, ri_3] = pk_3) && (pk_2[ri_2, ri_3] = pkgen(s)) && (ce[ri_2, ri_3] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + {417} find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(pk_2[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1], E_9[ri, ri_1]) && {426}((E_9[ri, ri_1] = pk_S) && (pk_2[ri, ri_1] = pkgen(s[i''_1])) && (ce[ri, ri_1] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((E_9[ri, ri_1] = pk_S) && (pk_2[ri, ri_1] = pkgen(s[i''_1])) && (ce[ri, ri_1] = enc_star)) with ((ri_1 = i'_1) && (u_8[ri, ri_1] = i''_1) && (ce[ri, ri_1] = enc_star)) at 426 + - In branch 1 of find at 417, substituting u_5 with i'_1 + - Replaced defined condition pk_2[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1], E_9[ri, ri_1] with E_9[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] in find at 417 + - Replaced ((E_9[ri_2, ri_3] = pk_3) && (pk_2[ri_2, ri_3] = pkgen(s)) && (ce[ri_2, ri_3] = enc_7)) with ((E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7)) at 220 + - Replaced defined condition pk_2[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], E_9[ri_2, ri_3] with k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3] in find at 211 +yields + +Game 14 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(E_9[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && {424}((i'_1 = i'_1) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star)) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((i'_1 = i'_1) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star)) with ((u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star)) at 424 +yields + +Game 15 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(E_9[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_1 + - Move random number generation k +yields + +Game 16 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k <-R kemseed_t; + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(E_9[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_5 (definition removed, all usages removed) + - Rename variable k into k_3, k_2 +yields + +Game 17 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(E_9[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_auth(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec)] + - Equivalence outsider_auth(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 +yields + +Game 18 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + {26} let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = (pk_R_3: pkey_t <- pk_2; let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in E_11: pkey_t <- pkgen(s); AuthEncap_tuple(k_6, ce_2) else AuthEncap_None) in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + {166} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_2: pkey_t <- pk_2; let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in E_10: pkey_t <- pkgen(s); AuthEncap_tuple(k_5, ce_1) else AuthEncap_None) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + {332} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_3: pkey_t <- pk_3; cd_2: kemciph_t <- enc_7; {341}find u_20 = ri_16 <= Qeperuser, u_21 = ri_17 <= N suchthat defined(pk_R_2[ri_16, ri_17], ce_1[ri_16, ri_17], k_5[ri_16, ri_17], E_10[ri_16, ri_17]) && (E_10[ri_16, ri_17] = pk_S_3) && (pk_R_2[ri_16, ri_17] = pkgen(s)) && (ce_1[ri_16, ri_17] = cd_2) then AuthDecap_Some(k_5[u_20, u_21]) orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(pk_R_3[ri_14, ri_15], ce_2[ri_14, ri_15], k_6[ri_14, ri_15], E_11[ri_14, ri_15]) && (E_11[ri_14, ri_15] = pk_S_3) && (pk_R_3[ri_14, ri_15] = pkgen(s)) && (ce_2[ri_14, ri_15] = cd_2) then AuthDecap_Some(k_6[u_18, u_19]) orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(pk_S_3[ri_12, ri_13], cd_2[ri_12, ri_13], k'_2[ri_12, ri_13], E_12[ri_12, ri_13]) && (pk_S_3[ri_12, ri_13] = pk_S_3) && (E_12[ri_12, ri_13] = pkgen(s)) && (cd_2[ri_12, ri_13] = cd_2) then AuthDecap_Some(k'_2[u_16, u_17]) orfind suchthat defined(pk_S_4, cd_3, k'_3, E_13) && (pk_S_4 = pk_S_3) && (E_13 = pkgen(s)) && (cd_3 = cd_2) then AuthDecap_Some(k'_3) else find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in k'_2 <-R kemkey_t; E_12: pkey_t <- pkgen(s); AuthDecap_Some(k'_2) else AuthDecap_None else AuthDecap(cd_2, skgen(s), pk_S_3)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + {673} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_4: pkey_t <- pk_S; cd_3: kemciph_t <- enc_star; {678}find u_13 = ri_9 <= Qeperuser, u_14 = ri_10 <= N suchthat defined(pk_R_2[ri_9, ri_10], ce_1[ri_9, ri_10], k_5[ri_9, ri_10], E_10[ri_9, ri_10]) && (E_10[ri_9, ri_10] = pk_S_4) && (pk_R_2[ri_9, ri_10] = pkgen(s[i''_1])) && (ce_1[ri_9, ri_10] = cd_3) then AuthDecap_Some(k_5[u_13, u_14]) orfind u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(pk_R_3[ri_7, ri_8], ce_2[ri_7, ri_8], k_6[ri_7, ri_8], E_11[ri_7, ri_8]) && (E_11[ri_7, ri_8] = pk_S_4) && (pk_R_3[ri_7, ri_8] = pkgen(s[i''_1])) && (ce_2[ri_7, ri_8] = cd_3) then AuthDecap_Some(k_6[u_11, u_12]) orfind u_9 = ri_5 <= Qdperuser, u_10 = ri_6 <= N suchthat defined(pk_S_3[ri_5, ri_6], cd_2[ri_5, ri_6], k'_2[ri_5, ri_6], E_12[ri_5, ri_6]) && (pk_S_3[ri_5, ri_6] = pk_S_4) && (E_12[ri_5, ri_6] = pkgen(s[i''_1])) && (cd_2[ri_5, ri_6] = cd_3) then AuthDecap_Some(k'_2[u_9, u_10]) else {772}find u_15 = ri_11 <= N suchthat defined(s[ri_11]) && (pk_S_4 = pkgen(s[ri_11])) then let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in k'_3 <-R kemkey_t; E_13: pkey_t <- pkgen(s[i''_1]); AuthDecap_Some(k'_3) else AuthDecap_None else AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability (#Oaenc * N + N^2) * P_pk_coll] + - Expand if/find/let + - Remove else branch of find at 772 + - Remove let at 673 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 673 + - Remove else branch of let at 673 + - A single branch always succeeds in find at 772 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 673 + - Remove else branch of let at 673 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 673 + - Remove else branch of let at 673 + - Remove branch 1 in find at 678 + - Remove let at 332 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Remove branch 1 in find at 341 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 166 + - Remove else branch of let at 166 + - Simplify pattern AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + +Game 19 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + pk_R_3: pkey_t <- pk_2; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in + E_11: pkey_t <- pkgen(s); + ce: kemciph_t <- ce_2; + k_1: kemkey_t <- k_6; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + pk_R_2: pkey_t <- pk_2; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in + E_10: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_1; + shared_secret_3: kemkey_t <- k_5; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- pk_3; + cd_2: kemciph_t <- enc_7; + find u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(pk_R_3[ri_14, ri_15], ce_2[ri_14, ri_15], k_6[ri_14, ri_15], E_11[ri_14, ri_15]) && (E_11[ri_14, ri_15] = pk_S_3) && (pk_R_3[ri_14, ri_15] = pkgen(s)) && (ce_2[ri_14, ri_15] = cd_2) then + shared_secret_4: kemkey_t <- k_6[u_18, u_19]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(pk_S_3[ri_12, ri_13], cd_2[ri_12, ri_13], k'_2[ri_12, ri_13], E_12[ri_12, ri_13]) && (pk_S_3[ri_12, ri_13] = pk_S_3) && (E_12[ri_12, ri_13] = pkgen(s)) && (cd_2[ri_12, ri_13] = cd_2) then + shared_secret_4: kemkey_t <- k'_2[u_16, u_17]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(pk_S_4, cd_3, k'_3, E_13) && (pk_S_4 = pk_S_3) && (E_13 = pkgen(s)) && (cd_3 = cd_2) then + shared_secret_4: kemkey_t <- k'_3; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in + k'_2 <-R kemkey_t; + E_12: pkey_t <- pkgen(s); + shared_secret_4: kemkey_t <- k'_2; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- pk_S; + cd_3: kemciph_t <- enc_star; + find u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(pk_R_3[ri_7, ri_8], ce_2[ri_7, ri_8], k_6[ri_7, ri_8], E_11[ri_7, ri_8]) && (E_11[ri_7, ri_8] = pk_S_4) && (pk_R_3[ri_7, ri_8] = pkgen(s[i''_1])) && (ce_2[ri_7, ri_8] = cd_3) then + shared_secret_5: kemkey_t <- k_6[u_11, u_12]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_9 = ri_5 <= Qdperuser, u_10 = ri_6 <= N suchthat defined(pk_S_3[ri_5, ri_6], cd_2[ri_5, ri_6], k'_2[ri_5, ri_6], E_12[ri_5, ri_6]) && (pk_S_3[ri_5, ri_6] = pk_S_4) && (E_12[ri_5, ri_6] = pkgen(s[i''_1])) && (cd_2[ri_5, ri_6] = cd_3) then + shared_secret_5: kemkey_t <- k'_2[u_9, u_10]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in + k'_3 <-R kemkey_t; + E_13: pkey_t <- pkgen(s[i''_1]); + shared_secret_5: kemkey_t <- k'_3; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_S_4 (definition point kept, all usages removed) + - Remove assignments on cd_3 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on pk_S_3 (definition point kept, all usages removed) + - Remove assignments on cd_2 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R_2 (definition removed, all usages removed) + - Remove assignments on E_10 (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) + - Remove assignments on enc_4 (definition kept, array references kept) + - Remove assignments on pk_R_3 (definition removed, all usages removed) + - Remove assignments on k_1 (definition removed, all usages removed) + - Remove assignments on ce (definition kept, array references kept) +yields + +Game 20 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + E_11: pkey_t <- pkgen(s); + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + {423} find u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(pk_2[ri_14, ri_15], k_3[ri_14, ri_15], ce_2[ri_14, ri_15], k_6[ri_14, ri_15], E_11[ri_14, ri_15]) && {434}((E_11[ri_14, ri_15] = pk_3) && (pk_2[ri_14, ri_15] = pkgen(s)) && (ce_2[ri_14, ri_15] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k_6[u_18, u_19], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_16 = ri_12 <= Qdperuser, u_17 = ri_13 <= N suchthat defined(pk_3[ri_12, ri_13], enc_7[ri_12, ri_13], pk_S_3[ri_12, ri_13], k'_2[ri_12, ri_13], E_12[ri_12, ri_13]) && {519}((pk_3[ri_12, ri_13] = pk_3) && (E_12[ri_12, ri_13] = pkgen(s)) && (enc_7[ri_12, ri_13] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_16, u_17], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(pk_S, enc_star, pk_S_4, k'_3, E_13) && {594}((pk_S = pk_3) && (E_13 = pkgen(s)) && (enc_star = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + E_12: pkey_t <- pkgen(s); + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; + {904} find u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(pk_2[ri_7, ri_8], k_3[ri_7, ri_8], ce_2[ri_7, ri_8], k_6[ri_7, ri_8], E_11[ri_7, ri_8]) && {915}((E_11[ri_7, ri_8] = pk_S) && (pk_2[ri_7, ri_8] = pkgen(s[i''_1])) && (ce_2[ri_7, ri_8] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k_6[u_11, u_12], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_9 = ri_5 <= Qdperuser, u_10 = ri_6 <= N suchthat defined(pk_3[ri_5, ri_6], enc_7[ri_5, ri_6], pk_S_3[ri_5, ri_6], k'_2[ri_5, ri_6], E_12[ri_5, ri_6]) && {970}((pk_3[ri_5, ri_6] = pk_S) && (E_12[ri_5, ri_6] = pkgen(s[i''_1])) && (enc_7[ri_5, ri_6] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, u_10], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + E_13: pkey_t <- pkgen(s[i''_1]); + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((pk_3[ri_5, ri_6] = pk_S) && (E_12[ri_5, ri_6] = pkgen(s[i''_1])) && (enc_7[ri_5, ri_6] = enc_star)) with ((u_22[ri_5, ri_6] = i'_1) && (ri_6 = i''_1) && (enc_7[ri_5, ri_6] = enc_star)) at 970 + - In branch 2 of find at 904, substituting u_10 with i''_1 + - Replaced defined condition pk_3[ri_5, ri_6], enc_7[ri_5, ri_6], pk_S_3[ri_5, ri_6], k'_2[ri_5, ri_6], E_12[ri_5, ri_6] with E_12[ri_5, i''_1], k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1] in find at 904 + - Replaced ((E_11[ri_7, ri_8] = pk_S) && (pk_2[ri_7, ri_8] = pkgen(s[i''_1])) && (ce_2[ri_7, ri_8] = enc_star)) with ((ri_8 = i'_1) && (u_8[ri_7, ri_8] = i''_1) && (ce_2[ri_7, ri_8] = enc_star)) at 915 + - Remove branch 1 in find at 904 + - Replaced ((pk_S = pk_3) && (E_13 = pkgen(s)) && (enc_star = enc_7)) with ((pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7)) at 594 + - Replaced defined condition pk_S, enc_star, pk_S_4, k'_3, E_13 with E_13, k'_3, enc_star, i''_1, pk_S in find at 423 + - Replaced ((pk_3[ri_12, ri_13] = pk_3) && (E_12[ri_12, ri_13] = pkgen(s)) && (enc_7[ri_12, ri_13] = enc_7)) with ((pk_3[ri_12, ri_13] = pk_3) && (ri_13 = i) && (enc_7[ri_12, ri_13] = enc_7)) at 519 + - In branch 2 of find at 423, substituting u_17 with i + - Replaced defined condition pk_3[ri_12, ri_13], enc_7[ri_12, ri_13], pk_S_3[ri_12, ri_13], k'_2[ri_12, ri_13], E_12[ri_12, ri_13] with E_12[ri_12], k'_2[ri_12], enc_7[ri_12], pk_3[ri_12] in find at 423 + - Replaced ((E_11[ri_14, ri_15] = pk_3) && (pk_2[ri_14, ri_15] = pkgen(s)) && (ce_2[ri_14, ri_15] = enc_7)) with ((E_11[ri_14, ri_15] = pk_3) && (u_8[ri_14, ri_15] = i) && (ce_2[ri_14, ri_15] = enc_7)) at 434 + - Remove branch 1 in find at 423 +yields + +Game 21 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + E_11: pkey_t <- pkgen(s); + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + find u_16 = ri_12 <= Qdperuser suchthat defined(E_12[ri_12], k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && {432}((pk_3[ri_12] = pk_3) && (i = i) && (enc_7[ri_12] = enc_7)) then + u_17 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(E_13, k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + E_12: pkey_t <- pkgen(s); + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; + find u_9 = ri_5 <= Qdperuser suchthat defined(E_12[ri_5, i''_1], k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && {821}((u_22[ri_5, i''_1] = i'_1) && (i''_1 = i''_1) && (enc_7[ri_5, i''_1] = enc_star)) then + u_10 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + E_13: pkey_t <- pkgen(s[i''_1]); + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((u_22[ri_5, i''_1] = i'_1) && (i''_1 = i''_1) && (enc_7[ri_5, i''_1] = enc_star)) with ((u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star)) at 821 + - Replaced ((pk_3[ri_12] = pk_3) && (i = i) && (enc_7[ri_12] = enc_7)) with ((pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7)) at 432 +yields + +Game 22 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + E_11: pkey_t <- pkgen(s); + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + find u_16 = ri_12 <= Qdperuser suchthat defined(E_12[ri_12], k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + u_17 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(E_13, k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + E_12: pkey_t <- pkgen(s); + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; + find u_9 = ri_5 <= Qdperuser suchthat defined(E_12[ri_5, i''_1], k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + u_10 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + E_13: pkey_t <- pkgen(s[i''_1]); + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pk_S_4 + - Move assignment to pk_S_3 +yields + +Game 23 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + E_11: pkey_t <- pkgen(s); + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(E_12[ri_12], k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + u_17 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(E_13, k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + E_12: pkey_t <- pkgen(s); + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(E_12[ri_5, i''_1], k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + u_10 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + E_13: pkey_t <- pkgen(s[i''_1]); + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on E_13 (definition removed, all usages removed) + - Remove assignments on u_10 (definition removed, all usages removed) + - Remove assignments on E_12 (definition removed, all usages removed) + - Remove assignments on u_17 (definition removed, all usages removed) + - Remove assignments on E_11 (definition removed, all usages removed) +yields + +Game 24 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 25 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + {26} let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = (k_8: kemseed_t <- k_3; pk_5: pkey_t <- pk_2; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_5, sk_2), AuthEncap_enc_r(k_8, pk_5, sk_2))) in + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + {236} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_7: kemseed_t <- k_2; pk_4: pkey_t <- pk_2; sk_1: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_4, sk_1), AuthEncap_enc_r(k_7, pk_4, sk_1))) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 236 + - Remove else branch of let at 236 + - Simplify pattern AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + +Game 26 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + k_8: kemseed_t <- k_3; + pk_5: pkey_t <- pk_2; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_8, pk_5, sk_2); + k_6: kemkey_t <- AuthEncap_key_r(k_8, pk_5, sk_2); + ce: kemciph_t <- ce_2; + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + k_7: kemseed_t <- k_2; + pk_4: pkey_t <- pk_2; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_7, pk_4, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_7, pk_4, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_7 (definition removed, all usages removed) + - Remove assignments on pk_4 (definition removed, all usages removed) + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on pk_5 (definition removed, all usages removed) + - Remove assignments on k_6 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) +yields + +Game 27 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_16], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_9, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence prf(KeySchedule_auth) with k'_3, k'_2, k'_1 [probability Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc)] + - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1, k'_2 -> k_1, k'_3 -> k_1 +yields + +Game 28 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_3: keys_t <- (x: bitstring <- info_5; {56}find [unique] u_37 = ri_43 <= Qdperuser, u_38 = ri_44 <= N suchthat defined(u_7[ri_43, ri_44], u_6[ri_43, ri_44], x_4[ri_43, ri_44], r_10[ri_43, ri_44]) && {65}((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) then r_10[u_37, u_38] orfind suchthat defined(i'_1, u_4, x_7, r_13) && {91}((u_4 = iae) && (i'_1 = i) && (x = x_7)) then r_13 else r_6 <-R keys_t; r_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_16], r_7[u_16]) && (x_2 = x_1[u_16]) then r_7[u_16] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_16[ri_33, ri_34]) && (u_16[ri_33, ri_34] = u_16) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + r_4: keys_t <- (x_1: bitstring <- info_6; {664}find [unique] u_29 = ri_29 <= Qdperuser, u_30 = ri_30 <= N suchthat defined(u_16[ri_29, ri_30], x_2[ri_29, ri_30], r_8[ri_29, ri_30]) && {671}((u_16[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) then r_8[u_29, u_30] orfind suchthat defined(i''_1, u_9, x_6, r_12) && {695}((u_9 = iad) && (i''_1 = i) && (x_1 = x_6)) then r_12 else r_7 <-R keys_t; r_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_9, i''_1], r_7[u_9, i''_1]) && (x_6 = x_1[u_9, i''_1]) then r_7[u_9, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_16[ri_21, ri_22]) && (u_16[ri_21, ri_22] = u_9) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_5: bitstring <- info_star; {1056}find [unique] else r_11 <-R keys_t; r_11); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((u_4 = iae) && (i'_1 = i) && (x = x_7)) with false at 91 + - Remove branch 2 in find at 56 + - Replaced ((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) with false at 65 + - Remove branch 1 in find at 56 + - Find at 56 removed (else branch kept if any) + - Replaced ((u_9 = iad) && (i''_1 = i) && (x_1 = x_6)) with false at 695 + - Remove branch 2 in find at 664 + - Replaced ((u_16[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) with false at 671 + - Remove branch 1 in find at 664 + - Find at 664 removed (else branch kept if any) + - Find at 1056 removed (else branch kept if any) +yields + +Game 29 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_3: keys_t <- (x: bitstring <- info_5; r_6 <-R keys_t; r_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_16], r_7[u_16]) && (x_2 = x_1[u_16]) then r_7[u_16] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_16[ri_33, ri_34]) && (u_16[ri_33, ri_34] = u_16) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + r_4: keys_t <- (x_1: bitstring <- info_6; r_7 <-R keys_t; r_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_9, i''_1], r_7[u_9, i''_1]) && (x_6 = x_1[u_9, i''_1]) then r_7[u_9, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_16[ri_21, ri_22]) && (u_16[ri_21, ri_22] = u_9) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_5: bitstring <- info_star; r_11 <-R keys_t; r_11); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 30 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + x: bitstring <- info_5; + r_6 <-R keys_t; + r_3: keys_t <- r_6; + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- info_6; + find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then + r_4: keys_t <- r_6[u_6, u_7]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then + r_4: keys_t <- r_10[u_35, u_36]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then + r_4: keys_t <- r_13; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + r_4: keys_t <- r_10; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(k'_2[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + x_2: bitstring <- info_6; + find [unique] suchthat defined(x_1[u_16], r_7[u_16]) && (x_2 = x_1[u_16]) then + r_4: keys_t <- r_7[u_16]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_16[ri_33, ri_34]) && (u_16[ri_33, ri_34] = u_16) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then + r_4: keys_t <- r_8[u_31, u_32]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, x_6, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (x_2 = x_6) then + r_4: keys_t <- r_12; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + r_4: keys_t <- r_8; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + x_3: bitstring <- info_6; + find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then + r_4: keys_t <- r_9[u_33, u_34]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then + r_4: keys_t <- r_11; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + r_4: keys_t <- r_9; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_6; + r_7 <-R keys_t; + r_4: keys_t <- r_7; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- info_star; + find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then + r_5: keys_t <- r_6[u_4, i'_1]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then + r_5: keys_t <- r_10[u_27, u_28]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + r_5: keys_t <- r_13; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(k'_2[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + x_6: bitstring <- info_star; + find [unique] suchthat defined(x_1[u_9, i''_1], r_7[u_9, i''_1]) && (x_6 = x_1[u_9, i''_1]) then + r_5: keys_t <- r_7[u_9, i''_1]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_16[ri_21, ri_22]) && (u_16[ri_21, ri_22] = u_9) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then + r_5: keys_t <- r_8[u_25, u_26]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + r_5: keys_t <- r_12; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + x_5: bitstring <- info_star; + r_11 <-R keys_t; + r_5: keys_t <- r_11; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_3 (definition removed, all usages removed) + - Remove assignments on x_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x_6 (definition point kept, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x_7 (definition point kept, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on k'_2 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_2 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_3 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_4 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x (definition removed, all usages removed) + - Remove assignments on r_3 (definition removed, all usages removed) +yields + +Game 31 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {182} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + {214} find [unique] suchthat defined(info_5[u_6, u_7], E_9[u_6, u_7], r_6[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (info_6 = info_6[ri_39, ri_40]) then + nonce_9: nonce_t <- get2(r_10[u_35, u_36]); + key_8: key_t <- get1(r_10[u_35, u_36]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, x_7, r_13, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + {464} find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + x_2: bitstring <- cst_bitstring; + {488} find [unique] suchthat defined(info_6[u_16], r_7[u_16]) && (info_6 = info_6[u_16]) then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_16[ri_33, ri_34]) && (u_16[ri_33, ri_34] = u_16) && (ri_34 = i) && (info_6 = info_6[ri_33, ri_34]) then + nonce_9: nonce_t <- get2(r_8[u_31, u_32]); + key_8: key_t <- get1(r_8[u_31, u_32]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, x_6, r_12, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + {731} find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (info_6 = info_6[ri_37, ri_38]) then + nonce_9: nonce_t <- get2(r_9[u_33, u_34]); + key_8: key_t <- get1(r_9[u_33, u_34]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, r_11) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else +{1059} find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; +{1079} find [unique] suchthat defined(info_5[u_4, i'_1], E_9[u_4, i'_1], r_6[u_4, i'_1]) && (info_star = info_5[u_4, i'_1]) then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else +{1185} find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; +{1205} find [unique] suchthat defined(info_6[u_9, i''_1], r_7[u_9, i''_1]) && (info_star = info_6[u_9, i''_1]) then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_16[ri_21, ri_22]) && (u_16[ri_21, ri_22] = u_9) && (ri_22 = i''_1) && (info_star = info_6[ri_21, ri_22]) then + nonce_12: nonce_t <- get2(r_8[u_25, u_26]); + key_10: key_t <- get1(r_8[u_25, u_26]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - In branch 2 of find at 1205, substituting u_26 with i''_1 + - Replaced defined condition info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_16[ri_21, ri_22] with r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1] in find at 1205 + - Replaced defined condition info_6[u_9, i''_1], r_7[u_9, i''_1] with an empty condition in find at 1205 + - Replaced defined condition r_7[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1] with r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1] in find at 1185 + - Replaced defined condition info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] with r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] in find at 1079 + - Replaced defined condition info_5[u_4, i'_1], E_9[u_4, i'_1], r_6[u_4, i'_1] with an empty condition in find at 1079 + - Replaced defined condition ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1] with r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 1059 + - Replaced defined condition info_star, r_11 with an empty condition in find at 731 + - In branch 1 of find at 731, substituting u_34 with i + - Replaced defined condition info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38] with r_9[ri_37], info_6[ri_37] in find at 731 + - Replaced defined condition r_11, enc_star, i''_1, pk_S with r_11, info_star, enc_star, i''_1, pk_S in find at 464 + - Replaced defined condition info_star, x_6, r_12, i''_1, u_9 with r_12, info_star, i''_1, u_9 in find at 488 + - In branch 2 of find at 488, substituting u_32 with i + - Replaced defined condition info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_16[ri_33, ri_34] with r_8[ri_33], info_6[ri_33], u_16[ri_33] in find at 488 + - Replaced defined condition info_6[u_16], r_7[u_16] with an empty condition in find at 488 + - Replaced defined condition r_7[ri_12], enc_7[ri_12], pk_3[ri_12] with r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12] in find at 464 + - Replaced defined condition info_star, x_7, r_13, i'_1, u_4 with r_13, info_star, i'_1, u_4 in find at 214 + - In branch 2 of find at 214, substituting u_36 with i + - Replaced defined condition info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40] with r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39] in find at 214 + - Replaced defined condition info_5[u_6, u_7], E_9[u_6, u_7], r_6[u_6, u_7] with an empty condition in find at 214 + - Replaced defined condition ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3] with r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3] in find at 182 +yields + +Game 32 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + x_2: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && {530}((u_16[ri_33] = u_16) && (i = i) && (info_6 = info_6[ri_33])) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && {1205}((u_16[ri_21, i''_1] = u_9) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((u_16[ri_21, i''_1] = u_9) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) with ((u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1])) at 1205 + - Replaced ((u_16[ri_33] = u_16) && (i = i) && (info_6 = info_6[ri_33])) with ((u_16[ri_33] = u_16) && (info_6 = info_6[ri_33])) at 530 +yields + +Game 33 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + x_2: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to x_6 + - Move assignment to x_7 + - Move assignment to x_2 + - Move assignment to x_3 + - Move assignment to x_4 +yields + +Game 34 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_26 (definition removed, all usages removed) + - Remove assignments on u_32 (definition removed, all usages removed) + - Remove assignments on u_34 (definition removed, all usages removed) + - Remove assignments on u_36 (definition removed, all usages removed) + - Remove assignments on k'_1 (definition removed, all usages removed) + - Remove assignments on k'_1 (definition removed, all usages removed) +yields + +Game 35 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_11 -> r +yields + +Game 36 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_12 -> r +yields + +Game 37 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_13 -> r +yields + +Game 38 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- get2(r_7[u_16]); + key_8: key_t <- get1(r_7[u_16]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_9, i''_1]); + key_10: key_t <- get1(r_7[u_9, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 39 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- part2_3[u_16]; + key_8: key_t <- part1_3[u_16]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- part2_3[u_9, i''_1]; + key_10: key_t <- part1_3[u_9, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_9 -> r +yields + +Game 40 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- part2_3[u_16]; + key_8: key_t <- part1_3[u_16]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- part2_3[u_9, i''_1]; + key_10: key_t <- part1_3[u_9, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_8 -> r +yields + +Game 41 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- part2_3[u_16]; + key_8: key_t <- part1_3[u_16]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- part2_3[u_9, i''_1]; + key_10: key_t <- part1_3[u_9, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_10 -> r +yields + +Game 42 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- part2_6[u_35]; + key_8: key_t <- part1_6[u_35]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + r_10: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_6; + key_8: key_t <- part1_6; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- part2_3[u_16]; + key_8: key_t <- part1_3[u_16]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- part2_6[u_27, u_28]; + key_10: key_t <- part1_6[u_27, u_28]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- part2_3[u_9, i''_1]; + key_10: key_t <- part1_3[u_9, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 43 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_6: nonce_t <- part2_7; + key_6: key_t <- part1_7; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- part2_7[u_6, u_7]; + key_8: key_t <- part1_7[u_6, u_7]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- part2_6[u_35]; + key_8: key_t <- part1_6[u_35]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + r_10: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_6; + key_8: key_t <- part1_6; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], r_7[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + nonce_9: nonce_t <- part2_3[u_16]; + key_8: key_t <- part1_3[u_16]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- part2_7[u_4, i'_1]; + key_10: key_t <- part1_7[u_4, i'_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- part2_6[u_27, u_28]; + key_10: key_t <- part1_6[u_27, u_28]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], r_7[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + nonce_12: nonce_t <- part2_3[u_9, i''_1]; + key_10: key_t <- part1_3[u_9, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_11 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_12 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_13 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_9 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_10 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_6 (definition removed, all usages removed) + - Remove assignments on key_6 (definition removed, all usages removed) +yields + +Game 44 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_7[u_6, u_7], part2_7[u_6, u_7]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6[u_35], part2_6[u_35]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_2, part2_2) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6, part2_6) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part2_3[ri_12], part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3[u_16], part2_3[u_16]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5[u_31], part2_5[u_31]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5, part2_5) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1, part2) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3, part2_3) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_7[u_4, i'_1], part2_7[u_4, i'_1]) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_6[u_27, u_28], part2_6[u_27, u_28]) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_2, part2_2) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part2_3[ri_5, i''_1], part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_3[u_9, i''_1], part2_3[u_9, i''_1]) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_5[u_25, i''_1], part2_5[u_25, i''_1]) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_1, part2_1) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1, part2) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1, part1_1, part1_5, part1_3, part1_2, part1_6, part1_7 [probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2_2 -> n, part2_6 -> n, part2 -> n, part2_1 -> n, part2_5 -> n, part2_3 -> n, part2_7 -> n, part1_7 -> k_1, part1_6 -> k_1, part1_2 -> k_1, part1_3 -> k_1, part1_5 -> k_1, part1_1 -> k_1, part1 -> k_1 +yields + +Game 45 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; {334}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; {375}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; {401}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; {459}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; {504}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; {543}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; {569}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; {658}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; {733}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; {963}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; {977}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; {1015}find else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; {1044}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; {1058}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; {1079}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Find at 334 removed (else branch kept if any) + - Find at 375 removed (else branch kept if any) + - Find at 401 removed (else branch kept if any) + - Find at 459 removed (else branch kept if any) + - Find at 504 removed (else branch kept if any) + - Find at 543 removed (else branch kept if any) + - Find at 569 removed (else branch kept if any) + - Find at 658 removed (else branch kept if any) + - Find at 733 removed (else branch kept if any) + - Find at 963 removed (else branch kept if any) + - Find at 977 removed (else branch kept if any) + - Find at 1015 removed (else branch kept if any) + - Find at 1044 removed (else branch kept if any) + - Find at 1058 removed (else branch kept if any) + - Find at 1079 removed (else branch kept if any) +yields + +Game 46 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + {221} let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + {325} let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + {365} let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + {390} let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + {447} let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + {491} let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + {529} let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + {554} let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + {642} let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + {716} let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + {891} let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + {949} let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + {962} let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + {999} let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then +{1027} let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; +{1040} let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; +{1060} let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Remove let at 1060 + - Remove let at 1040 + - Remove let at 1027 + - Remove let at 999 + - Remove let at 962 + - Remove let at 949 + - Remove let at 891 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 891 + - Remove else branch of let at 891 + - Remove let at 716 + - Remove let at 642 + - Remove let at 554 + - Remove let at 529 + - Remove let at 491 + - Remove let at 447 + - Remove let at 390 + - Remove let at 365 + - Remove let at 325 + - Remove let at 221 + - Simplify pattern injbot(pt_6: bitstring) (tuple expanded) at 221 + - Remove else branch of let at 221 +yields + +Game 47 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + x_8: bitstring <- m; + d: bitstring <- aad_8; + r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + y_7: bitstring <- c; + c_d_7: bitstring <- aad_9; + if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then + pt_6: bitstring <- x_8[u_6, u_7]; + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + y_8: bitstring <- c; + c_d_8: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + y_9: bitstring <- c; + c_d_9: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + y_6: bitstring <- c; + c_d_6: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + y_2: bitstring <- c; + c_d_2: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + y_3: bitstring <- c; + c_d_3: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + y_4: bitstring <- c; + c_d_4: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + y_1: bitstring <- c; + c_d_1: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + y_5: bitstring <- c; + c_d_5: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + y: bitstring <- c; + c_d: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + y_15: bitstring <- ciph_star; + c_d_15: bitstring <- aad_star; + if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then + pt_7: bitstring <- x_8[u_4, i'_1]; + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + y_16: bitstring <- ciph_star; + c_d_16: bitstring <- aad_star; + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + y_14: bitstring <- ciph_star; + c_d_14: bitstring <- aad_star; + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + y_12: bitstring <- ciph_star; + c_d_12: bitstring <- aad_star; + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + y_13: bitstring <- ciph_star; + c_d_13: bitstring <- aad_star; + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + y_11: bitstring <- ciph_star; + c_d_11: bitstring <- aad_star; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + y_10: bitstring <- ciph_star; + c_d_10: bitstring <- aad_star; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on y_10 (definition removed, all usages removed) + - Remove assignments on c_d_10 (definition removed, all usages removed) + - Remove assignments on y_11 (definition removed, all usages removed) + - Remove assignments on c_d_11 (definition removed, all usages removed) + - Remove assignments on y_12 (definition removed, all usages removed) + - Remove assignments on c_d_12 (definition removed, all usages removed) + - Remove assignments on y_13 (definition removed, all usages removed) + - Remove assignments on c_d_13 (definition removed, all usages removed) + - Remove assignments on y_14 (definition removed, all usages removed) + - Remove assignments on c_d_14 (definition removed, all usages removed) + - Remove assignments on y_15 (definition removed, all usages removed) + - Remove assignments on c_d_15 (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) + - Remove assignments on y_16 (definition removed, all usages removed) + - Remove assignments on c_d_16 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on y_1 (definition removed, all usages removed) + - Remove assignments on c_d_1 (definition removed, all usages removed) + - Remove assignments on y_2 (definition removed, all usages removed) + - Remove assignments on c_d_2 (definition removed, all usages removed) + - Remove assignments on y_3 (definition removed, all usages removed) + - Remove assignments on c_d_3 (definition removed, all usages removed) + - Remove assignments on y_4 (definition removed, all usages removed) + - Remove assignments on c_d_4 (definition removed, all usages removed) + - Remove assignments on y_5 (definition removed, all usages removed) + - Remove assignments on c_d_5 (definition removed, all usages removed) + - Remove assignments on y_6 (definition removed, all usages removed) + - Remove assignments on c_d_6 (definition removed, all usages removed) + - Remove assignments on y_7 (definition removed, all usages removed) + - Remove assignments on c_d_7 (definition removed, all usages removed) + - Remove assignments on pt_6 (definition removed, all usages removed) + - Remove assignments on y_8 (definition removed, all usages removed) + - Remove assignments on c_d_8 (definition removed, all usages removed) + - Remove assignments on y_9 (definition removed, all usages removed) + - Remove assignments on c_d_9 (definition removed, all usages removed) + - Remove assignments on x_8 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_8 (definition kept, array references kept) +yields + +Game 48 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + {202} find [unique] suchthat info_6 = info_5[u_6, u_7] then + {214} if defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + {429} part2_5 <-R nonce_t; + {430} part1_5 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + {555} part2_3 <-R nonce_t; + {556} part1_3 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + {708} find [unique] suchthat info_star = info_5[u_4, i'_1] then + {714} if defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star) then + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + {825} part2_1 <-R nonce_t; + {826} part1_1 <-R key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + {838} part2 <-R nonce_t; + {839} part1 <-R key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Transform unused random number generation at 839 into constant assignment + - Remove random number generation at 838 + - Transform unused random number generation at 826 into constant assignment + - Remove random number generation at 825 + - Simplified find at 714 in branch of find at 708 + - Transform unused random number generation at 556 into constant assignment + - Remove random number generation at 555 + - Transform unused random number generation at 430 into constant assignment + - Remove random number generation at 429 + - Simplified find at 214 in branch of find at 202 +yields + +Game 49 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {170} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + {202} find [unique] suchthat defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + {332} if info_6 = info_5[u_6, u_7] then + return(OpenAuth_Some(Context_Open_None)) + else + {349} part2_6 <-R nonce_t; + {350} part1_6 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + part1_5: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part1_3: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + {722} find [unique] suchthat defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && {731}((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) then + event_abort adv_wins + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + return(bottom) + else + {778} if info_star = info_5[u_4, i'_1] then + return(bottom) + else + {788} part2_2 <-R nonce_t; + {789} part1_2 <-R key_t; + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + part1_1: key_t <- cst_key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part1: key_t <- cst_key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Transformed find at 778 into a test + - Transform unused random number generation at 789 into constant assignment + - Remove random number generation at 788 + - Replaced ((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) with false at 731 + - Remove branch 1 in find at 722 + - Transformed find at 332 into a test + - Transform unused random number generation at 350 into constant assignment + - Remove random number generation at 349 + - Replaced defined condition m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7] with an empty condition in find at 202 + - Replaced defined condition part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3] with m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3] in find at 170 +yields + +Game 50 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + E_9: pkey_t <- pkgen(s); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], u_8[ri_2, ri_3], E_9[ri_2, ri_3]) && (E_9[ri_2, ri_3] = pk_3) && (u_8[ri_2, ri_3] = i) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + if info_6 = info_5[u_6, u_7] then + return(OpenAuth_Some(Context_Open_None)) + else + part1_6: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_16 = ri_12 <= Qdperuser suchthat defined(part1_3[ri_12], info_6[ri_12], enc_7[ri_12], pk_3[ri_12]) && (pk_3[ri_12] = pk_3) && (enc_7[ri_12] = enc_7) then + find [unique] suchthat info_6 = info_6[u_16] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_16[ri_33]) && (u_16[ri_33] = u_16) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_9) && (u_9 = u_16) && (i''_1 = i) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + part1_5: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, i''_1, pk_S) && (pk_S = pk_3) && (i''_1 = i) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part1_3: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (u_8[ri, i'_1] = i''_1) && (ce_2[ri, i'_1] = enc_star) then + find [unique] u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + return(bottom) + else + if info_star = info_5[u_4, i'_1] then + return(bottom) + else + part1_2: key_t <- cst_key_t; + return(bottom) + else + find u_9 = ri_5 <= Qdperuser suchthat defined(part1_3[ri_5, i''_1], info_6[ri_5, i''_1], enc_7[ri_5, i''_1], u_22[ri_5, i''_1]) && (u_22[ri_5, i''_1] = i'_1) && (enc_7[ri_5, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_9, i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_16[ri_21, i''_1]) && (u_16[ri_21, i''_1] = u_9) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + part1_1: key_t <- cst_key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part1: key_t <- cst_key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Proved event(adv_wins) ==> false in game 50 +Adv[Game 1: event(adv_wins) ==> false] <= Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) + Adv[Game 50: event(adv_wins) ==> false] +Adv[Game 50: event(adv_wins) ==> false] <= 0 +RESULT Proved event(adv_wins) ==> false up to probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) +RESULT time_1 = time + time(context for game 10) = #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_6)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_9)) + #Oadec * time(let injbot, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 10: ct_8), maxlength(game 10: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 10: aad_8), maxlength(game 10: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 10: info_5), maxlength(game 10: info_star)) + time(KeySchedule_auth, maxlength(game 10: info_star)) + time(Open_inner, maxlength(game 10: ciph_star), maxlength(game 10: aad_star)) + time(let injbot, maxlength(game 10: pt_7)) + time +RESULT time_2 = time + time(context for game 17) = 2 * #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 17: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 17: m), maxlength(game 17: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 17: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 17: info_6)) + #Oadec * time(Open_inner, maxlength(game 17: c), maxlength(game 17: aad_9)) + #Oadec * time(let injbot, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 17: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 17: ct_8), maxlength(game 17: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 17: aad_8), maxlength(game 17: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 17: info_5), maxlength(game 17: info_star)) + time(KeySchedule_auth, maxlength(game 17: info_star)) + time(Open_inner, maxlength(game 17: ciph_star), maxlength(game 17: aad_star)) + time(let injbot, maxlength(game 17: pt_7)) + time +RESULT time_3 = time + time(context for game 27) = (N + #Oaenc * N + #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 27: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 27: m), maxlength(game 27: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 27: ct_8)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 27: info_6)) + #Oadec * time(Open_inner, maxlength(game 27: c), maxlength(game 27: aad_9)) + #Oadec * time(let injbot, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 27: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 27: ct_8), maxlength(game 27: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 27: aad_8), maxlength(game 27: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 27: info_5), maxlength(game 27: info_star)) + time(Open_inner, maxlength(game 27: ciph_star), maxlength(game 27: aad_star)) + time(let injbot, maxlength(game 27: pt_7)) + time +RESULT time_4 = time + time(context for game 44) = (N + #Oaenc * N + #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 44: info_5)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 44: m), maxlength(game 44: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 44: ct_8)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_5)) + (#Oadec + #Oadec * Qdperuser) * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_6)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_star)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 44: info_6)) + #Oadec * time(Open_inner, maxlength(game 44: c), maxlength(game 44: aad_9)) + #Oadec * time(let injbot, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 44: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 44: ct_8), maxlength(game 44: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 44: aad_8), maxlength(game 44: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 44: info_5), maxlength(game 44: info_star)) + time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_5)) + (#Oadec + 1 + Qdperuser) * time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_6)) + time(let injbot, maxlength(game 44: pt_7)) + time +All queries proved. diff --git a/hpke.auth.outsider-cca.m4.ocv b/hpke.auth.outsider-cca.m4.ocv index d9b5c01..39e9eb2 100644 --- a/hpke.auth.outsider-cca.m4.ocv +++ b/hpke.auth.outsider-cca.m4.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -31,9 +43,10 @@ proba P_pk_coll. proba Adv_Outsider_CCA. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA). -include(`common.hpke.ocv') +include(`common.hpke.ocvl') (* Define a function for choosing from two attacker-provided plaintexts based on a bit. Also, defines some equations on it so CryptoVerif is able @@ -73,13 +86,13 @@ process Ostart() := b <-R bool; return(); (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() - (* will be available for each keypair. *) + the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() + will be available for each keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); ( @@ -111,8 +124,8 @@ process insert E(the_pk, pk, enc_star, c_star, aad, info); return((enc_star, c_star)) (* SealAuth does not fail, but CryptoVerif's language - (* requires we indicate the else branch. It will be - (* removed with the eliminate_failing step. *) + requires we indicate the else branch. It will be + removed with the eliminate_failing step. *) ) else return(bottom) ) else return(bottom) (* ends the condition on m0 and m1 lengths *) ) else return(bottom) (* ends the find inside Ochall() *) @@ -121,3 +134,8 @@ process ) (* This ends the block of oracles that are defined for each keypair *) ) (* This ends the definition of the Osetup() oracle and its nested oracles *) + +(* EXPECTED FILENAME: examples/hpke/hpke.auth.outsider-cca.m4.ocv TAG: 1 +All queries proved. +0.508s (user 0.500s + system 0.008s), max rss 27368K +END *) diff --git a/hpke.auth.outsider-cca.ocv b/hpke.auth.outsider-cca.ocv index 4021ddb..1ca402c 100644 --- a/hpke.auth.outsider-cca.ocv +++ b/hpke.auth.outsider-cca.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + proof { out_game "g00.out.cv"; remove_assign binder the_sk; @@ -31,8 +43,20 @@ proba P_pk_coll. proba Adv_Outsider_CCA. fun kemkey2bitstr(kemkey_t): bitstring [data]. fun kemciph2bitstr(kemciph_t): bitstring [data]. -expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA). +expand Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed_t, pkey_t, skey_t, kemseed_t, AuthEncap_res_t, AuthDecap_res_t, kemkey_t, kemciph_t, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key, AuthEncap_enc, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA). +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) type key_t [large,fixed]. @@ -83,9 +107,9 @@ expand multikey_AEAD( Seal_inner, Open_inner, injbot, (* injection from plaintext to bitstringbot: - (* injbot(plaintext): bitstringbot *) - Length, (* returns a plaintext of same length, consisting of zeros: - (* Length(plaintext): plaintext *) + injbot(plaintext): bitstringbot *) + Length, (* returns a plaintext of same length, consisting of zeros: + Length(plaintext): plaintext *) (* probabilities *) Adv_cpa, Adv_ctxt @@ -259,13 +283,13 @@ process Ostart() := b <-R bool; return(); (* The adversary can generate up to N honest keypairs/users by calling - (* the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() - (* will be available for each keypair. *) + the Osetup() oracle. The nested oracles Oaenc(), Oadec(), Ochall() + will be available for each keypair. *) (foreach i <= N do Osetup() := let (the_sk: skey_t, the_pk: pkey_t) = GenerateKeyPair() in (* The public key of each honest keypair is made available - (* to the adversary. *) + to the adversary. *) return(the_pk); ( @@ -297,8 +321,8 @@ process insert E(the_pk, pk, enc_star, c_star, aad, info); return((enc_star, c_star)) (* SealAuth does not fail, but CryptoVerif's language - (* requires we indicate the else branch. It will be - (* removed with the eliminate_failing step. *) + requires we indicate the else branch. It will be + removed with the eliminate_failing step. *) ) else return(bottom) ) else return(bottom) (* ends the condition on m0 and m1 lengths *) ) else return(bottom) (* ends the find inside Ochall() *) @@ -307,3 +331,8 @@ process ) (* This ends the block of oracles that are defined for each keypair *) ) (* This ends the definition of the Osetup() oracle and its nested oracles *) + +(* EXPECTED FILENAME: examples/hpke/hpke.auth.outsider-cca.m4.ocv TAG: 1 +All queries proved. +0.508s (user 0.500s + system 0.008s), max rss 27368K +END *) diff --git a/hpke.auth.outsider-cca.proof b/hpke.auth.outsider-cca.proof index 014ab24..c3a8c72 100644 --- a/hpke.auth.outsider-cca.proof +++ b/hpke.auth.outsider-cca.proof @@ -1,3857 +1,3999 @@ -Initial state -Game 1 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - insert E(the_pk, pk_5, enc_star, c_star, aad_11, info_8); - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert and prove unique annotations - - Expand get/insert for table E -yields - -Game 2 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then -{297} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); {307}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in {319}let KeySchedule_Some(ctx_10: context_t) = {320}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {357}let Context_Seal_Some(ct_10: bitstring) = {358}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_5; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 - - Remove let at 297 - - Remove let at 307 - - Remove let at 297 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 320 - - Remove else branch of let at 320 - - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 319 - - Remove else branch of let at 319 - - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 307 - - Remove else branch of let at 307 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 358 - - Remove else branch of let at 358 - - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 357 - - Remove else branch of let at 357 - - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 297 - - Remove else branch of let at 297 - - Remove let at 194 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 - - Remove else branch of let at 206 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 - - Remove else branch of let at 205 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 - - Remove else branch of let at 194 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 - - Remove else branch of let at 241 - - Remove let at 29 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 - - Remove else branch of let at 42 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 - - Remove else branch of let at 41 - - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 - - Remove else branch of let at 29 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 - - Remove else branch of let at 80 - - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 - - Remove else branch of let at 79 -yields - -Game 3 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_6: kemciph_t <- enc_5; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); - ct_8: bitstring <- ct_7; - return(SealAuth_Some(enc_6, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - info_hash: bitstring <- info_7; - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - enc_9: kemciph_t <- enc_8; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); - ct_10: bitstring <- ct_9; - c_star: bitstring <- ct_10; - enc_star: kemciph_t <- enc_9; - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_5; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on enc_9 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on c_star (definition removed, all usages removed) - - Remove assignments on enc_star (definition removed, all usages removed) - - Remove assignments on E_1 (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - Remove assignments on nonce_10 (definition removed, all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_8 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3]) && {116}((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {302}xor(nonce_12, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 302 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 - - Replaced ((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 - - Replaced defined condition the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3] in find at 104 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 -yields - -Game 5 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pt_8 - - Move assignment to seq_4 -yields - -Game 6 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on seq_5 (definition removed, all usages removed) - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) -yields - -Game 7 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 9 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec)] - - Equivalence outsider_cca(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 -yields - -Game 10 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - {22} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k_2, pk_R, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{182} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then AuthDecap_Some(k'_1[u_7, u_8]) orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then AuthDecap_Some(k'_3[u_5, u_6]) else AuthDecap(cd, skgen(s), pk_S)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; -{359} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (pk_R_1: pkey_t <- pk_5; {364}find u_4 = ri <= N suchthat defined(s[ri]) && (pk_R_1 = pkgen(s[ri])) then let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in k'_2: kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_3, ce_1) else AuthEncap_None else AuthEncap_r(k_3, pk_R_1, skgen(s))) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N^2 * P_pk_coll] - - Expand if/find/let - - Remove else branch of find at 364 - - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 359 - - Remove else branch of let at 359 - - A single branch always succeeds in find at 364 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 - - Remove else branch of let at 182 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 - - Remove else branch of let at 182 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 22 - - Remove else branch of let at 22 -yields - -Game 11 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - pk_R: pkey_t <- pk_3; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_5: kemciph_t <- ce; - shared_secret_3: kemkey_t <- k'_1; - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - pk_S: pkey_t <- pk_4; - cd: kemciph_t <- enc_7; - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then - shared_secret_4: kemkey_t <- k'_1[u_7, u_8]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then - shared_secret_4: kemkey_t <- k'_3[u_5, u_6]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - pk_R_1: pkey_t <- pk_5; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - shared_secret_5: kemkey_t <- k'_3; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pk_R_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition kept, array references kept) - - Remove assignments on pk_S (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R (definition removed, all usages removed) - - Remove assignments on enc_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) -yields - -Game 12 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{269} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(pk_3[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && {279}((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(pk_5[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && {363}((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N^2 * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) with ((i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) at 363 - - Replaced defined condition pk_5[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2] with k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 269 - - Replaced ((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) with ((i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) at 279 - - Replaced defined condition pk_3[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4] with k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4] in find at 269 -yields - -Game 13 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_3 - - Move random number generation k'_1 - - Move random number generation k_2 -yields - -Game 14 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Rename variable k_2 into k_7, k_6 -yields - -Game 15 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_7, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_6 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_6, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 16 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - {30} let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = (k_9: kemseed_t <- k_7; pk_7: pkey_t <- pk_3; sk_3: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_9, pk_7, sk_3), AuthEncap_enc(k_9, pk_7, sk_3))) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_6 <-R kemseed_t; -{169} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_8, pk_6, sk_2), AuthEncap_enc(k_8, pk_6, sk_2))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; -{568} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_10: kemseed_t <- k_3; pk_8: pkey_t <- pk_5; sk_4: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_10, pk_8, sk_4), AuthEncap_enc(k_10, pk_8, sk_4))) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 568 - - Remove else branch of let at 568 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 169 - - Remove else branch of let at 169 - - Simplify pattern AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) (tuple expanded) at 30 - - Remove else branch of let at 30 -yields - -Game 17 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - k_9: kemseed_t <- k_7; - pk_7: pkey_t <- pk_3; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_9, pk_7, sk_3); - k_4: kemkey_t <- AuthEncap_key(k_9, pk_7, sk_3); - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - k_8: kemseed_t <- k_6; - pk_6: pkey_t <- pk_3; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_8, pk_6, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_8, pk_6, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k_10: kemseed_t <- k_3; - pk_8: pkey_t <- pk_5; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_10, pk_8, sk_4); - k_5: kemkey_t <- AuthEncap_key(k_10, pk_8, sk_4); - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_10 (definition removed, all usages removed) - - Remove assignments on pk_8 (definition removed, all usages removed) - - Remove assignments on k_5 (definition removed, all usages removed) - - Remove assignments on k'_2 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition removed, all usages removed) - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on pk_6 (definition removed, all usages removed) - - Remove assignments on k_9 (definition removed, all usages removed) - - Remove assignments on pk_7 (definition removed, all usages removed) - - Remove assignments on k_4 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) -yields - -Game 18 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying SA rename k'_1 - - Rename variable k'_1 into k'_5, k'_4 -yields - -Game 19 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); -{153} k'_5 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Remove random number generation at 153 -yields - -Game 20 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_3 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] - - Equivalence prf(KeySchedule_auth) with variables: k'_3 -> k_1 -yields - -Game 21 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {571}find [unique] u_10 = ri_8 <= Qdperuser, u_11 = ri_9 <= N suchthat defined(u_6[ri_8, ri_9], u_5[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && {580}((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) then r_6[u_10, u_11] else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced ((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) with false at 580 - - Remove branch 1 in find at 571 - - Find at 571 removed (else branch kept if any) -yields - -Game 22 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 23 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- info_7; - find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then - r_4: keys_t <- r_6[u_12, u_13]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then - r_4: keys_t <- r_7[u_5, u_6]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - r_4: keys_t <- r_6; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_8; - r_7 <-R keys_t; - r_5: keys_t <- r_7; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k'_3 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) -yields - -Game 24 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{235} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- cst_bitstring; -{344} find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (info_7 = info_7[ri_12, ri_13]) then - nonce_9: nonce_t <- get2(r_6[u_12, u_13]); - key_8: key_t <- get1(r_6[u_12, u_13]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6]) && (info_7 = info_8[u_5, u_6]) then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6] with an empty condition in find at 344 - - In branch 1 of find at 344, substituting u_13 with i - - Replaced defined condition info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13] with r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] in find at 344 - - Replaced defined condition ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] with r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 235 -yields - -Game 25 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- cst_bitstring; - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - u_13 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to x -yields - -Game 26 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - u_13 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_13 (definition removed, all usages removed) -yields - -Game 27 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 28 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- part2[u_5, u_6]; - key_8: key_t <- part1[u_5, u_6]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 29 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- part2_1[u_12]; - key_8: key_t <- part1_1[u_12]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- part2[u_5, u_6]; - key_8: key_t <- part1[u_5, u_6]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) -yields - -Game 30 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_5, u_6], part2[u_5, u_6]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] - - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 31 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then -{422} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then injbot(x_2[u_5, u_6]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove let at 422 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 422 - - Remove else branch of let at 422 -yields - -Game 32 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - y: bitstring <- c; - c_d: bitstring <- aad_10; - if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then - pt_7: bitstring <- x_2[u_5, u_6]; - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - x_2: bitstring <- pt_8; - d: bitstring <- aad_11; - r_8: bitstring <- Seal_inner(x_2, d, part1, part2); - ct_9: bitstring <- r_8; - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_2 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) -yields - -Game 33 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then -{346} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then -{422} if defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Simplified find at 422 in branch of find at 346 -yields - -Game 34 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then -{346} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && {429}((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) - else -{476} if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Transformed find at 476 into a test - - Replaced ((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) with false at 429 - - Remove branch 2 in find at 346 -yields - -Game 35 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] - - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 36 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 37 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - x_3: bitstring <- pt_8; - d_1: bitstring <- aad_11; - r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); - r_8: bitstring <- r_9; - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on part1 (definition removed, all usages removed) - - Remove assignments on x_3 (definition removed, all usages removed) - - Remove assignments on d_1 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) -yields - -Game 38 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- {571}enc'(Length(pt_8), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 571 -yields - -Game 39 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pt_8 (definition removed, all usages removed) -yields - -Game 40 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Proved secrecy of b in game 40 -Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 40: secrecy of b] -Adv[Game 40: secrecy of b] <= 0 -RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll -RESULT time_1 = time + time(context for game 9) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 9: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 9: m), maxlength(game 9: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 9: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: ct_9), maxlength(game 9: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: aad_11), maxlength(game 9: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: info_8), maxlength(game 9: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 9: info_7)) + #Oadec * time(Open_inner, maxlength(game 9: c), maxlength(game 9: aad_10)) + #Oadec * time(let injbot, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 9: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 9: m0)), length(Length, maxlength(game 9: m1))) + #Ochall * time(Length, maxlength(game 9: m1)) + #Ochall * time(Length, maxlength(game 9: m0)) + #Ochall * time(KeySchedule_auth, maxlength(game 9: info_8)) + #Ochall * time(test, maxlength(game 9: m0), maxlength(game 9: m1)) + #Ochall * time(Seal_inner, maxlength(game 9: pt_8), maxlength(game 9: aad_11)) + time -RESULT time_2 = time + time(context for game 20) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 20: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 20: m), maxlength(game 20: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 20: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: ct_9), maxlength(game 20: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: aad_11), maxlength(game 20: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: info_8), maxlength(game 20: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 20: info_7)) + #Oadec * time(Open_inner, maxlength(game 20: c), maxlength(game 20: aad_10)) + #Oadec * time(let injbot, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 20: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 20: m0)), length(Length, maxlength(game 20: m1))) + #Ochall * time(Length, maxlength(game 20: m1)) + #Ochall * time(Length, maxlength(game 20: m0)) + #Ochall * time(test, maxlength(game 20: m0), maxlength(game 20: m1)) + #Ochall * time(Seal_inner, maxlength(game 20: pt_8), maxlength(game 20: aad_11)) + time -RESULT time_3 = time + time(context for game 30) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 30: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 30: m), maxlength(game 30: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 30: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: ct_9), maxlength(game 30: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: aad_11), maxlength(game 30: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: info_8), maxlength(game 30: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 30: info_7), maxlength(game 30: info_7)) + #Oadec * time(= bitstring, maxlength(game 30: info_7), maxlength(game 30: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 30: info_7)) + #Oadec * time(Open_inner, maxlength(game 30: c), maxlength(game 30: aad_10)) + #Oadec * time(let injbot, maxlength(game 30: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 30: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 30: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 30: m0)), length(Length, maxlength(game 30: m1))) + #Ochall * time(Length, maxlength(game 30: m1)) + #Ochall * time(Length, maxlength(game 30: m0)) + #Ochall * time(test, maxlength(game 30: m0), maxlength(game 30: m1)) + time -RESULT time_4 = time + time(context for game 35) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 35: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 35: m), maxlength(game 35: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 35: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: r_8), maxlength(game 35: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: aad_11), maxlength(game 35: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: info_8), maxlength(game 35: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 35: info_7), maxlength(game 35: info_7)) + #Oadec * time(= bitstring, maxlength(game 35: info_7), maxlength(game 35: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 35: info_7)) + #Oadec * time(Open_inner, maxlength(game 35: c), maxlength(game 35: aad_10)) + #Oadec * time(let injbot, maxlength(game 35: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 35: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 35: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 35: m0)), length(Length, maxlength(game 35: m1))) + #Ochall * time(Length, maxlength(game 35: m1)) + #Ochall * time(Length, maxlength(game 35: m0)) + #Ochall * time(test, maxlength(game 35: m0), maxlength(game 35: m1)) + time -All queries proved. +Initial state +Game 1 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + insert E(the_pk, pk_5, enc_star, c_star, aad_11, info_8); + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3]) && (E_2[u_2, u_3] = pk_4) && (E_3[u_2, u_3] = the_pk) && (E_4[u_2, u_3] = enc_7) && (E_5[u_2, u_3] = c) && (E_6[u_2, u_3] = aad_10) && (E_7[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then +{297} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); {307}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in {319}let KeySchedule_Some(ctx_10: context_t) = {320}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {357}let Context_Seal_Some(ct_10: bitstring) = {358}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + E_2: pkey_t <- the_pk; + E_3: pkey_t <- pk_5; + E_4: kemciph_t <- enc_star; + E_5: bitstring <- c_star; + E_6: bitstring <- aad_11; + E_7: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 + - Remove let at 297 + - Remove let at 307 + - Remove let at 297 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 320 + - Remove else branch of let at 320 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 319 + - Remove else branch of let at 319 + - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 307 + - Remove else branch of let at 307 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 358 + - Remove else branch of let at 358 + - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 357 + - Remove else branch of let at 357 + - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 297 + - Remove else branch of let at 297 + - Remove let at 194 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 + - Remove else branch of let at 206 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 + - Remove else branch of let at 205 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 + - Remove else branch of let at 194 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 + - Remove else branch of let at 241 + - Remove let at 29 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 + - Remove else branch of let at 42 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 + - Remove else branch of let at 41 + - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 + - Remove else branch of let at 29 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 + - Remove else branch of let at 80 + - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 + - Remove else branch of let at 79 +yields + +Game 3 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_6: kemciph_t <- enc_5; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); + ct_8: bitstring <- ct_7; + return(SealAuth_Some(enc_6, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3], E_7[u_2, u_3]) && (E_2[u_2, u_3] = pk_4) && (E_3[u_2, u_3] = the_pk) && (E_4[u_2, u_3] = enc_7) && (E_5[u_2, u_3] = c) && (E_6[u_2, u_3] = aad_10) && (E_7[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + info_hash: bitstring <- info_7; + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + enc_9: kemciph_t <- enc_8; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); + ct_10: bitstring <- ct_9; + c_star: bitstring <- ct_10; + enc_star: kemciph_t <- enc_9; + E_2: pkey_t <- the_pk; + E_3: pkey_t <- pk_5; + E_4: kemciph_t <- enc_star; + E_5: bitstring <- c_star; + E_6: bitstring <- aad_11; + E_7: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on ctx_11 (definition removed, all usages removed) + - Remove assignments on enc_9 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove assignments on c_star (definition removed, all usages removed) + - Remove assignments on enc_star (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on E_7 (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_8 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3]) && {116}((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- {302}xor(nonce_12, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, seq_5) with nonce_12 at 302 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 + - Replaced ((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 + - Replaced defined condition the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3] in find at 104 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 +yields + +Game 5 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pt_8 + - Move assignment to seq_4 +yields + +Game 6 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on seq_5 (definition removed, all usages removed) + - Remove assignments on nonce_14 (definition removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 7 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec)] + - Equivalence outsider_cca(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 +yields + +Game 10 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + {22} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in k': kemkey_t <- cst_kemkey_t; E_8: pkey_t <- pkgen(s); AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k_2, pk_R, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{186} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], pk_R[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_S) && (pk_R[ri_3, ri_4] = pkgen(s)) && (ce[ri_3, ri_4] = cd) then AuthDecap_Some(k'_1[u_7, u_8]) orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], pk_R_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_S) && (pk_R_1[ri_1, ri_2] = pkgen(s)) && (ce_1[ri_1, ri_2] = cd) then AuthDecap_Some(k'_3[u_5, u_6]) else AuthDecap(cd, skgen(s), pk_S)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; +{361} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (pk_R_1: pkey_t <- pk_5; {366}find u_4 = ri <= N suchthat defined(s[ri]) && (pk_R_1 = pkgen(s[ri])) then let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in k'_2: kemkey_t <- cst_kemkey_t; E_9: pkey_t <- pkgen(s); AuthEncap_tuple(k'_3, ce_1) else AuthEncap_None else AuthEncap_r(k_3, pk_R_1, skgen(s))) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Remove else branch of find at 366 + - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 361 + - Remove else branch of let at 361 + - A single branch always succeeds in find at 366 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 186 + - Remove else branch of let at 186 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 186 + - Remove else branch of let at 186 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 22 + - Remove else branch of let at 22 +yields + +Game 11 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + pk_R: pkey_t <- pk_3; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + E_8: pkey_t <- pkgen(s); + enc_5: kemciph_t <- ce; + shared_secret_3: kemkey_t <- k'_1; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + pk_S: pkey_t <- pk_4; + cd: kemciph_t <- enc_7; + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], pk_R[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_S) && (pk_R[ri_3, ri_4] = pkgen(s)) && (ce[ri_3, ri_4] = cd) then + shared_secret_4: kemkey_t <- k'_1[u_7, u_8]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], pk_R_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_S) && (pk_R_1[ri_1, ri_2] = pkgen(s)) && (ce_1[ri_1, ri_2] = cd) then + shared_secret_4: kemkey_t <- k'_3[u_5, u_6]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + pk_R_1: pkey_t <- pk_5; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + shared_secret_5: kemkey_t <- k'_3; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_R_1 (definition removed, all usages removed) + - Remove assignments on k'_2 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition kept, array references kept) + - Remove assignments on pk_S (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on enc_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) +yields + +Game 12 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + E_8: pkey_t <- pkgen(s); + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{271} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(pk_3[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], E_8[ri_3, ri_4]) && {280}((E_8[ri_3, ri_4] = pk_4) && (pk_3[ri_3, ri_4] = pkgen(s)) && (ce[ri_3, ri_4] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(pk_5[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], E_9[ri_1, ri_2]) && {363}((E_9[ri_1, ri_2] = pk_4) && (pk_5[ri_1, ri_2] = pkgen(s)) && (ce_1[ri_1, ri_2] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((E_9[ri_1, ri_2] = pk_4) && (pk_5[ri_1, ri_2] = pkgen(s)) && (ce_1[ri_1, ri_2] = enc_7)) with ((E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7)) at 363 + - Replaced defined condition pk_5[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], E_9[ri_1, ri_2] with k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2] in find at 271 + - Replaced ((E_8[ri_3, ri_4] = pk_4) && (pk_3[ri_3, ri_4] = pkgen(s)) && (ce[ri_3, ri_4] = enc_7)) with ((E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7)) at 280 + - Replaced defined condition pk_3[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], E_8[ri_3, ri_4] with k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4] in find at 271 +yields + +Game 13 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + E_8: pkey_t <- pkgen(s); + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_3 + - Move random number generation k'_1 + - Move random number generation k_2 +yields + +Game 14 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Rename variable k_2 into k_7, k_6 +yields + +Game 15 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_7, pk_3, skgen(s)) in + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_6 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_6, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 16 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + {30} let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = (k_9: kemseed_t <- k_7; pk_7: pkey_t <- pk_3; sk_3: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_9, pk_7, sk_3), AuthEncap_enc(k_9, pk_7, sk_3))) in + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_6 <-R kemseed_t; +{171} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_8, pk_6, sk_2), AuthEncap_enc(k_8, pk_6, sk_2))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; +{572} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_10: kemseed_t <- k_3; pk_8: pkey_t <- pk_5; sk_4: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_10, pk_8, sk_4), AuthEncap_enc(k_10, pk_8, sk_4))) in + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 572 + - Remove else branch of let at 572 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 171 + - Remove else branch of let at 171 + - Simplify pattern AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) (tuple expanded) at 30 + - Remove else branch of let at 30 +yields + +Game 17 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + k_9: kemseed_t <- k_7; + pk_7: pkey_t <- pk_3; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_9, pk_7, sk_3); + k_4: kemkey_t <- AuthEncap_key(k_9, pk_7, sk_3); + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + k_8: kemseed_t <- k_6; + pk_6: pkey_t <- pk_3; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_8, pk_6, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_8, pk_6, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k_10: kemseed_t <- k_3; + pk_8: pkey_t <- pk_5; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_10, pk_8, sk_4); + k_5: kemkey_t <- AuthEncap_key(k_10, pk_8, sk_4); + E_9: pkey_t <- pkgen(s); + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_10 (definition removed, all usages removed) + - Remove assignments on pk_8 (definition removed, all usages removed) + - Remove assignments on k_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition removed, all usages removed) + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on pk_6 (definition removed, all usages removed) + - Remove assignments on k_9 (definition removed, all usages removed) + - Remove assignments on pk_7 (definition removed, all usages removed) + - Remove assignments on k_4 (definition removed, all usages removed) +yields + +Game 18 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{180} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], E_9[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition ce_1[u_2, u_3], E_9[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] in find at 180 +yields + +Game 19 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying SA rename k'_1 + - Rename variable k'_1 into k'_5, k'_4 +yields + +Game 20 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); +{158} k'_5 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Remove random number generation at 158 +yields + +Game 21 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence prf(KeySchedule_auth) with k'_3 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] + - Equivalence prf(KeySchedule_auth) with variables: k'_3 -> k_1 +yields + +Game 22 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; {582}find [unique] u_10 = ri_8 <= Qdperuser, u_11 = ri_9 <= N suchthat defined(u_6[ri_8, ri_9], u_5[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && {591}((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) then r_6[u_10, u_11] else r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced ((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) with false at 591 + - Remove branch 1 in find at 582 + - Find at 582 removed (else branch kept if any) +yields + +Game 23 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 24 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- info_7; + find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then + r_4: keys_t <- r_6[u_12, u_13]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then + r_4: keys_t <- r_7[u_5, u_6]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + r_4: keys_t <- r_6; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + k'_3: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_8; + r_7 <-R keys_t; + r_5: keys_t <- r_7; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_3 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) +yields + +Game 25 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{240} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- cst_bitstring; +{351} find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (info_7 = info_7[ri_12, ri_13]) then + nonce_9: nonce_t <- get2(r_6[u_12, u_13]); + key_8: key_t <- get1(r_6[u_12, u_13]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_8[u_5, u_6], E_9[u_5, u_6], r_7[u_5, u_6]) && (info_7 = info_8[u_5, u_6]) then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition info_8[u_5, u_6], E_9[u_5, u_6], r_7[u_5, u_6] with an empty condition in find at 351 + - In branch 1 of find at 351, substituting u_13 with i + - Replaced defined condition info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13] with r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] in find at 351 + - Replaced defined condition ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2] with r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2] in find at 240 +yields + +Game 26 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- cst_bitstring; + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + u_13 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to x +yields + +Game 27 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + u_13 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_13 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 29 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- part2[u_5, u_6]; + key_8: key_t <- part1[u_5, u_6]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 30 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- part2_1[u_12]; + key_8: key_t <- part1_1[u_12]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- part2[u_5, u_6]; + key_8: key_t <- part1[u_5, u_6]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_5, u_6], part2[u_5, u_6]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 32 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then +{429} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then injbot(x_2[u_5, u_6]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 429 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 429 + - Remove else branch of let at 429 +yields + +Game 33 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + y: bitstring <- c; + c_d: bitstring <- aad_10; + if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then + pt_7: bitstring <- x_2[u_5, u_6]; + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + x_2: bitstring <- pt_8; + d: bitstring <- aad_11; + r_8: bitstring <- Seal_inner(x_2, d, part1, part2); + ct_9: bitstring <- r_8; + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_2 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then +{353} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then +{429} if defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Simplified find at 429 in branch of find at 353 +yields + +Game 35 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then +{353} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && {436}((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) + else +{483} if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Transformed find at 483 into a test + - Replaced ((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) with false at 436 + - Remove branch 2 in find at 353 +yields + +Game 36 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] + - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 37 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 38 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + x_3: bitstring <- pt_8; + d_1: bitstring <- aad_11; + r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); + r_8: bitstring <- r_9; + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on part1 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on d_1 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) +yields + +Game 39 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- {582}enc'(Length(pt_8), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 582 +yields + +Game 40 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pt_8 (definition removed, all usages removed) +yields + +Game 41 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + E_8: pkey_t <- pkgen(s); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], u_9[ri_3, ri_4], E_8[ri_3, ri_4]) && (E_8[ri_3, ri_4] = pk_4) && (u_9[ri_3, ri_4] = i) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], i'_1[ri_1, ri_2], E_9[ri_1, ri_2]) && (E_9[ri_1, ri_2] = pk_4) && (i'_1[ri_1, ri_2] = i) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + E_9: pkey_t <- pkgen(s); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Proved secrecy of b in game 41 +Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 41: secrecy of b] +Adv[Game 41: secrecy of b] <= 0 +RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll +RESULT time_1 = time + time(context for game 9) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 9: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 9: m), maxlength(game 9: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 9: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: ct_9), maxlength(game 9: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: aad_11), maxlength(game 9: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: info_8), maxlength(game 9: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 9: info_7)) + #Oadec * time(Open_inner, maxlength(game 9: c), maxlength(game 9: aad_10)) + #Oadec * time(let injbot, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 9: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 9: m0)), length(Length, maxlength(game 9: m1))) + #Ochall * time(Length, maxlength(game 9: m1)) + #Ochall * time(Length, maxlength(game 9: m0)) + #Ochall * time(KeySchedule_auth, maxlength(game 9: info_8)) + #Ochall * time(test, maxlength(game 9: m0), maxlength(game 9: m1)) + #Ochall * time(Seal_inner, maxlength(game 9: pt_8), maxlength(game 9: aad_11)) + time +RESULT time_2 = time + time(context for game 21) = (N + #Oaenc * N + #Oaenc + #Oadec * #Ochall + #Ochall * N + #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 21: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 21: m), maxlength(game 21: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 21: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: ct_9), maxlength(game 21: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: aad_11), maxlength(game 21: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: info_8), maxlength(game 21: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 21: info_7)) + #Oadec * time(Open_inner, maxlength(game 21: c), maxlength(game 21: aad_10)) + #Oadec * time(let injbot, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 21: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 21: m0)), length(Length, maxlength(game 21: m1))) + #Ochall * time(Length, maxlength(game 21: m1)) + #Ochall * time(Length, maxlength(game 21: m0)) + #Ochall * time(test, maxlength(game 21: m0), maxlength(game 21: m1)) + #Ochall * time(Seal_inner, maxlength(game 21: pt_8), maxlength(game 21: aad_11)) + time +RESULT time_3 = time + time(context for game 31) = (N + #Oaenc * N + #Oaenc + #Oadec * #Ochall + #Ochall * N + #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 31: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 31: m), maxlength(game 31: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 31: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 31: ct_9), maxlength(game 31: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 31: aad_11), maxlength(game 31: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 31: info_8), maxlength(game 31: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_7)) + #Oadec * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 31: info_7)) + #Oadec * time(Open_inner, maxlength(game 31: c), maxlength(game 31: aad_10)) + #Oadec * time(let injbot, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 31: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 31: m0)), length(Length, maxlength(game 31: m1))) + #Ochall * time(Length, maxlength(game 31: m1)) + #Ochall * time(Length, maxlength(game 31: m0)) + #Ochall * time(test, maxlength(game 31: m0), maxlength(game 31: m1)) + time +RESULT time_4 = time + time(context for game 36) = (N + #Oaenc * N + #Oaenc + #Oadec * #Ochall + #Ochall * N + #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 36: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 36: m), maxlength(game 36: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 36: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 36: r_8), maxlength(game 36: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 36: aad_11), maxlength(game 36: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 36: info_8), maxlength(game 36: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_7)) + #Oadec * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 36: info_7)) + #Oadec * time(Open_inner, maxlength(game 36: c), maxlength(game 36: aad_10)) + #Oadec * time(let injbot, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 36: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 36: m0)), length(Length, maxlength(game 36: m1))) + #Ochall * time(Length, maxlength(game 36: m1)) + #Ochall * time(Length, maxlength(game 36: m0)) + #Ochall * time(test, maxlength(game 36: m0), maxlength(game 36: m1)) + time +All queries proved. diff --git a/keyschedule.auth.prf.ocv b/keyschedule.auth.prf.ocv index 74e2080..e3e6b8e 100644 --- a/keyschedule.auth.prf.ocv +++ b/keyschedule.auth.prf.ocv @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* This type denotes the two-byte indication of length used in LabeledExpand. *) type length_t [fixed]. @@ -253,3 +265,8 @@ equivalence (* The next oracle gives the key of the collision resistant hash function to the adversary *) run Extract_CR_oracle(cr_key)) + +(* EXPECTED +All queries proved. +0.328s (user 0.312s + system 0.016s), max rss 20608K +END *) diff --git a/keyschedule.auth.prf.proof b/keyschedule.auth.prf.proof index a39b8a9..e823a8f 100644 --- a/keyschedule.auth.prf.proof +++ b/keyschedule.auth.prf.proof @@ -1,1559 +1,1557 @@ -Initial state -Game 2 is - Ostart() := - cr_key_3 <-R cr_key_t; - return(cr_key_3); - (( - foreach ikey_1 <= Nkey do - Ok() := - return(); - foreach i_1 <= Nperkey do - Oprf(info_4: bitstring) := - find [unique?] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then - return(r[j_1]) - else - r <-R keys_t; - return(r) - ) | ( - OH() := - return(cr_key_3) - )) - - -Applying expand get, insert and prove unique annotations - - Proved that [unique] annotations are correct -yields - -Game 3 is - Ostart() := - cr_key_3 <-R cr_key_t; - return(cr_key_3); - (( - foreach ikey_1 <= Nkey do - Ok() := - return(); - foreach i_1 <= Nperkey do - Oprf(info_4: bitstring) := - find [unique] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then - return(r[j_1]) - else - r <-R keys_t; - return(r) - ) | ( - OH() := - return(cr_key_3) - )) - -Initial state -Game 1 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - return((mode: mode_t <- mode_auth; psk: bitstring <- default_psk; psk_id: bitstring <- default_psk_id; psk_id_hash: cr_output_t <- (salt_3: cr_salt_t <- empty; label_5: label_extract_t <- label_psk_id_hash; labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); Extract_CR(cr_key_2, salt_3, labeled_input)); info_hash: cr_output_t <- (salt_4: cr_salt_t <- empty; label_6: label_extract_t <- label_info_hash; labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); Extract_CR(cr_key_2, salt_4, labeled_input_1)); key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); secrett: extract_t <- (label_7: label_extract_t <- label_secret; IKM: bitstring <- psk; labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); Extract_PRF(k, labeled_IKM)); key: key_t <- (label_8: label_expand_t <- label_key; L_2: length_t <- Nk; truncate_to_Nk((labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); Expand_PRF(secrett, labeledInfo)))); base_nonce: nonce_t <- (label_9: label_expand_t <- label_base_nonce; L_3: length_t <- Nn; truncate_to_Nn((labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); Expand_PRF(secrett, labeledInfo_1)))); concat(key, base_nonce))) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 4 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk: bitstring <- default_psk; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - IKM: bitstring <- psk; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on IKM (definition removed, all usages removed) -yields - -Game 5 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk: bitstring <- default_psk; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder psk - - Remove assignments on psk (definition removed, all usages removed) -yields - -Game 6 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder psk_id - - Remove assignments on psk_id (definition removed, all usages removed) -yields - -Game 7 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder labeled_IKM - - Remove assignments on labeled_IKM (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_7, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder label_7 - - Remove assignments on label_7 (definition removed, all usages removed) -yields - -Game 9 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - {11} return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying insert instruction sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) at occurrence 11 -yields - -Game 10 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- {84}Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying use variable(s) sec - - Use variable sec - - Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) replaced with sec at 84 -yields - -Game 11 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - {26} mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying insert instruction find [unique] l_1 = l <= Nperkey suchthat - defined(else_br[l], info_3[l]) - && (info_3[l] = info_3) - then else else_br <- true at occurrence 26 -yields - -Game 12 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); -{293} return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying insert instruction r_1 <- concat(key, base_nonce) at occurrence 293 -yields - -Game 13 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return({303}concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying use variable(s) r_1 - - Use variable r_1 - - concat(key, base_nonce) replaced with r_1 at 303 -yields - -Game 14 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return({152}concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying replace term at occurrence 152 with r_1[l_1] -yields - -Game 15 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(r_1[l_1]) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on else_br (definition removed, all usages removed) - - Remove assignments on secrett (definition removed, all usages removed) - - Remove assignments on secrett (definition removed, all usages removed) - - Remove assignments on key (definition removed, all usages removed) - - Remove assignments on base_nonce (definition removed, all usages removed) - - Remove assignments on labeledInfo (definition removed, all usages removed) - - Remove assignments on labeledInfo_1 (definition removed, all usages removed) - - Remove assignments on key_schedule_context (definition removed, all usages removed) - - Remove assignments on label_8 (definition removed, all usages removed) - - Remove assignments on L_2 (definition removed, all usages removed) - - Remove assignments on label_9 (definition removed, all usages removed) - - Remove assignments on L_3 (definition removed, all usages removed) - - Remove assignments on mode (definition removed, all usages removed) - - Remove assignments on psk_id_hash (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on salt_3 (definition removed, all usages removed) - - Remove assignments on labeled_input (definition removed, all usages removed) - - Remove assignments on salt_4 (definition removed, all usages removed) - - Remove assignments on labeled_input_1 (definition removed, all usages removed) - - Remove assignments on label_5 (definition removed, all usages removed) - - Remove assignments on label_6 (definition removed, all usages removed) -yields - -Game 16 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence prf(Extract_PRF) [probability P_PRF_Extract(time_1, Nkey, Nkey)] - - Equivalence prf(Extract_PRF) with variables: k -> k_2 -yields - -Game 17 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); {17}find [unique] else r_2 <-R extract_t; r_2); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Find at 17 removed (else branch kept if any) -yields - -Game 18 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); r_2 <-R extract_t; r_2); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 19 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); - r_2 <-R extract_t; - sec: extract_t <- r_2; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on x (definition removed, all usages removed) - - Remove assignments on sec (definition removed, all usages removed) -yields - -Game 20 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - r_2 <-R extract_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(r_2, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(r_2, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence prf(Expand_PRF) [probability P_PRF_Expand(time_2, Nkey, 2 * #Oprf)] - - Equivalence prf(Expand_PRF) with variables: r_2 -> k_2 -yields - -Game 21 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; {116}find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] orfind u_2 = ri_5 <= Nperkey suchthat defined(x_2[ri_5], r_4[ri_5]) && {137}(x_1 = x_2[ri_5]) then r_4[u_2] else r_3 <-R expand_t; r_3)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; {176}find [unique] u_1 = ri_3 <= Nperkey suchthat defined(x_1[ri_3], r_3[ri_3]) && {181}(x_2 = x_1[ri_3]) then r_3[u_1] orfind u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced (x_1 = x_2[ri_5]) with false at 137 - - Remove branch 2 in find at 116 - - Replaced (x_2 = x_1[ri_3]) with false at 181 - - Remove branch 1 in find at 176 -yields - -Game 22 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] else r_3 <-R expand_t; r_3)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 23 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - x_1: bitstring <- labeledInfo; - find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on x_2 (definition kept, array references kept) - - Remove assignments on x_2 (definition kept, array references kept) -yields - -Game 24 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); -{110} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(labeledInfo[ri_7], r_3[ri_7]) && {115}(labeledInfo = labeledInfo[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; -{150} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {155}(labeledInfo_1 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; -{239} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {244}(labeledInfo_1 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify - - Simplification pass - - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 244 - - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 239 - - Replaced (labeledInfo = labeledInfo[ri_7]) with (info_hash = info_hash[ri_7]) at 115 - - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 155 - - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 150 - - Replaced defined condition labeledInfo[ri_7], r_3[ri_7] with r_3[ri_7], info_hash[ri_7] in find at 110 -yields - -Game 25 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying move all binders - - Move assignment to x_2 - - Move assignment to labeledInfo_1 - - Move assignment to L_3 - - Move assignment to label_9 - - Move assignment to x_2 - - Move assignment to labeledInfo_1 - - Move assignment to L_3 - - Move assignment to label_9 - - Move assignment to labeledInfo - - Move assignment to L_2 - - Move assignment to label_8 - - Move assignment to key_schedule_context - - Move assignment to mode -yields - -Game 26 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on psk_id_hash (definition removed, all usages removed) - - Remove assignments on salt_3 (definition removed, all usages removed) - - Remove assignments on labeled_input (definition removed, all usages removed) - - Remove assignments on label_5 (definition removed, all usages removed) -yields - -Game 27 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - {59} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && {64}(info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); -{142} find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && {147}(info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify [probability P_hashcoll(time_3)] - - Simplification pass - - Replaced (info_hash = info_hash[ri_1]) with (info_3 = info_3[ri_1]) at 147 - - Remove branch 1 in find at 142 - - Find at 142 removed (else branch kept if any) - - Replaced (info_hash = info_hash[ri_7]) with (info_3 = info_3[ri_7]) at 64 - - Remove branch 1 in find at 59 - - Find at 59 removed (else branch kept if any) -yields - -Game 28 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence truncate(truncate_to_Nk) - - Equivalence truncate(truncate_to_Nk) with variables: r_3 -> h -yields - -Game 29 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - k_1 <-R key_t; - key: key_t <- k_1; - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on key (definition removed, all usages removed) - - Remove assignments on salt_4 (definition removed, all usages removed) - - Remove assignments on labeled_input_1 (definition removed, all usages removed) - - Remove assignments on label_6 (definition removed, all usages removed) -yields - -Game 30 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(k_1, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence truncate(truncate_to_Nn) - - Equivalence truncate(truncate_to_Nn) with variables: r_4 -> h -yields - -Game 31 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - k_2 <-R nonce_t; - base_nonce: nonce_t <- k_2; - r_1: keys_t <- concat(k_1, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on base_nonce (definition removed, all usages removed) -yields - -Game 32 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - k_2 <-R nonce_t; - r_1: keys_t <- concat(k_1, k_2); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence concat_random - - Equivalence concat_random with variables: k_2 -> k2, k_1 -> k1 -yields - -Game 33 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_3 <-R keys_t; - r_1: keys_t <- k_3; - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_1 (definition removed, all usages removed) -yields - -Game 34 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(k_3[l], info_3[l]) && (info_3[l] = info_3) then - return(k_3[l_1]) - else - k_3 <-R keys_t; - return(k_3) - ) | ( - OH() := - return(cr_key_2) - )) - - -Proved indistinguishability between game 34 and game 2 -Game 34 is the same as game 3. -Adv[Game 2: indistinguishability from game 3] <= 0 + Adv[Game 3: indistinguishability from game 3] -Adv[Game 3: indistinguishability from game 3] <= 0 -Adv[Game 1: indistinguishability from game 34] <= P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) + Adv[Game 34: indistinguishability from game 34] -Adv[Game 34: indistinguishability from game 34] <= 0 -RESULT Proved indistinguishability between game 1 and game 2 up to probability P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) -RESULT time_1 = time + time(context for game 16) = Nkey * time(concat_PRF, length(default_psk)) + #Oprf * Nperkey * time(= bitstring, maxlength(game 16: info_3), maxlength(game 16: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 16: info_3)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo)) + 2 * #Oprf * time(concat_Expand, maxlength(game 16: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo_1)) + #Oprf * time(concat) + time -RESULT time_2 = time + time(context for game 20) = #Oprf * Nperkey * time(= bitstring, maxlength(game 20: info_3), maxlength(game 20: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 20: info_3)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + 2 * #Oprf * time(concat_Expand, maxlength(game 20: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) + time -RESULT time_3 = time + time(game 27) = time + #Oprf * Nperkey * time(= bitstring, maxlength(game 27: info_3), maxlength(game 27: info_3)) + #Oprf * time(concat_CR, maxlength(game 27: info_3)) + #Oprf * time(Extract_CR, maxlength(game 27: labeled_input_1)) + #Oprf * time(truncate_to_Nk) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) -All queries proved. +Initial state +Game 2 is + Ostart() := + cr_key_3 <-R cr_key_t; + return(cr_key_3); + (( + foreach ikey_1 <= Nkey do + Ok() := + return(); + foreach i_1 <= Nperkey do + Oprf(info_4: bitstring) := + find [unique?] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then + return(r[j_1]) + else + r <-R keys_t; + return(r) + ) | ( + OH() := + return(cr_key_3) + )) + + +Applying expand get, insert and prove unique annotations + - Proved that [unique] annotations are correct +yields + +Game 3 is + Ostart() := + cr_key_3 <-R cr_key_t; + return(cr_key_3); + (( + foreach ikey_1 <= Nkey do + Ok() := + return(); + foreach i_1 <= Nperkey do + Oprf(info_4: bitstring) := + find [unique] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then + return(r[j_1]) + else + r <-R keys_t; + return(r) + ) | ( + OH() := + return(cr_key_3) + )) + +Initial state +Game 1 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + return((mode: mode_t <- mode_auth; psk: bitstring <- default_psk; psk_id: bitstring <- default_psk_id; psk_id_hash: cr_output_t <- (salt_3: cr_salt_t <- empty; label_5: label_extract_t <- label_psk_id_hash; labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); Extract_CR(cr_key_2, salt_3, labeled_input)); info_hash: cr_output_t <- (salt_4: cr_salt_t <- empty; label_6: label_extract_t <- label_info_hash; labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); Extract_CR(cr_key_2, salt_4, labeled_input_1)); key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); secrett: extract_t <- (label_7: label_extract_t <- label_secret; IKM: bitstring <- psk; labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); Extract_PRF(k, labeled_IKM)); key: key_t <- (label_8: label_expand_t <- label_key; L_2: length_t <- Nk; truncate_to_Nk((labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); Expand_PRF(secrett, labeledInfo)))); base_nonce: nonce_t <- (label_9: label_expand_t <- label_base_nonce; L_3: length_t <- Nn; truncate_to_Nn((labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); Expand_PRF(secrett, labeledInfo_1)))); concat(key, base_nonce))) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 4 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk: bitstring <- default_psk; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + IKM: bitstring <- psk; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on IKM (definition removed, all usages removed) +yields + +Game 5 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk: bitstring <- default_psk; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder psk + - Remove assignments on psk (definition removed, all usages removed) +yields + +Game 6 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder psk_id + - Remove assignments on psk_id (definition removed, all usages removed) +yields + +Game 7 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder labeled_IKM + - Remove assignments on labeled_IKM (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_7, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder label_7 + - Remove assignments on label_7 (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + {11} return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying insert instruction sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) at occurrence 11 +yields + +Game 10 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- {84}Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying use variable(s) sec + - Use variable sec + - Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) replaced with sec at 84 +yields + +Game 11 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + {26} mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying insert instruction find [unique] l_1 = l <= Nperkey suchthat + defined(else_br[l], info_3[l]) + && (info_3[l] = info_3) + then else else_br <- true at occurrence 26 +yields + +Game 12 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); +{293} return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying insert instruction r_1 <- concat(key, base_nonce) at occurrence 293 +yields + +Game 13 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return({303}concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying use variable(s) r_1 + - Use variable r_1 + - concat(key, base_nonce) replaced with r_1 at 303 +yields + +Game 14 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return({152}concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying replace term at occurrence 152 with r_1[l_1] +yields + +Game 15 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(r_1[l_1]) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on else_br (definition removed, all usages removed) + - Remove assignments on secrett (definition removed, all usages removed) + - Remove assignments on secrett (definition removed, all usages removed) + - Remove assignments on key (definition removed, all usages removed) + - Remove assignments on base_nonce (definition removed, all usages removed) + - Remove assignments on labeledInfo (definition removed, all usages removed) + - Remove assignments on labeledInfo_1 (definition removed, all usages removed) + - Remove assignments on key_schedule_context (definition removed, all usages removed) + - Remove assignments on label_8 (definition removed, all usages removed) + - Remove assignments on L_2 (definition removed, all usages removed) + - Remove assignments on label_9 (definition removed, all usages removed) + - Remove assignments on L_3 (definition removed, all usages removed) + - Remove assignments on mode (definition removed, all usages removed) + - Remove assignments on psk_id_hash (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on salt_3 (definition removed, all usages removed) + - Remove assignments on labeled_input (definition removed, all usages removed) + - Remove assignments on salt_4 (definition removed, all usages removed) + - Remove assignments on labeled_input_1 (definition removed, all usages removed) + - Remove assignments on label_5 (definition removed, all usages removed) + - Remove assignments on label_6 (definition removed, all usages removed) +yields + +Game 16 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence prf(Extract_PRF) [probability P_PRF_Extract(time_1, Nkey, Nkey)] + - Equivalence prf(Extract_PRF) with variables: k -> k_2 +yields + +Game 17 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); {17}find [unique] else r_2 <-R extract_t; r_2); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Find at 17 removed (else branch kept if any) +yields + +Game 18 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); r_2 <-R extract_t; r_2); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 19 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); + r_2 <-R extract_t; + sec: extract_t <- r_2; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on x (definition removed, all usages removed) + - Remove assignments on sec (definition removed, all usages removed) +yields + +Game 20 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + r_2 <-R extract_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(r_2, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(r_2, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence prf(Expand_PRF) [probability P_PRF_Expand(time_2, Nkey, 2 * #Oprf)] + - Equivalence prf(Expand_PRF) with variables: r_2 -> k_2 +yields + +Game 21 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; {116}find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] orfind u_2 = ri_5 <= Nperkey suchthat defined(x_2[ri_5], r_4[ri_5]) && {137}(x_1 = x_2[ri_5]) then r_4[u_2] else r_3 <-R expand_t; r_3)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; {176}find [unique] u_1 = ri_3 <= Nperkey suchthat defined(x_1[ri_3], r_3[ri_3]) && {181}(x_2 = x_1[ri_3]) then r_3[u_1] orfind u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced (x_1 = x_2[ri_5]) with false at 137 + - Remove branch 2 in find at 116 + - Replaced (x_2 = x_1[ri_3]) with false at 181 + - Remove branch 1 in find at 176 +yields + +Game 22 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] else r_3 <-R expand_t; r_3)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 23 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + x_1: bitstring <- labeledInfo; + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on x_2 (definition kept, array references kept) + - Remove assignments on x_2 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); +{110} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(labeledInfo[ri_7], r_3[ri_7]) && {115}(labeledInfo = labeledInfo[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; +{150} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {155}(labeledInfo_1 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; +{239} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {244}(labeledInfo_1 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify + - Simplification pass + - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 244 + - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 239 + - Replaced (labeledInfo = labeledInfo[ri_7]) with (info_hash = info_hash[ri_7]) at 115 + - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 155 + - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 150 + - Replaced defined condition labeledInfo[ri_7], r_3[ri_7] with r_3[ri_7], info_hash[ri_7] in find at 110 +yields + +Game 25 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying move all binders + - Move assignment to x_2 + - Move assignment to labeledInfo_1 + - Move assignment to L_3 + - Move assignment to label_9 + - Move assignment to x_2 + - Move assignment to labeledInfo_1 + - Move assignment to L_3 + - Move assignment to label_9 + - Move assignment to labeledInfo + - Move assignment to L_2 + - Move assignment to label_8 + - Move assignment to key_schedule_context + - Move assignment to mode +yields + +Game 26 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on psk_id_hash (definition removed, all usages removed) + - Remove assignments on salt_3 (definition removed, all usages removed) + - Remove assignments on labeled_input (definition removed, all usages removed) + - Remove assignments on label_5 (definition removed, all usages removed) +yields + +Game 27 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + {59} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && {64}(info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); +{142} find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && {147}(info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify [probability P_hashcoll(time_3)] + - Simplification pass + - Replaced (info_hash = info_hash[ri_1]) with (info_3 = info_3[ri_1]) at 147 + - Remove branch 1 in find at 142 + - Find at 142 removed (else branch kept if any) + - Replaced (info_hash = info_hash[ri_7]) with (info_3 = info_3[ri_7]) at 64 + - Remove branch 1 in find at 59 + - Find at 59 removed (else branch kept if any) +yields + +Game 28 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence truncate(truncate_to_Nk) + - Equivalence truncate(truncate_to_Nk) with variables: r_3 -> h +yields + +Game 29 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + k_1 <-R key_t; + key: key_t <- k_1; + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on key (definition removed, all usages removed) + - Remove assignments on salt_4 (definition removed, all usages removed) + - Remove assignments on labeled_input_1 (definition removed, all usages removed) + - Remove assignments on label_6 (definition removed, all usages removed) +yields + +Game 30 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(k_1, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence truncate(truncate_to_Nn) + - Equivalence truncate(truncate_to_Nn) with variables: r_4 -> h +yields + +Game 31 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + k_2 <-R nonce_t; + base_nonce: nonce_t <- k_2; + r_1: keys_t <- concat(k_1, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on base_nonce (definition removed, all usages removed) +yields + +Game 32 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + k_2 <-R nonce_t; + r_1: keys_t <- concat(k_1, k_2); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence concat_random + - Equivalence concat_random with variables: k_2 -> k2, k_1 -> k1 +yields + +Game 33 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_3 <-R keys_t; + r_1: keys_t <- k_3; + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_1 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(k_3[l], info_3[l]) && (info_3[l] = info_3) then + return(k_3[l_1]) + else + k_3 <-R keys_t; + return(k_3) + ) | ( + OH() := + return(cr_key_2) + )) + + +Proved indistinguishability between game 34 and game 2 +Game 34 is the same as game 3. +Adv[Game 2: indistinguishability from game 3] <= 0 + Adv[Game 3: indistinguishability from game 3] +Adv[Game 1: indistinguishability from game 34] <= P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) + Adv[Game 34: indistinguishability from game 34] +RESULT Proved indistinguishability between game 1 and game 2 up to probability P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) +RESULT time_1 = time + time(context for game 16) = Nkey * time(concat_PRF, length(default_psk)) + #Oprf * Nperkey * time(= bitstring, maxlength(game 16: info_3), maxlength(game 16: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 16: info_3)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo)) + 2 * #Oprf * time(concat_Expand, maxlength(game 16: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo_1)) + #Oprf * time(concat) + time +RESULT time_2 = time + time(context for game 20) = #Oprf * Nperkey * time(= bitstring, maxlength(game 20: info_3), maxlength(game 20: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 20: info_3)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + 2 * #Oprf * time(concat_Expand, maxlength(game 20: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) + time +RESULT time_3 = time + time(game 27) = time + #Oprf * Nperkey * time(= bitstring, maxlength(game 27: info_3), maxlength(game 27: info_3)) + #Oprf * time(concat_CR, maxlength(game 27: info_3)) + #Oprf * time(Extract_CR, maxlength(game 27: labeled_input_1)) + #Oprf * time(truncate_to_Nk) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) +All queries proved. diff --git a/lib.aead.ocvl b/lib.aead.ocvl index f314879..7da725b 100644 --- a/lib.aead.ocvl +++ b/lib.aead.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* AEAD (authenticated encryption with additional data) with a random nonce. A typical example is AES-GCM. diff --git a/lib.authkem.ocvl b/lib.authkem.ocvl index d1ca620..0e34ff2 100644 --- a/lib.authkem.ocvl +++ b/lib.authkem.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* The following macros define security properties of AKEM, which we use as assumptions in the proof of HPKE. @@ -86,17 +98,17 @@ def Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap } (* Macro Outsider_CCA_Secure_Authenticated_KEM defines an Outsider-CCA secure AKEM. - In addition to the previous arguments, it takes the advantage of the adversary + It takes the previous arguments, except that instead of P_pk_coll, it takes the advantage of the adversary over the Outsider-CCA property, Adv_Outsider_CCA(time, N, Qetot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qdtot the total number of queries to the Encap and Decap oracles, respectively. *) -def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA) { - - expand Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA) { param N, Qeperuser, Qdperuser. + table E(pkey, pkey, ciphertext, key). + (* In this security notion, the sender keypair is honest, which means the private key is not known to the adversary. *) equiv(outsider_cca(AuthEncap)) @@ -117,6 +129,7 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth find i2 <= N suchthat defined(s[i2]) && pk_R = pkgen(s[i2]) then ( let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks, pk_R, skgen(s)) in ( k' <-R key; + insert E(pkgen(s), pk_R, ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -127,15 +140,8 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth )) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - encryption queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(s[i1], pk_R[ie1, i1], k'[ie1, i1], ce[ie1, i1]) && - pkgen(s) = pk_R[ie1, i1] && pkgen(s[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k'[ie1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(cd, skgen(s), pk_S)) )) | @@ -143,19 +149,19 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth ). } -(* Macro Outsider_Secure_Authenticated_KEM defines an Outsider-CCA and Outsider-Auth AKEM. - In addition to the arguments mentioned at the top of the file, it takes the advantage - of the adversary over the Outsider-CCA property, Adv_Outsider_CCA(time, N, Qetot, Qdtot), and +(* Macro Outsider_Auth_Secure_Authenticated_KEM defines an Outsider-Auth AKEM. + It takes the arguments mentioned at the top of the file, except that instead + of P_pk_coll, it takes the advantage of the adversary over the Outsider-Auth property, Adv_Outsider_Auth(time, N, Qetot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qdtot the total number of queries to the Encap and Decap oracles, respectively. *) -def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA, Adv_Outsider_Auth) { - - expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA). +def Outsider_Auth_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_Auth) { param N, Qeperuser, Qdperuser. + table E(pkey, pkey, ciphertext, key). + equiv(outsider_auth(AuthEncap)) foreach i <= N do s <-R keypairseed; ( foreach ie <= Qeperuser do ks <-R kemseed; ( @@ -172,6 +178,7 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca foreach ie <= Qeperuser do ks <-R kemseed [unchanged]; ( OAEncap(pk_R: pkey) := let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks, pk_R, skgen(s)) in ( + insert E(pkgen(s), pk_R, ce, k); return(AuthEncap_tuple(k, ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -179,27 +186,14 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca )) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Oencap and previous Odecap queries using arrays. - The first branch looks into Oencap queries, and in case of - success, the oracle returns the key k computed there. - The second branch (after "orfind") looks into previous - Odecap queries, and in case of success, the oracle returns - the previously computed key k'. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(s[i1], pk_R[ie1, i1], k[ie1, i1], ce[ie1, i1]) && - pkgen(s) = pk_R[ie1, i1] && pkgen(s[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k[ie1, i1])) - ) orfind id1 <= Qdperuser, i1 <= N suchthat - defined(s[i1], pk_S[id1, i1], k'[id1, i1], cd[id1, i1]) && - pkgen(s) = pkgen(s[i1]) && pk_S[id1, i1] = pk_S && cd[id1, i1] = cd then ( - return(AuthDecap_Some(k'[id1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( (* This "find" checks whether pk_S is among the honest public keys pk_i *) find i1 <= N suchthat defined(s[i1]) && pk_S = pkgen(s[i1]) then ( let AuthDecap_Some(k0) = AuthDecap(cd, skgen(s), pk_S) in ( k' <-R key; + insert E(pk_S, pkgen(s), cd, k'); return(AuthDecap_Some(k')) ) else ( return(AuthDecap_None) @@ -214,17 +208,17 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca } (* Macro Insider_CCA_Secure_Authenticated_KEM defines an Insider-CCA AKEM. - In addition to the arguments mentioned at the top of the file, it takes the advantage + It takes the arguments mentioned at the top of the file, except that instead of P_pk_coll it takes the advantage of the adversary over the Insider-CCA property, Adv_Insider_CCA(time, N, Qetot, Qctot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qctot, Qdtot the total number of queries to the Encap, Decap, and Challenge oracles, respectively. *) -def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Insider_CCA) { - - expand Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Insider_CCA) { param N, Qeperuser, Qdperuser, Qcperuser. + table E(pkey, pkey, ciphertext, key). + equiv(insider_cca(AuthEncap)) foreach i <= N do s <-R keypairseed; ( foreach ic <= Qcperuser do ks' <-R kemseed; ( @@ -245,6 +239,7 @@ def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthE Ochall(s': keypairseed) := let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks', pkgen(s), skgen(s')) in ( k' <-R key; + insert E(pkgen(s'), pkgen(s), ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -255,17 +250,8 @@ def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthE return(AuthEncap_r(ks, pk_R, skgen(s)))) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Ochall queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ic1 <= Qcperuser, i1 <= N suchthat - defined(ce[ic1, i1], k'[ic1, i1], s[i1], s'[ic1, i1]) - && ce[ic1, i1] = cd - && pkgen(s'[ic1, i1]) = pk_S - && pkgen(s[i1]) = pkgen(s) then ( - return(AuthDecap_Some(k'[ic1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(cd, skgen(s), pk_S)) ) diff --git a/lib.choice.ocvl b/lib.choice.ocvl index 7b71e8e..dbb7c89 100644 --- a/lib.choice.ocvl +++ b/lib.choice.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + def boolean_choice(value_t, test) { fun test(bool, value_t, value_t) : value_t. diff --git a/lib.gdh.ocvl b/lib.gdh.ocvl index eb6ea23..582f7cc 100644 --- a/lib.gdh.ocvl +++ b/lib.gdh.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* DH_proba_collision_minimal says that the probability that exp(g, x) = Y for random x and Y independent of x is at most PCollKey *) diff --git a/lib.ocvl b/lib.ocvl index 3329c18..af60fa2 100644 --- a/lib.ocvl +++ b/lib.ocvl @@ -4,7 +4,7 @@ * * * Bruno Blanchet and David Cadé * * * - * Copyright (C) ENS, CNRS, INRIA, 2005-2021 * + * Copyright (C) ENS, CNRS, INRIA, 2005-2022 * * * *************************************************************) @@ -2661,7 +2661,7 @@ expand SUF_CMA_proba_signature_all_args(keyseed, pkey, skey, signinput, signatur exp': symbol that replaces exp after game transformation mult: the multiplication function for exponents - The types G and Z must be declared before + The types G and Z must be declared before expanding this macro. The functions g, exp, exp', and mult are defined by this macro. They must not be declared elsewhere, and they can be used only after expanding the macro. @@ -2685,6 +2685,220 @@ equation forall a:G, x:Z, y:Z; } +(* DH_basic_with_is_neutral(G, Z, g, exp, exp', mult, is_neutral) +defines a Diffie-Hellman structure like +DH_basic(G, Z, g, exp, exp', mult) +with additionally +* for X in G, is_neutral(X^y) if and only if is_neutral(X); +* not(is_neutral(g)). + +is_neutral(G):bool is defined by this macro. It must not be +declared elsewhere, and can be used only after expanding the +macro. + +Prime-order groups with the neutral element included satisfy +this assumption, for instance. +*) + +def DH_basic_with_is_neutral(G, Z, g, exp, exp', mult, is_neutral) { + +expand DH_basic(G, Z, g, exp, exp', mult). + +fun is_neutral(G):bool. + +equation is_neutral(g) = false. + +equation forall x:G, y:Z; is_neutral(exp(x,y)) = is_neutral(x). +equation forall x:G, y:Z; is_neutral(exp'(x,y)) = is_neutral(x). + +} + +(* +DH_subgroup(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG) +defines a Diffie-Hellman structure that satisfies the following properties: + +Z is a set of integers multiple of k, prime to n (possibly modulo kn). +k is prime to n. + +G is a set of elements +g is an element of G + +There is an exponentiation function ^: for X in G, y integer, we have X^y in G. +with the following properties: +* (X^x)^y = X^(xy) +* for X in subG, for any x prime to n, X^x = X'^x => X = X' +* ^ yields the same results for exponents equal modulo kn. + +mult(Z,Z):Z is the product of integers. + +subG = { X^k | X \in G } is a subset of G. + +g_k = g^k \in subG + +exp(G,Z):G exp(X,y) = X^y +exp_div_k(subG,Z):subG exp_div_k(X,y) = X^{y/k} +exp_div_k' is defined like exp_div_k; it replaces exp_div_k after games transformations. + +pow_k(G):subG pow_k(X) = X^k + +subGtoG(subG):G is the injection from subG to G + +The types G, Z, and subG must be declared before expanding this macro. +The constants g and g_k, and the functions exp, mult, exp_div_k, +exp_div_k', pow_k, subGtoG are defined by this macro. They must not be +declared elsewhere, and they can be used only after expanding the +macro. + +Curve25519 satisfies these properties with k = 8, n = pp' where the curve has order +kp and the quadratic twist has order k'p' (k' = 4). See + https://hal.inria.fr/hal-02100345 + +Curve448 does not satisfy these properties because kp may be chosen as a private key +and it is not prime to n = pp' where the curve has order kp and the quadratic twist +has order k'p' (k = k' = 4) (weak private key). In order to use DH_subgroup, one should +exclude the weak private key using DH_exclude_weak_keys as follows: + expand DH_subgroup(G, Znw, g, expnw, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG). + letproba Pweak_key = 2^-445. + expand DH_exclude_weak_keys(G, Z, Znw, ZnwtoZ, exp, expnw, Pweak_key). + +Groups of prime order p also satisfy these properties, with k = 1, n = p, subG = G, +g_k = g, pow_k and subGtoG are the identity (assuming private keys are chosen in +[1,p-1]). + +*) + +def DH_subgroup(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG) { + +fun mult(Z,Z): Z. +equation builtin commut(mult). + +fun pow_k(G):subG. +fun subGtoG(subG): G [data]. + +equation forall x:subG, x':subG; + (pow_k(subGtoG(x)) = pow_k(subGtoG(x'))) = (x = x'). + +const g: G. +const g_k:subG. +equation pow_k(g) = g_k. + +fun exp_div_k(subG,Z): subG. +fun exp_div_k'(subG,Z): subG. + +(* ((X^(y/k))^k)^(z/k) = X^(y.z/k) + Used when expanding exp(exp(g,y),z). *) +equation forall X:subG, y:Z, z:Z; + exp_div_k(pow_k(subGtoG(exp_div_k(X,y))), z) = exp_div_k(X, mult(y,z)). +equation forall X:subG, y:Z, z:Z; + exp_div_k'(pow_k(subGtoG(exp_div_k'(X,y))), z) = exp_div_k'(X, mult(y,z)). + +equation forall x:subG, x':subG, y:Z; (exp_div_k(x,y) = exp_div_k(x',y)) = (x = x'). +equation forall x:subG, x':subG, y:Z; (exp_div_k'(x,y) = exp_div_k'(x',y)) = (x = x'). + +(* exp_div_k(g_k, mult(x',y)) = exp_div_k'(X',y) where X' = pow_k(subGtoG(exp_div_k(g_k,x')), + we can show the next equalities using the previous ones *) +equation forall x:subG, x':Z, y:Z; (exp_div_k(x,y) = exp_div_k(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k(g_k,x')))). +equation forall x:subG, x':Z, y:Z; (exp_div_k'(x,y) = exp_div_k'(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k'(g_k,x')))). + +fun exp(G, Z): G. + +(* X^y = (X^k)^(y/k) *) +equation forall X:G, y:Z; + exp(X,y) = subGtoG(exp_div_k(pow_k(X),y)). + +} + +(* DH_subgroup_with_is_neutral(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_neutral_G, is_neutral_subG) defines a Diffie-Hellman structure with the same properties as +DH_subgroup(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG) +and additionally +* for X in subG, is_neutral(X^y) if and only if is_neutral(X); +* not(is_neutral(g^k)). + +is_neutral_G(G):bool +is_neutral_subG(subG):bool +correspond to the function is_neutral, respectively on G and on subG. +These functions are defined by this macro. They must not be +declared elsewhere, and they can be used only after expanding the +macro. + +Curve22519 satisfies these properties with is_neutral(X) = (X = 0). +Curve448 also satisfies these properties with is_neutral(X) = (X = 0), after removing the +weak private key as follows: + expand DH_subgroup_with_is_neutral(G, Znw, g, expnw, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_neutral_G, is_neutral_subG). + letproba Pweak_key = 2^-445. + expand DH_exclude_weak_keys(G, Z, Znw, ZnwtoZ, exp, expnw, Pweak_key). +Prime order groups satisfy these properties with is_neutral(X) = false. +*) + +def DH_subgroup_with_is_neutral(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_neutral_G, is_neutral_subG) { + +expand DH_subgroup(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG). + +fun is_neutral_G(G):bool. +fun is_neutral_subG(subG):bool. +equation forall X:subG; is_neutral_G(subGtoG(X)) = is_neutral_subG(X). + +equation is_neutral_subG(g_k) = false. + +equation forall x:subG, y:Z; is_neutral_subG(exp_div_k(x,y)) = is_neutral_subG(x). +equation forall x:subG, y:Z; is_neutral_subG(exp_div_k'(x,y)) = is_neutral_subG(x). + +equation forall x:subG; is_neutral_subG(pow_k(subGtoG(x))) = is_neutral_subG(x). + +} + +(* DH_exclude_weak_keys allows excluding weak private keys. + +Z is a set of Diffie-Hellman private keys (exponents), possibly containing weak private keys +Znw is the subset of Z obtained by removing weak keys. + +ZnwtoZ is the injection from Znw to Z. + +Pweak_key is the probability that a weak private key is chosen. + +This macro defines an equivalence exclude_weak_keys(Z) which replaces the choice +of private keys in Z with a choice in Znw, so that there are no weak private keys. +It should be applied early in the proof, before applying Diffie-Hellman properties. + +The type of exponentiation functions is a follows: +exp(G,Z):G +expnw(G,Znw):G + +The types G, Z, Znw, the function expnw, and the probability Pweak_key +must be declared before expanding this macro. (The function expnw +should be defined by expanding one of the macros DH_basic, DH_subgroup, +or DH_good_group with Znw instead of Z and expnw instead of exp.) The +functions ZnwtoZ and exp are defined by this macro. They must not be +declared elsewhere, and they can be used only after expanding the +macro. + +This is useful for Curve448 which has a weak key kp, with k = 4 where the curve has order +kp, so Znw = Z \ { kp }, Pweak_key = 2^-445. +This is also useful for groups of prime order p in case private keys are chosen in [0,p-1]: +one should eliminate the weak private key 0, so Z = [0,p-1], Znw = [1,p-1], Pweak_key = 1/p. +*) + +def DH_exclude_weak_keys(G, Z, Znw, ZnwtoZ, exp, expnw, Pweak_key) { + +fun ZnwtoZ(Znw): Z [data]. + +param N. + +equiv(exclude_weak_keys(Z)) +foreach i<=N do x <-R Z; O() := return(x) +<=(N*Pweak_key)=> +foreach i<=N do x <-R Znw; O() := return(ZnwtoZ(x)). + +fun exp(G, Z): G. + +equation forall X:G, y:Znw; + exp(X,ZnwtoZ(y)) = expnw(X,y). + +equation forall X:G, y:Z, z:Znw; + expnw(exp(X,y),z) = exp(expnw(X,z),y). + +} + (* DH_proba_collision says that the probability that exp(g, x) = Y for random x and Y independent of x is at most PCollKey1, and @@ -2698,8 +2912,6 @@ equation forall a:G, x:Z, y:Z; def DH_proba_collision(G, Z, g, exp, exp', mult, PCollKey1, PCollKey2) { -expand DH_basic(G, Z, g, exp, exp', mult). - collision x <-R Z; forall Y: G; return(exp(g, x) = Y) <=(PCollKey1)=> return(false) if Y independent-of x. collision x <-R Z; forall Y: G; @@ -2783,6 +2995,93 @@ collision x1 <-R Z; y1 <-R Z; x2 <-R Z; y2 <-R Z; [random_choices_may_be_equal] } +(* is_neutral_DH_proba_collision is meant to be used with + DH_subgroup_with_is_neutral as follows: + expand DH_subgroup_with_is_neutral(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_neutral_G, is_neutral_subG). + expand is_neutral_DH_proba_collision(subG, Z, g_k, exp_div_k, exp_div_k', mult, is_neutral_subG, PCollKey2, PCollKey3, PCollKey4). + or with DH_basic_with_is_neutral as follows: + expand DH_basic_with_is_neutral(G, Z, g, exp, exp', mult, is_neutral). + expand is_neutral_DH_proba_collision(G, Z, g, exp, exp', mult, is_neutral, PCollKey2, PCollKey3, PCollKey4). + + In both cases, naming the arguments of is_neutral_DH_proba_collision as + follows: + is_neutral_DH_proba_collision(G, Z, g, exp, exp', mult, is_neutral, PCollKey2, PCollKey3, PCollKey4) + we have + * mult is commutative; + * if X = g^x, then exp(X, y) = exp(g, mult(x,y)); + * for X in G, is_neutral(X^y) if and only if is_neutral(X); + * for X in G, is_neutral(exp(X,y)) if and only if is_neutral(X); + * not(is_neutral(g)). + + is_neutral_DH_proba_collision assumes the following properties: + - if is_neutral(X) and is_neutral(Y) then X = Y + (in other words, there is 0 or 1 neutral element in G); + - the probability that exp(X,x) = Y where x is random and X and Y are + independent of x and not neutral is at most PCollKey2; + - the probability that exp(g, mult(x,x)) = Y with random x and Y + independent of x is at most PCollKey3, with PCollKey3 >= PCollKey2. + - the probability that exp(X,y) = exp(X,z) with y,z random + independent of each other and X is not neutral is at most PCollKey4. + *) + +def is_neutral_DH_proba_collision(G, Z, g, exp, exp', mult, is_neutral, PCollKey2, PCollKey3, PCollKey4) { + +(* The hypothesis implies that + - the probability that exp(g, x) = Y for random x and Y independent + of x is at most PCollKey2 (using the probability that exp(X,x) = Y + with X = g not neutral and independent of x; the equality can hold only + when Y is not neutral); + - the probability that exp(g, mult(x,y)) = Y where x and y are + independent random private keys and Y is independent of x or y is at most + PCollKey2 (assuming Y is independent of x, we take X = g^y, not neutral and + independent of x and use the probability that exp(X,x) = Y; + the equality can hold only when Y is not neutral; the other case is + symmetric). + - the probability that exp(g, mult(x,x)) = Y with random x and Y + independent of x is at most PCollKey3, with PCollKey3 >= PCollKey2. *) +expand square_DH_proba_collision(G, Z, g, exp, exp', mult, PCollKey2, PCollKey2, PCollKey3). + +(* This collision groups 2 cases: + - y and z are the same random choice: both sides are true + - y and z are independent random choices: implied by hypothesis *) +collision y <-R Z; z <-R Z; [random_choices_may_be_equal] forall X: G; + return(exp(X, y) = exp(X, z)) <=(PCollKey4)=> return(is_neutral(X) || (y = z)). +collision y <-R Z; z <-R Z; [random_choices_may_be_equal] forall X: G; + return(exp'(X, y) = exp'(X, z)) <=(PCollKey4)=> return(is_neutral(X) || (y = z)). + +(* The next collision is a consequence of the previous one by taking X = g^x. *) +collision x <-R Z; y <-R Z; y' <-R Z; [random_choices_may_be_equal] + return(exp(g,mult(x,y)) = exp(g,mult(x,y'))) <=(PCollKey4)=> return(y = y'). +collision x <-R Z; y <-R Z; y' <-R Z; [random_choices_may_be_equal] + return(exp'(g,mult(x,y)) = exp'(g,mult(x,y'))) <=(PCollKey4)=> return(y = y'). + + +collision x <-R Z; forall X: G, Y: G; + return(exp(X, x) = Y) <=(PCollKey2)=> return(is_neutral(X) && is_neutral(Y)) + if X independent-of x && Y independent-of x. +collision x <-R Z; forall X: G, Y: G; + return(exp'(X, x) = Y) <=(PCollKey2)=> return(is_neutral(X) && is_neutral(Y)) + if X independent-of x && Y independent-of x. + +(* The next collision is a consequence of the previous one by taking X = g^y *) +collision x <-R Z; forall y: Z, Y: G; + return(exp(g,mult(x,y)) = Y) <=(PCollKey2)=> return(false) + if y independent-of x && Y independent-of x. +collision x <-R Z; forall y: Z, Y: G; + return(exp'(g,mult(x,y)) = Y) <=(PCollKey2)=> return(false) + if y independent-of x && Y independent-of x. + +(* The next collision is a consequence of the previous one +collision x <-R Z; y <-R Z; forall Y: G; + return(exp(g,mult(x,y)) = Y) <=(PCollKey2)=> return(false) + if Y independent-of x || Y independent-of y. +collision x <-R Z; y <-R Z; forall Y: G; + return(exp'(g,mult(x,y)) = Y) <=(PCollKey2)=> return(false) + if Y independent-of x || Y independent-of y. +It is included in square_DH_proba_collision. *) + +} + (* DH_dist_random_group_element_vs_exponent says that the probability of distinguishing a random group element from an exponentiation exp(g,x) with a random exponent is at most PDist. The other @@ -2963,33 +3262,9 @@ collision x <-R Z; forall X: G, Y: G; and Z = {1, ..., q-1} so when x varies in Z, exp(g,x) covers each element of G exactly once. *) -param N, N'. - -equiv(group_to_exp_strict(exp)) - foreach iX <= N do X <-R G; (OX() := return(X) | foreach iXm <= N' do OXm(m:Z) [useful_change] := return(exp(X,m))) -<=(0)=> [computational] - foreach iX <= N do x <-R Z; (OX() := return(exp(g,x)) | foreach iXm <= N' do OXm(m:Z) := return(exp(g,mult(x,m)))). - -(* This equivalence is very general, apply it only manually, because - otherwise it might be applied too often. The equivalence above is - particular case applied only when X is inside exp, and good for - automatic proofs. *) - -equiv(group_to_exp(exp)) - foreach iX <= N do X <-R G; OX() := return(X) -<=(0)=> [manual, computational] - foreach iX <= N do x <-R Z; OX() := return(exp(g,x)). - - -equiv(exp_to_group(exp)) - foreach iX <= N do x <-R Z; OX() := return(exp(g,x)) -<=(0)=> [computational] - foreach iX <= N do X <-R G; OX() := return(X). +letproba PDist = 0. -equiv(exp'_to_group(exp)) - foreach iX <= N do x <-R Z; OX() := return(exp'(g,x)) -<=(0)=> [computational] - foreach iX <= N do X <-R G; OX() := return(X). +expand DH_dist_random_group_element_vs_exponent(G, Z, g, exp, exp', mult, PDist). } @@ -3013,10 +3288,10 @@ equiv(exp'_to_group(exp)) the function repr, such that red o repr is the identity. The Diffie-Hellman "exponentiation" is defined by exp(X,y) = repr((red(X))^y). - The secret keys are chosen uniformly in { kn | n \in [n_min,n_max] } + The private keys are chosen uniformly in { kn | n \in [n_min,n_max] } where n_min < n_max, n_max-n_min < q, and n_max-n_min < q'. - Therefore the set of secret keys may contain a multiple of q (resp. q'). + Therefore the set of private keys may contain a multiple of q (resp. q'). Such keys are weak, in the sense that they yield 0 for all public keys on the curve (resp. on the twist). We exclude them. @@ -3048,138 +3323,38 @@ equiv(exp'_to_group(exp)) subGtoG is repr restricted to subG to G. - zero is the public key 0. - sub_zero is 0, as an element of subG. + is_zero_G(G):bool is_zero_G(X) is true when X is the public key 0. + is_zero_subG(subG): bool is defined as is_zero_G, but for arguments of + type subG. The types G, subG, Z, and Znw must be declared before this macro. The functions g, exp, mult, ZnwtoZ, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, - zero, sub_zero are defined by this macro. They must not be declared + is_zero_G, is_zero_subG are defined by this macro. They must not be declared elsewhere, and they can be used only after expanding the macro. This model is justified in https://hal.inria.fr/hal-02100345 -*) - -def DH_single_coord_ladder(G, Z, g, exp, mult, subG, Znw, ZnwtoZ, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, zero, sub_zero) { - -fun mult(Znw,Znw): Znw. -equation builtin commut(mult). - -fun pow_k(G):subG. -fun subGtoG(subG): G [data]. - -equation forall x:subG, x':subG; - (pow_k(subGtoG(x)) = pow_k(subGtoG(x'))) = (x = x'). - -const zero:G. -const sub_zero:subG. -equation zero = subGtoG(sub_zero). - -const g: G. -const g_k:subG. -equation pow_k(g) = g_k. - -fun ZnwtoZ(Znw): Z [data]. - -param N. - -equiv(exclude_weak_keys(Z)) -foreach i<=N do x <-R Z; O() := return(x) -<=(2*N*Pcoll1rand(Z))=> -foreach i<=N do x <-R Znw; O() := return(ZnwtoZ(x)). - -fun exp(G, Z): G. -fun exp_div_k(subG,Znw): subG. -fun exp_div_k'(subG,Znw): subG. - -(* X^y = (X^k)^(y/k) *) -equation forall X:G, y:Znw; - exp(X,ZnwtoZ(y)) = subGtoG(exp_div_k(pow_k(X),y)). - -(* ((X^(y/k))^k)^(z/k) = X^(y.z/k) - Used when expanding exp(exp(g,y),z). *) -equation forall X:subG, y:Znw, z:Znw; - exp_div_k(pow_k(subGtoG(exp_div_k(X,y))), z) = exp_div_k(X, mult(y,z)). -equation forall X:subG, y:Znw, z:Znw; - exp_div_k'(pow_k(subGtoG(exp_div_k'(X,y))), z) = exp_div_k'(X, mult(y,z)). - -equation g_k <> sub_zero. -equation forall x:subG, y:Znw; (exp_div_k(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Znw; (exp_div_k'(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Znw; (exp_div_k(x,y) <> sub_zero) = (x <> sub_zero). -equation forall x:subG, y:Znw; (exp_div_k'(x,y) <> sub_zero) = (x <> sub_zero). - -equation forall x:subG; (pow_k(subGtoG(x)) = sub_zero) = (x = sub_zero). -equation forall x:subG; (pow_k(subGtoG(x)) <> sub_zero) = (x <> sub_zero). - -equation forall x:subG, x':subG, y:Znw; (exp_div_k(x,y) = exp_div_k(x',y)) = (x = x'). -equation forall x:subG, x':subG, y:Znw; (exp_div_k'(x,y) = exp_div_k'(x',y)) = (x = x'). - -(* exp_div_k(g_k, mult(x',y)) = exp_div_k'(X',y) where X' = pow_k(subGtoG(exp_div_k(g_k,x')), - we can show the next equalities using the previous ones *) -equation forall x:subG, x':Znw, y:Znw; (exp_div_k(x,y) = exp_div_k(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k(g_k,x')))). -equation forall x:subG, x':Znw, y:Znw; (exp_div_k'(x,y) = exp_div_k'(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k'(g_k,x')))). - -collision y <-R Znw; z <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(X, y) = exp_div_k(X, z)) <=(Pcoll1rand(Znw))=> return((X = sub_zero) || (y = z)). -collision y <-R Znw; z <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(X, y) = exp_div_k'(X, z)) <=(Pcoll1rand(Znw))=> return((X = sub_zero) || (y = z)). - -collision x <-R Znw; forall X: subG, Y: subG; - return(exp_div_k(X, x) = Y) <=(2*Pcoll1rand(Znw))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. -collision x <-R Znw; forall X: subG, Y: subG; - return(exp_div_k'(X, x) = Y) <=(2*Pcoll1rand(Znw))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. - - -collision x <-R Znw; forall y: Znw, X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if y independent-of x && X independent-of x. - -collision x <-R Znw; forall y: Znw, X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if y independent-of x && X independent-of x. - -(* The next collision is a consequence of the previous one *) -collision x <-R Znw; y <-R Znw; forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -collision x <-R Znw; y <-R Znw; forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - +*) -collision x <-R Znw; y <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(4*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -collision x <-R Znw; y <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(4*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -(* The next collision is a consequence of the previous one, - as in DH_good_group *) -collision x1 <-R Znw; y1 <-R Znw; x2 <-R Znw; y2 <-R Znw; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x1,y1)) = exp_div_k(g_k,mult(x2,y2))) <=(4*Pcoll1rand(Znw))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - -collision x1 <-R Znw; y1 <-R Znw; x2 <-R Znw; y2 <-R Znw; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x1,y1)) = exp_div_k'(g_k,mult(x2,y2))) <=(4*Pcoll1rand(Znw))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - +def DH_single_coord_ladder(G, Z, g, exp, mult, subG, Znw, ZnwtoZ, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG) { -collision x <-R Znw; y <-R Znw; y' <-R Znw; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x,y)) = exp_div_k(g_k,mult(x,y'))) <=(Pcoll1rand(Znw))=> return(y = y'). +expand DH_subgroup_with_is_neutral(G, Znw, g, expnw, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG). -collision x <-R Znw; y <-R Znw; y' <-R Znw; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x,y)) = exp_div_k'(g_k,mult(x,y'))) <=(Pcoll1rand(Znw))=> return(y = y'). +letproba Pweak_key = 2*Pcoll1rand(Z). +expand DH_exclude_weak_keys(G, Z, Znw, ZnwtoZ, exp, expnw, Pweak_key). +letproba PCollKey2 = 2*Pcoll1rand(Znw). +letproba PCollKey3 = 4*Pcoll1rand(Znw). +letproba PCollKey4 = Pcoll1rand(Znw). +expand is_neutral_DH_proba_collision(subG, Znw, g_k, exp_div_k, exp_div_k', mult, is_zero_subG, PCollKey2, PCollKey3, PCollKey4). } (* DH_X25519 models Curve25519 as defined in RFC 7748. https://tools.ietf.org/html/rfc7748 More generally, it supports the same curves as DH_single_coord_ladder - with the additional assumption that all secret keys are prime to qq'. - Therefore, we do not need to exclude weak secret keys, so the + with the additional assumption that all private keys are prime to qq'. + Therefore, we do not need to exclude weak private keys, so the parameters Znw and ZnwtoZ are removed, and we use Z instead of Znw. Curve25519 satisfies these assumptions with @@ -3193,252 +3368,54 @@ https://tools.ietf.org/html/rfc7748 This model is justified in detail in https://hal.inria.fr/hal-02100345 *) -def DH_X25519(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, zero, sub_zero) { - -fun mult(Z,Z): Z. -equation builtin commut(mult). - -fun pow_k(G):subG. -fun subGtoG(subG): G [data]. - -equation forall x:subG, x':subG; - (pow_k(subGtoG(x)) = pow_k(subGtoG(x'))) = (x = x'). - -const zero:G. -const sub_zero:subG. -equation zero = subGtoG(sub_zero). - -const g: G. -const g_k:subG. -equation pow_k(g) = g_k. - -fun exp(G, Z): G. -fun exp_div_k(subG,Z): subG. -fun exp_div_k'(subG,Z): subG. - -(* X^y = (X^k)^(y/k) *) -equation forall X:G, y:Z; - exp(X,y) = subGtoG(exp_div_k(pow_k(X),y)). +def DH_X25519(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG) { -(* ((X^(y/k))^k)^(z/k) = X^(y.z/k) - Used when expanding exp(exp(g,y),z). *) -equation forall X:subG, y:Z, z:Z; - exp_div_k(pow_k(subGtoG(exp_div_k(X,y))), z) = exp_div_k(X, mult(y,z)). -equation forall X:subG, y:Z, z:Z; - exp_div_k'(pow_k(subGtoG(exp_div_k'(X,y))), z) = exp_div_k'(X, mult(y,z)). +expand DH_subgroup_with_is_neutral(G, Z, g, exp, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG). -equation g_k <> sub_zero. -equation forall x:subG, y:Z; (exp_div_k(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Z; (exp_div_k'(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Z; (exp_div_k(x,y) <> sub_zero) = (x <> sub_zero). -equation forall x:subG, y:Z; (exp_div_k'(x,y) <> sub_zero) = (x <> sub_zero). +letproba PCollKey2 = 2*Pcoll1rand(Z). +letproba PCollKey3 = 4*Pcoll1rand(Z). +letproba PCollKey4 = Pcoll1rand(Z). +expand is_neutral_DH_proba_collision(subG, Z, g_k, exp_div_k, exp_div_k', mult, is_zero_subG, PCollKey2, PCollKey3, PCollKey4). -equation forall x:subG; (pow_k(subGtoG(x)) = sub_zero) = (x = sub_zero). -equation forall x:subG; (pow_k(subGtoG(x)) <> sub_zero) = (x <> sub_zero). +} -equation forall x:subG, x':subG, y:Z; (exp_div_k(x,y) = exp_div_k(x',y)) = (x = x'). -equation forall x:subG, x':subG, y:Z; (exp_div_k'(x,y) = exp_div_k'(x',y)) = (x = x'). +(* DH_X448 models Curve448 as defined in RFC 7748. +https://tools.ietf.org/html/rfc7748 + More generally, it supports the same curves as DH_single_coord_ladder + with the additional assumptions that there is at most one private key + multiple of q or q' and that q = -1 \mod 4, so -1 is not a + square modulo q. That allows to reduce some probabilities. -(* exp_div_k(g_k, mult(x',y)) = exp_div_k'(X',y) where X' = pow_k(subGtoG(exp_div_k(g_k,x')), - we can show the next equalities using the previous ones *) -equation forall x:subG, x':Z, y:Z; (exp_div_k(x,y) = exp_div_k(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k(g_k,x')))). -equation forall x:subG, x':Z, y:Z; (exp_div_k'(x,y) = exp_div_k'(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k'(g_k,x')))). + This model is justified in https://hal.inria.fr/hal-02100345 +*) -collision y <-R Z; z <-R Z; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(X, y) = exp_div_k(X, z)) <=(Pcoll1rand(Z))=> return((X = sub_zero) || (y = z)). -collision y <-R Z; z <-R Z; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(X, y) = exp_div_k'(X, z)) <=(Pcoll1rand(Z))=> return((X = sub_zero) || (y = z)). +def DH_X448(G, Z, g, exp, mult, subG, Znw, ZnwtoZ, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG) { -collision x <-R Z; forall X: subG, Y: subG; - return(exp_div_k(X, x) = Y) <=(2*Pcoll1rand(Z))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. -collision x <-R Z; forall X: subG, Y: subG; - return(exp_div_k'(X, x) = Y) <=(2*Pcoll1rand(Z))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. +expand DH_subgroup_with_is_neutral(G, Znw, g, expnw, mult, subG, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, is_zero_G, is_zero_subG). +letproba Pweak_key = Pcoll1rand(Z). +expand DH_exclude_weak_keys(G, Z, Znw, ZnwtoZ, exp, expnw, Pweak_key). -collision x <-R Z; forall y: Z, X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Z))=> return(false) if y independent-of x && X independent-of x. +letproba PCollKey2 = 2*Pcoll1rand(Znw). +letproba PCollKey3 = 2*Pcoll1rand(Znw). +letproba PCollKey4 = Pcoll1rand(Znw). +expand is_neutral_DH_proba_collision(subG, Znw, g_k, exp_div_k, exp_div_k', mult, is_zero_subG, PCollKey2, PCollKey3, PCollKey4). -collision x <-R Z; forall y: Z, X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Z))=> return(false) if y independent-of x && X independent-of x. +} -(* The next collision is a consequence of the previous one *) -collision x <-R Z; y <-R Z; forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Z))=> return(false) if X independent-of x || X independent-of y. +(* Computational Diffie-Hellman -collision x <-R Z; y <-R Z; forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Z))=> return(false) if X independent-of x || X independent-of y. + pCDH(t): the probability of breaking the CDH assumption in time t + Other arguments as in DH_basic. + All arguments must be declared before this macro. +*) +def CDH(G, Z, g, exp, exp', mult, pCDH) { -collision x <-R Z; y <-R Z; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(4*Pcoll1rand(Z))=> return(false) if X independent-of x || X independent-of y. +(* the CDH assumption *) -collision x <-R Z; y <-R Z; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(4*Pcoll1rand(Z))=> return(false) if X independent-of x || X independent-of y. - -(* The next collision is a consequence of the previous one, - as in DH_good_group *) -collision x1 <-R Z; y1 <-R Z; x2 <-R Z; y2 <-R Z; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x1,y1)) = exp_div_k(g_k,mult(x2,y2))) <=(4*Pcoll1rand(Z))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - -collision x1 <-R Z; y1 <-R Z; x2 <-R Z; y2 <-R Z; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x1,y1)) = exp_div_k'(g_k,mult(x2,y2))) <=(4*Pcoll1rand(Z))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - - -collision x <-R Z; y <-R Z; y' <-R Z; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x,y)) = exp_div_k(g_k,mult(x,y'))) <=(Pcoll1rand(Z))=> return(y = y'). - -collision x <-R Z; y <-R Z; y' <-R Z; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x,y)) = exp_div_k'(g_k,mult(x,y'))) <=(Pcoll1rand(Z))=> return(y = y'). - - -} - -(* DH_X448 models Curve448 as defined in RFC 7748. -https://tools.ietf.org/html/rfc7748 - More generally, it supports the same curves as DH_single_coord_ladder - with the additional assumptions that there is at most one secret key - multiple of q or q' and that q = -1 \mod 4, so -1 is not a - square modulo q. That allows to reduce some probabilities. - - This model is justified in https://hal.inria.fr/hal-02100345 -*) - -def DH_X448(G, Z, g, exp, mult, subG, Znw, ZnwtoZ, g_k, exp_div_k, exp_div_k', pow_k, subGtoG, zero, sub_zero) { - -fun mult(Znw,Znw): Znw. -equation builtin commut(mult). - -fun pow_k(G):subG. -fun subGtoG(subG): G [data]. - -equation forall x:subG, x':subG; - (pow_k(subGtoG(x)) = pow_k(subGtoG(x'))) = (x = x'). - -const zero:G. -const sub_zero:subG. -equation zero = subGtoG(sub_zero). - -const g: G. -const g_k:subG. -equation pow_k(g) = g_k. - -fun ZnwtoZ(Znw): Z [data]. - -param N. - -equiv(exclude_weak_keys(Z)) -foreach i<=N do x <-R Z; O() := return(x) -<=(N*Pcoll1rand(Z))=> -foreach i<=N do x <-R Znw; O() := return(ZnwtoZ(x)). - -fun exp(G, Z): G. -fun exp_div_k(subG,Znw): subG. -fun exp_div_k'(subG,Znw): subG. - -(* X^y = (X^k)^(y/k) *) -equation forall X:G, y:Znw; - exp(X,ZnwtoZ(y)) = subGtoG(exp_div_k(pow_k(X),y)). - -(* ((X^(y/k))^k)^(z/k) = X^(y.z/k) - Used when expanding exp(exp(g,y),z). *) -equation forall X:subG, y:Znw, z:Znw; - exp_div_k(pow_k(subGtoG(exp_div_k(X,y))), z) = exp_div_k(X, mult(y,z)). -equation forall X:subG, y:Znw, z:Znw; - exp_div_k'(pow_k(subGtoG(exp_div_k'(X,y))), z) = exp_div_k'(X, mult(y,z)). - -equation g_k <> sub_zero. -equation forall x:subG, y:Znw; (exp_div_k(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Znw; (exp_div_k'(x,y) = sub_zero) = (x = sub_zero). -equation forall x:subG, y:Znw; (exp_div_k(x,y) <> sub_zero) = (x <> sub_zero). -equation forall x:subG, y:Znw; (exp_div_k'(x,y) <> sub_zero) = (x <> sub_zero). - -equation forall x:subG; (pow_k(subGtoG(x)) = sub_zero) = (x = sub_zero). -equation forall x:subG; (pow_k(subGtoG(x)) <> sub_zero) = (x <> sub_zero). - -equation forall x:subG, x':subG, y:Znw; (exp_div_k(x,y) = exp_div_k(x',y)) = (x = x'). -equation forall x:subG, x':subG, y:Znw; (exp_div_k'(x,y) = exp_div_k'(x',y)) = (x = x'). - -(* exp_div_k(g_k, mult(x',y)) = exp_div_k'(X',y) where X' = pow_k(subGtoG(exp_div_k(g_k,x')), - we can show the next equalities using the previous ones *) -equation forall x:subG, x':Znw, y:Znw; (exp_div_k(x,y) = exp_div_k(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k(g_k,x')))). -equation forall x:subG, x':Znw, y:Znw; (exp_div_k'(x,y) = exp_div_k'(g_k, mult(x',y))) = (x = pow_k(subGtoG(exp_div_k'(g_k,x')))). - -collision y <-R Znw; z <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(X, y) = exp_div_k(X, z)) <=(Pcoll1rand(Znw))=> return((X = sub_zero) || (y = z)). -collision y <-R Znw; z <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(X, y) = exp_div_k'(X, z)) <=(Pcoll1rand(Znw))=> return((X = sub_zero) || (y = z)). - -collision x <-R Znw; forall X: subG, Y: subG; - return(exp_div_k(X, x) = Y) <=(2*Pcoll1rand(Znw))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. -collision x <-R Znw; forall X: subG, Y: subG; - return(exp_div_k'(X, x) = Y) <=(2*Pcoll1rand(Znw))=> return((X = sub_zero) && (Y = sub_zero)) - if X independent-of x && Y independent-of x. - - -collision x <-R Znw; forall y: Znw, X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if y independent-of x && X independent-of x. - -collision x <-R Znw; forall y: Znw, X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if y independent-of x && X independent-of x. - -(* The next collision is a consequence of the previous one *) -collision x <-R Znw; y <-R Znw; forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -collision x <-R Znw; y <-R Znw; forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - - - -collision x <-R Znw; y <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -collision x <-R Znw; y <-R Znw; [random_choices_may_be_equal] forall X: subG; - return(exp_div_k'(g_k,mult(x,y)) = X) <=(2*Pcoll1rand(Znw))=> return(false) if X independent-of x || X independent-of y. - -(* The next collision is a consequence of the previous one, - as in DH_good_group *) -collision x1 <-R Znw; y1 <-R Znw; x2 <-R Znw; y2 <-R Znw; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x1,y1)) = exp_div_k(g_k,mult(x2,y2))) <=(2*Pcoll1rand(Znw))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - -collision x1 <-R Znw; y1 <-R Znw; x2 <-R Znw; y2 <-R Znw; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x1,y1)) = exp_div_k'(g_k,mult(x2,y2))) <=(2*Pcoll1rand(Znw))=> return(false) - if (x1 independent-of x2 || y1 independent-of y2) && - (x1 independent-of y2 || y1 independent-of x2). - - -collision x <-R Znw; y <-R Znw; y' <-R Znw; [random_choices_may_be_equal] - return(exp_div_k(g_k,mult(x,y)) = exp_div_k(g_k,mult(x,y'))) <=(Pcoll1rand(Znw))=> return(y = y'). - -collision x <-R Znw; y <-R Znw; y' <-R Znw; [random_choices_may_be_equal] - return(exp_div_k'(g_k,mult(x,y)) = exp_div_k'(g_k,mult(x,y'))) <=(Pcoll1rand(Znw))=> return(y = y'). - - -} - -(* Computational Diffie-Hellman - - pCDH(t): the probability of breaking the CDH assumption in time t - Other arguments as in DH_basic. - - All arguments must be declared before this macro. -*) - -def CDH(G, Z, g, exp, exp', mult, pCDH) { - -(* the CDH assumption *) - -param na, naDDH, nb, nbDDH, naDH9, nbDH9. +param na, naDDH, nb, nbDDH, naDH9, nbDH9. equiv(cdh(exp)) foreach ia <= na do a <-R Z; ( @@ -3512,8 +3489,8 @@ equiv(cdh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). @@ -3540,7 +3517,7 @@ equiv(cdh(exp)) foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=((#ODDHa + #ODDHb) * max(1, 4*#Oa) * max(1, 4*#Ob) * pCDH(time + (na + nb + #ODDHa + #ODDHb + 1 + #ODHa9 + #ODHb9) * time(exp)) + (na + nb) * pDistRerandom)=> [computational] +<=((#ODDHa + #ODDHb) * (3*#Oa+1) * (3*#Ob+1) * pCDH(time + (na + nb + (optim-if #Oa = 0 && #Ob = 0 then 0 else #ODDHa + #ODDHb) + 1 + #ODHa9 + #ODHb9) * time(exp)) + (na + nb) * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | @@ -3579,7 +3556,7 @@ equiv(cdh(exp)) return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(2* #ODDHa * max(1, 27/4*#Oa^2) * pCDH(time + (na + #ODDHa + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] +<=(#ODDHa * (23*(#Oa+1)^2-11) / 6 * pCDH(time + (na + (optim-if #Oa = 0 then 0 else #ODDHa) + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | @@ -3719,8 +3696,8 @@ equiv(ddh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 Other arguments as in DH_basic. All arguments must be declared before this macro. @@ -3765,13 +3742,13 @@ equiv(ddh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). It is needed because, for curve25519/448, to make - the DH decision oracle unambiguous, we generate secret keys in [(p+1)/2,p-1] - instead of the set used for generating secret keys in the curve25519/448 implementation. - (The latter set yields equivalent secret keys with small probability.) + the DH decision oracle unambiguous, we generate private keys in [(p+1)/2,p-1] + instead of the set used for generating private keys in the curve25519/448 implementation. + (The latter set yields equivalent private keys with small probability.) Other arguments as in DH_basic. All arguments must be declared before this macro. @@ -4010,8 +3987,8 @@ equiv(gdh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). @@ -4066,7 +4043,7 @@ equiv(gdh(exp)) foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=(max(1, 4*(#Oa+optim-if #ODDHa5+#ODDHb7=0 then 0 else 1)) * max(1, 4*(#Ob+optim-if #ODDHa4+#ODDHb6=0 then 0 else 1)) * +<=((3*(#Oa+optim-if #ODDHa5+#ODDHb7=0 then 0 else 1)+1) * (3*(#Ob+optim-if #ODDHa4+#ODDHb6=0 then 0 else 1)+1) * pGDH(time + (na + nb + 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa2 + #ODDHa3 + #ODDHa4 + #ODDHa5 + #ODDHa6 + #ODDHa7 + #ODDHa8 + #ODDHb + #ODDHb1 + #ODDHb2 + #ODDHb3 + #ODDHb4 + #ODDHb5 + #ODDHb6 + #ODDHb7 + #ODDHb8) @@ -4190,7 +4167,7 @@ equiv(gdh(exp)) foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(2* max(1, 27/4*(#Oa+optim-if #ODDHa5=0 then 0 else 1)^2) * +<=((23*(1+#Oa+optim-if #ODDHa5=0 then 0 else 1)^2-11) / 6 * pGDH(time + (na+1 + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( @@ -4292,8 +4269,8 @@ equiv(cdh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). @@ -4316,7 +4293,7 @@ equiv(cdh(exp)) return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(#ODDHa * max(1, 27/4*#Oa^2) * pSQCDH(time + (na + #ODDHa + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] +<=(#ODDHa * (23*(1+#Oa)^2-11) / 12 * pSQCDH(time + (na + (optim-if #Oa = 0 then 0 else #ODDHa) + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | @@ -4387,13 +4364,13 @@ equiv(ddh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). It is needed because, for curve25519/448, to make - the DH decision oracle unambiguous, we generate secret keys in [(p+1)/2,p-1] - instead of the set used for generating secret keys in the curve25519/448 implementation. - (The latter set yields equivalent secret keys with small probability.) + the DH decision oracle unambiguous, we generate private keys in [(p+1)/2,p-1] + instead of the set used for generating private keys in the curve25519/448 implementation. + (The latter set yields equivalent private keys with small probability.) Other arguments as in DH_basic. All arguments must be declared before this macro. @@ -4485,8 +4462,8 @@ equiv(gdh(exp)) pDistRerandom: the probability that rerandomization can be distinguished from the original distribution It is 0 when exponents are chosen uniformly in (Z/qZ)^*. - 2^-125 for curve25519 - 2^-220 for curve448 + 2^-126 for curve25519 + 2^-221 for curve448 (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization for curve25519 and curve448). @@ -4520,7 +4497,7 @@ equiv(gdh(exp)) foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(max(1, 27/4*(#Oa+optim-if #ODDHa5=0 then 0 else 1)^2) * +<=((23*(1+#Oa+optim-if #ODDHa5=0 then 0 else 1)^2-11) / 12 * pSQGDH(time + (na+1 + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( @@ -4704,6 +4681,13 @@ equiv(prf_odh(prf)) (* PRF-ODH2 is a consequence of GDH and ROM. It corresponds to mmPRF-ODH in https://eprint.iacr.org/2017/517, but again with several challenge queries using the same or different DH pairs and argument of the PRF. +This assumption requires that it is possible to test +efficiently whether exp(Y,a) = exp(g, ab) knowing just Y and +B = exp(g,b) (so the result does not depend on a). This is possible +for prime-order groups as well as Curve25519 and Curve448 when +the weak private key is excluded. When this is true, +we say that the keys Y and B are equivalent. + G, Z, g, exp, exp', mult are as in DH_basic. prf(G, prf_in): prf_out: pseudo-random function that takes as argument a group element (in G) and an element in prf_in, and produces a result in @@ -4714,11 +4698,14 @@ equiv(prf_odh(prf)) in time t with n queries to the PRF (prf(g^ab, m)) and n' queries to prf(X^a, m) or prf(X^b, m). + PCollKey1: probability that two randomly generated public keys + exp(g,a) and exp(g,b) are equivalent. + The function prf is defined by this macro. It must not be declared elsewhere, and it can be used only after expanding the macro. All other arguments must be declared before this macro. *) -def PRF_ODH2(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH) { +def PRF_ODH2(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH, PCollKey1) { fun prf(G, prf_in): prf_out. @@ -4726,7 +4713,7 @@ fun prf(G, prf_in): prf_out. event ev_abort. -param na, na1, na2, nb, nb1, nb2, naDH9, nbDH9. +param na, na1, na2, na3, nb, nb1, nb2, nb3, naDH9, nbDH9. table prf_dh_val(na, nb, prf_in, prf_out). @@ -4734,8 +4721,9 @@ equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | Oa() [10] := return(a) | - foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := return(prf(exp(ma1, a), xa1)) | + foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) [useful_change] := return(prf(exp(ma1, a), xa1)) | foreach ia2 <= na2 do Oa2(jb <= nb, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(b[jb], a)), xa2)) | + foreach ia3 <= na3 do Oa3(ja <= na, xa3: prf_in) := return(prf(exp(g, mult(a[ja], a)), xa3)) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( @@ -4743,14 +4731,16 @@ equiv(prf_odh(prf)) Ob() [10] := return(b) | foreach ib1 <= nb1 do Ob1(mb1:G, xb1:prf_in) := return(prf(exp(mb1, b), xb1)) | foreach ib2 <= nb2 do Ob2(ja <= na, xb2: prf_in) := return(prf(exp(g, mult(a[ja], b)), xb2)) | + foreach ib3 <= nb3 do Ob3(jb <= nb, xb3: prf_in) := return(prf(exp(g, mult(b[jb], b)), xb3)) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) <=(na * nb * pPRF_ODH(time + - (na + nb + #Oa1 + #Ob1 + #Oa2 + #Ob2 - 3 + #ODHa9 + #ODHb9)*time(exp)+ - (#Oa1 + #Ob1 + #Oa2 + #Ob2 - 1)* + (na + nb + #Oa1 + #Ob1 + #Oa2 + #Ob2 + #Oa3 + #Ob3 - 3 + #ODHa9 + #ODHb9)*time(exp)+ + (#Oa1 + #Ob1 + #Oa2 + #Ob2 + #Oa3 + #Ob3 - 1)* time(prf, max(maxlength(xa1), maxlength(xb1), maxlength(xa2), maxlength(xb2))), - na1 + nb1 + na2 + nb2, - na1 + nb1))=> + na1 + nb1 + na2 + nb2 + na3 + nb3, + na1 + nb1 + na3 + nb3) + + optim-if na3+nb3 = 0 then 0 else na * nb * PCollKey1)=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := @@ -4758,7 +4748,7 @@ equiv(prf_odh(prf)) get prf_dh_val(=ia, jb, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := - find j' <= nb suchthat defined(b[j']) && ma1 = exp'(g, b[j']) then + find j' <= nb suchthat defined(b[j']) && exp'(ma1,a) = exp'(g, mult(a,b[j'])) then ( (* In this case, that's the same as Oa2 *) if defined(kb[j']) then (* b[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else @@ -4779,6 +4769,9 @@ equiv(prf_odh(prf)) ca2 <-R prf_out; insert prf_dh_val(ia, jb, xa2, ca2); return(ca2) | + foreach ia3 <= na3 do Oa3(ja <= na, xa3: prf_in) := return(prf(exp'(g, mult(a[ja], a)), xa3)) | + (* Oa3 can be considered as prf(exp(OA[ja], a), xa3) and there is a negligible probability + of collision between exp(OA[ja], a) and exp(g, mult(b[.], a)) *) foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( @@ -4788,7 +4781,7 @@ equiv(prf_odh(prf)) get prf_dh_val(ja, =ib, x, c) in event_abort ev_abort else let kb:bool = true in return(b) | foreach ib1 <= nb1 do Ob1(mb1:G, xb1:prf_in) := - find j' <= na suchthat defined(a[j']) && mb1 = exp'(g, a[j']) then + find j' <= na suchthat defined(a[j']) && exp'(mb1,b) = exp'(g, mult(a[j'],b)) then ( (* In this case, that's the same as Oa2 *) if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(mb1, b), xb1)) else @@ -4809,6 +4802,7 @@ equiv(prf_odh(prf)) cb2 <-R prf_out; insert prf_dh_val(ja, ib, xb2, cb2); return(cb2) | + foreach ib3 <= nb3 do Ob3(jb <= nb, xb3: prf_in) := return(prf(exp'(g, mult(b[jb], b)), xb3)) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). @@ -4817,7 +4811,7 @@ equiv(prf_odh(prf)) (* Same as PRF_ODH2, but with a single family of exponents instead of two. More powerful, but may lead to a higher probability. *) -def PRF_ODH2_single(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH) { +def PRF_ODH2_single(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH, PCollKey1) { fun prf(G, prf_in): prf_out. @@ -4833,12 +4827,13 @@ equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | Oa() [10] := return(a) | - foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := return(prf(exp(ma1, a), xa1)) | + foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) [useful_change] := return(prf(exp(ma1, a), xa1)) | foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) <=(na*(na-1)/2 * pPRF_ODH(time + (na + #Oa1 + #Oa2 - 3 + #ODHa9)*time(exp) + - (#Oa1 + #Oa2 - 1) * time(prf, max(maxlength(xa1), maxlength(xa2))), 2*na2, 2*na1))=> + (#Oa1 + #Oa2 - 1) * time(prf, max(maxlength(xa1), maxlength(xa2))), 2*na2, 2*na1) + + na*(na-1)/2 * PCollKey1)=> (* proba that g^{a_i a_i} = g^{a_i a_j}, that is, g^a_i is equivalent to g^{a_j}, needed to support the square *) foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := @@ -4847,7 +4842,7 @@ equiv(prf_odh(prf)) get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := - find j' <= na suchthat defined(a[j']) && ma1 = exp'(g, a[j']) then + find j' <= na suchthat defined(a[j']) && exp'(ma1,a) = exp'(g, mult(a[j'],a)) then ( (* In this case, that's the same as Oa2 *) if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else @@ -4942,6 +4937,12 @@ equiv(prf_odh(prf)) (* square PRF-ODH2 and PRF-ODH2 This is a "square" variant of PRF_ODH2. +This assumption requires that it is possible to test +efficiently whether exp(Y,a) = exp(g, ab) knowing just Y and +B = exp(g,b) (so the result does not depend on a). This is possible +for prime-order groups as well as Curve25519 and Curve448 when +the weak private key is excluded. + G, Z, g, exp, exp', mult are as in DH_basic. prf(G, prf_in): prf_out: pseudo-random function that takes as argument a group element (in G) and an element in prf_in, and produces a result in @@ -4975,7 +4976,7 @@ equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | Oa() [10] := return(a) | - foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := return(prf(exp(ma1, a), xa1)) | + foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) [useful_change] := return(prf(exp(ma1, a), xa1)) | foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) @@ -4991,7 +4992,7 @@ equiv(prf_odh(prf)) get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := - find j' <= na suchthat defined(a[j']) && ma1 = exp'(g, a[j']) then + find j' <= na suchthat defined(a[j']) && exp'(ma1,a) = exp'(g, mult(a[j'],a)) then ( (* In this case, that's the same as Oa2 *) if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else @@ -5026,13 +5027,13 @@ equiv(prf_odh(prf)) (* One-way trapdoor permutation seed: type of random seeds to generate keys, must be "bounded", typically "fixed" pkey: type of public keys, must be "bounded" - skey: type of secret keys, must be "bounded" + skey: type of private keys, must be "bounded" D: type of the input and output of the permutation, must be "bounded", typically "fixed" pkgen: public-key generation function - skgen: secret-key generation function + skgen: private-key generation function f: the permutation (taking as argument the public key) - invf: the inverse permutation of f (taking as argument the secret key, + invf: the inverse permutation of f (taking as argument the private key, i.e. the trapdoor) pkgen', f': symbols that replace pkgen and f respectively after game transformation @@ -5184,7 +5185,7 @@ equiv(ow_rsr(f)) (Oy() := return(f(pkgen(r), x)) | foreach i1 <= n1 do Oeq (x' : D) := return(x' = x) | Ox() := return(x))) -<=(max(nK, 4 * #Ox) * POW(time + (nK-1) * time(pkgen) + (#Oy-1) * time(f)))=> [computational] +<=(nK * ((3 * #(Ox foreach r) + 1) * POW(time + (nK-1) * time(pkgen) + (#Oy+#(Oeq foreach r)) * time(f))))=> [computational] foreach iK <= nK do r <-R seed [unchanged]; ( Opk() := return(pkgen'(r)) | foreach iF <= nF do x <-R D [unchanged]; @@ -5204,7 +5205,7 @@ expand OW_trapdoor_perm_RSR_all_args(seed, pkey, skey, D, pkgen, pkgen', skgen, (* Set partial-domain one-way trapdoor permutation seed: type of random seeds to generate keys, must be "bounded", typically "fixed" pkey: type of public keys, must be "bounded" - skey: type of secret keys, must be "bounded" + skey: type of private keys, must be "bounded" D: type of the input and output of the permutation, must be "bounded", typically "fixed" The domain D consists of the concatenation of bitstrings in Dow and Dr. Dow is the set of sub-bitstrings of D on which one-wayness holds (it is difficult to compute the @@ -5212,9 +5213,9 @@ expand OW_trapdoor_perm_RSR_all_args(seed, pkey, skey, D, pkgen, pkgen', skgen, Dow and Dr must be "bounded", typically "fixed". pkgen: public-key generation function - skgen: secret-key generation function + skgen: private-key generation function f: the permutation (taking as argument the public key) - invf: the inverse permutation of f (taking as argument the secret key, + invf: the inverse permutation of f (taking as argument the private key, i.e. the trapdoor) concat(Dow, Dr):D is bitstring concatenation pkgen', f': symbols that replace pkgen and f respectively after game transformation @@ -5375,3196 +5376,3208 @@ AEAD def Auth_Enc_from_Enc_then_MAC(emkey, cleartext, ciphertext, enc, dec, injbot, Z, Penc, Pmac) { -type mkey [fixed,large]. (* Mac key *) -type ekey [fixed,large]. (* Encryption key *) +type mkey [fixed,large]. (* Mac key *) +type ekey [fixed,large]. (* Encryption key *) + +(* Extraction of encryption and MAC keys from the pair *) + +fun get_ekey(emkey):ekey. +fun get_mkey(emkey):mkey. + +param Nk. + +equiv(emkey) + foreach ik <= Nk do r <-R emkey; (O1():= return(get_ekey(r))| O2():= return(get_mkey(r))) +<=(0)=> + foreach ik <= Nk do (O1():= k1 <-R ekey; return(k1) | O2():= k2 <-R mkey; return(k2)). + +(* IND-CPA encryption *) + +type ciphertext_internal. + +expand IND_CPA_sym_enc(ekey, cleartext, ciphertext_internal, enc_internal, dec_internal, injbot, Z, Penc). + +(* MAC *) + +type macres [fixed]. +expand SUF_CMA_det_mac(mkey, ciphertext_internal, macres, mac, check, Pmac). + +(* Concatenation of MAC *) + +fun concat_MAC(ciphertext_internal, macres): ciphertext [data]. + +letfun enc(c: cleartext, k: emkey) = + let kENC = get_ekey(k) in + let kMAC = get_mkey(k) in + let e = enc_internal(c, kENC) in + let m = mac(e, kMAC) in + concat_MAC(e, m). + +letfun dec(e_MAC: ciphertext, k: emkey) = + let kENC = get_ekey(k) in + let kMAC = get_mkey(k) in + let concat_MAC(e, m) = e_MAC in + ( + if check(e, kMAC, m) then + dec_internal(e, kENC) + else + bottom + ) + else + bottom. + +} + +(* Authenticated encryption, built from AEAD, by choosing the additional data nil. + key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". + cleartext: type of cleartexts + ciphertext: type of ciphertexts + + enc: encryption function + dec: decryption function + injbot: natural injection from cleartext to bitstringbot + Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + + Penc(t, N, l): probability of breaking the IND-CPA property of the + underlying encryption scheme in time t for one key and N encryption + queries with cleartexts of length at most l. + Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the + INT-CTXT property of the underlying encryption scheme in time t for + one key, N encryption queries, N' decryption queries with + cleartexts of length at most l and ciphertexts of length at most + l', additional data for encryption of length at most ld, and + additional data for decryption of length at most ld'. + + The types key, cleartext, ciphertext, and the + probabilities Penc, Pencctxt must be declared before this macro is + expanded. The functions enc, dec, injbot, and Z are declared + by this macro. They must not be declared elsewhere, and they can be + used only after expanding the macro. +*) + +def AuthEnc_from_AEAD(key, cleartext, ciphertext, enc, dec, injbot, Z, Penc, Pencctxt) { + +type add_data. +const nil: add_data. + +expand AEAD(key, cleartext, ciphertext, add_data, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + +letfun enc(c: cleartext, k: key) = + enc_internal(c, nil, k). + +letfun dec(e: ciphertext, k: key) = + dec_internal(e, nil, k). + +} + +(* Authenticated encryption, built from AEAD_nonce by choosing the nonce randomly, and choosing the additional data nil. + key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". + cleartext: type of cleartexts + ciphertext: type of ciphertexts + + enc: encryption function + dec: decryption function + injbot: natural injection from cleartext to bitstringbot + Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + + Penc(t, N, l): probability of breaking the IND-CPA property of the + underlying encryption scheme in time t for one key and N encryption + queries with cleartexts of length at most l. + Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the + INT-CTXT property of the underlying encryption scheme in time t for + one key, N encryption queries, N' decryption queries with + cleartexts of length at most l and ciphertexts of length at most + l', additional data for encryption of length at most ld, and + additional data for decryption of length at most ld'. + + The types key, cleartext, ciphertext, and the + probabilities Penc, Pencctxt must be declared before this macro is + expanded. The functions enc, dec, injbot, and Z are declared + by this macro. They must not be declared elsewhere, and they can be + used only after expanding the macro. +*) + +def AuthEnc_from_AEAD_nonce(key, cleartext, ciphertext, enc, dec, injbot, Z, Penc, Pencctxt) { + +type nonce [large,fixed]. +type ciphertext_internal. + +type add_data. +const nil: add_data. + +expand AEAD_nonce(key, cleartext, ciphertext_internal, add_data, nonce, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + +fun concat_nonce(nonce, ciphertext_internal): ciphertext [data]. + +letfun enc(c: cleartext, k: key) = + new n: nonce; + let e = enc_internal(c, nil, k, n) in + concat_nonce(n, e). + +letfun dec(e_nonce: ciphertext, k: key) = + let concat_nonce(n, e) = e_nonce in + dec_internal(e, nil, k, n) + else + bottom. + +} + +(* Authenticated encryption with additional data, built from encrypt-then-MAC. + emkey: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". + cleartext: type of cleartexts + ciphertext: type of ciphertexts + add_data: type of additional data + + enc: encryption function + dec: decryption function + injbot: natural injection from cleartext to bitstringbot + Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + + Penc(t, N, l): probability of breaking the IND-CPA property of the + underlying encryption scheme in time t for one key and N encryption + queries with cleartexts of length at most l. + Pmac(t, N, N', Nu', l): probability of breaking the SUF-CMA + property of the underlying MAC scheme in time t for one key, N MAC + queries, N' modified verification queries and Nu' unchanged + verification queries for messages of length at most l. + + The types emkey, cleartext, ciphertext, add_data, and the + probabilities Penc, Pmac must be declared before this macro is + expanded. The functions enc, dec, injbot, and Z are declared + by this macro. They must not be declared elsewhere, and they can be + used only after expanding the macro. +*) + +def AEAD_from_Enc_then_MAC(emkey, cleartext, ciphertext, add_data, enc, dec, injbot, Z, Penc, Pmac) { + +type mkey [fixed,large]. (* Mac key *) +type ekey [fixed,large]. (* Encryption key *) + +(* Extraction of encryption and MAC keys from the pair *) + +fun get_ekey(emkey):ekey. +fun get_mkey(emkey):mkey. + +param Nk. + +equiv(emkey) + foreach ik <= Nk do r <-R emkey; (O1():= return(get_ekey(r))| O2():= return(get_mkey(r))) +<=(0)=> + foreach ik <= Nk do (O1():= k1 <-R ekey; return(k1) | O2():= k2 <-R mkey; return(k2)). + +(* IND-CPA encryption *) + +type ciphertext_internal. + +expand IND_CPA_sym_enc(ekey, cleartext, ciphertext_internal, enc_internal, dec_internal, injbot, Z, Penc). + +(* MAC *) + +type macres [fixed]. +expand SUF_CMA_det_mac(mkey, bitstring, macres, mac, check, Pmac). + +(* Concatenation of associated data *) + +fun concat_data(ciphertext_internal, add_data): bitstring [data]. + +(* Concatenation of MAC *) + +fun concat_MAC(ciphertext_internal, macres): ciphertext [data]. + +letfun enc(c: cleartext, d: add_data, k: emkey) = + let kENC = get_ekey(k) in + let kMAC = get_mkey(k) in + let e = enc_internal(c, kENC) in + let m = mac(concat_data(e, d), kMAC) in + concat_MAC(e, m). + +letfun dec(e_MAC: ciphertext, d: add_data, k: emkey) = + let kENC = get_ekey(k) in + let kMAC = get_mkey(k) in + let concat_MAC(e, m) = e_MAC in + ( + if check(concat_data(e,d), kMAC, m) then + dec_internal(e, kENC) + else + bottom + ) + else + bottom. + +} + + +(* Authenticated encryption with additional data, built from AEAD_nonce by choosing the nonce randomly. + key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". + cleartext: type of cleartexts + ciphertext: type of ciphertexts + add_data: type of additional data + + enc: encryption function + dec: decryption function + injbot: natural injection from cleartext to bitstringbot + Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + + Penc(t, N, l): probability of breaking the IND-CPA property of the + underlying encryption scheme in time t for one key and N encryption + queries with cleartexts of length at most l. + Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the + INT-CTXT property of the underlying encryption scheme in time t for + one key, N encryption queries, N' decryption queries with + cleartexts of length at most l and ciphertexts of length at most + l', additional data for encryption of length at most ld, and + additional data for decryption of length at most ld'. + + The types key, cleartext, ciphertext, add_data, and the + probabilities Penc, Pencctxt must be declared before this macro is + expanded. The functions enc, dec, injbot, and Z are declared + by this macro. They must not be declared elsewhere, and they can be + used only after expanding the macro. +*) + +def AEAD_from_AEAD_nonce(key, cleartext, ciphertext, add_data, enc, dec, injbot, Z, Penc, Pencctxt) { + +type nonce [large,fixed]. +type ciphertext_internal. + +expand AEAD_nonce(key, cleartext, ciphertext_internal, add_data, nonce, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + +fun concat_nonce(nonce, ciphertext_internal): ciphertext [data]. + +letfun enc(c: cleartext, d: add_data, k: key) = + new n: nonce; + let e = enc_internal(c, d, k, n) in + concat_nonce(n, e). + +letfun dec(e_nonce: ciphertext, d: add_data, k: key) = + let concat_nonce(n, e) = e_nonce in + dec_internal(e, d, k, n) + else + bottom. + +} +(******************************* Hash functions (ROM) ****************************) + +(* Hash function in the random oracle model + key: type of the key of the hash function, which models the choice of the hash function, must be "bounded", typically "fixed" + input%: type of the %-th input of the hash function + output: type of the output of the hash function, must be "bounded" or "nonuniform" (typically "fixed"). + + f: the hash function. + WARNING: f is a keyed hash function. + The key must be generated once and for all at the beginning of the game + and the hash oracle must be made available to the adversary, + by including the process f_oracle(k) where k is the key. + qH is the number of calls to f_oracle. + + The types key, input%, and output must be declared before + this macro. The function f, the process f_oracle, and + the parameter qH are defined by this macro. They must not + be declared elsewhere, and they can be used only after expanding the + macro. + + *) + +def ROM_hash_1(key, input1, output, f, f_oracle, qH) { + +fun f(key, input1):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def ROM_hash_2(key, input1, input2, output, f, f_oracle, qH) { + +fun f(key, input1, input2):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def ROM_hash_3(key, input1, input2, input3, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def ROM_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def ROM_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def ROM_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def ROM_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def ROM_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def ROM_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def ROM_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def ROM_hash(key, input, output, f, f_oracle, qH) { +expand ROM_hash_1(key, input, output, f, f_oracle, qH). +} + +(* ROM with large output. + The only difference with ROM is that we eliminate collisions on the output. + The interface is the same as for ROMs. *) + +def ROM_hash_large_1(key, input1, output, f, f_oracle, qH) { + +fun f(key, input1):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def ROM_hash_large_2(key, input1, input2, output, f, f_oracle, qH) { + +fun f(key, input1, input2):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def ROM_hash_large_3(key, input1, input2, input3, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def ROM_hash_large_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def ROM_hash_large_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def ROM_hash_large_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def ROM_hash_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def ROM_hash_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def ROM_hash_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def ROM_hash_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def ROM_hash_large(key, input, output, f, f_oracle, qH) { +expand ROM_hash_large_1(key, input, output, f, f_oracle, qH). +} + +(* Collision resistant hash function + key: type of the key of the hash function, must be "bounded" or "nonuniform", typically "fixed" + input%: type of the %-th input of the hash function + output: type of the output of the hash function + + f: the hash function. + Phash: probability of breaking collision resistance. + WARNING: A collision resistant hash function is a keyed hash function. + The key must be generated once and for all at the beginning of the game, + and immediately made available to the adversary, for instance by + including the process f_oracle(k), where k is the key. + + The types key, input%, output, and the probability Phash + must be declared before this macro. The function f and the + process f_oracle are defined by this macro. They must not be + declared elsewhere, and they can be used only after expanding the + macro. + + *) + +def CollisionResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + +fun f(key, input1):output. + +collision k <-R key; forall x1:input1, y1:input1; + return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + +fun f(key, input1, input2):output. + +collision k <-R key; forall x1:input1, x2:input2, y1:input1, y2:input2; + return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3; + return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4; + return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash(key, input, output, f, f_oracle, Phash) { +expand CollisionResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +(* Hidden-key collision resistant hash function + The interface is similar to collision-resistant hash functions, except for the addition of qH. + WARNING: A hidden-key collision resistant hash function is a keyed hash function. + The key must be generated once and for all at the beginning of the game, + and the hash oracle must be made available to the adversary, + by including the process f_oracle(k) where k is the key. + qH is the number of calls to f_oracle. + Phash(t,N): probability of breaking collision resistance + for an adversary that runs in time at most t + and calls the hash oracle at most N times. *) + +def HiddenKeyCollisionResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + +fun f(key, input1):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1) := return(f(k, x1)) | + foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) [useful_change] := return(f(k, x1) = f(k, y1))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1) := return(f(k, x1)) | + foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) := return((x1 = y1))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeyCollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeyCollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeyCollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeyCollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeyCollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeyCollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeyCollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def HiddenKeyCollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeyCollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeyCollisionResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeyCollisionResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). + } + +(* Second-preimage-resistant hash function + The interface is the same as for collision-resistant hash functions. + *) + +def SecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + +fun f(key, input1):output. + +collision k <-R key; x1 <-R input1; forall y1:input1; + return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + +fun f(key, input1, input2):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; + return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; + return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; + return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash(key, input, output, f, f_oracle, Phash) { +expand SecondPreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +(* Hidden key second-preimage-resistant hash function + The interface is the same as for hidden-key collision-resistant hash functions. + *) + +def HiddenKeySecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + +fun f(key, input1):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Ox1() := return(x1) | + foreach i <= Ncoll do Ocoll(y1:input1) [useful_change] := return(f(k, x1) = f(k, y1)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; + (Ox1() := return(x1) | + foreach i <= Ncoll do Ocoll(y1:input1) := return((x1 = y1)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeySecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Ox1() := return(x1) | Ox2() := return(x2) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeySecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeySecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeySecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeySecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeySecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeySecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def HiddenKeySecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeySecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged]; x10 <-R input10 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeySecondPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeySecondPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). + } + +(* Fixed-hash second-preimage-resistant hash function + input%: type of the %-th input of the hash function + output: type of the output of the hash function + + f(input...):output : the hash function. (It is not keyed.) + Phash: probability of breaking second-preimage resistance. + + The types input%, output, and the probability Phash + must be declared before this macro. The function f + is defined by this macro. It must not be + declared elsewhere, and it can be used only after expanding the + macro. + *) + +def FixedSecondPreimageResistant_hash_1(input1, output, f, Phash) { + +fun f(input1):output. + +collision x1 <-R input1; forall y1:input1; + return(f(x1) = f(y1)) <=(Phash(time))=> return((x1 = y1)). + +} + +def FixedSecondPreimageResistant_hash_2(input1, input2, output, f, Phash) { + +fun f(input1, input2):output. + +collision x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; + return(f(x1, x2) = f(y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +} + +def FixedSecondPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { + +fun f(input1, input2, input3):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; + return(f(x1, x2, x3) = f(y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +} + +def FixedSecondPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { + +fun f(input1, input2, input3, input4):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; + return(f(x1, x2, x3, x4) = f(y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +} + +def FixedSecondPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(x1, x2, x3, x4, x5) = f(y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +} + +def FixedSecondPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(x1, x2, x3, x4, x5, x6) = f(y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). + +} + +def FixedSecondPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(x1, x2, x3, x4, x5, x6, x7) = f(y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +} + +def FixedSecondPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(x1, x2, x3, x4, x5, x6, x7, x8) = f(y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +} + +def FixedSecondPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). + +} + +def FixedSecondPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +} + +def FixedSecondPreimageResistant_hash(input, output, f, Phash) { +expand FixedSecondPreimageResistant_hash_1(input, output, f, Phash). +} + +(* preimage-resistant hash function + The interface is the same as for collision-resistant hash functions. + *) + +def PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash) { + +fun f(key, input1):output. + +fun f'(key, input1):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f'(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2):output. + +fun f'(key, input1, input2):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f'(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +fun f'(key, input1, input2, input3):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f'(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +fun f'(key, input1, input2, input3, input4):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f'(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +fun f'(key, input1, input2, input3, input4, input5):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +fun f'(key, input1, input2, input3, input4, input5, input6):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash(key, input, output, f, f_oracle, Phash) { +expand PreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +def PreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, Phash) { +expand PreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, Phash). +} + +(* Hidden key preimage-resistant hash function + The interface is the same as for hidden-key collision-resistant hash functions. + *) + +def HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1):output. + +fun f'(key, input1):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f'(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeyPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +fun f'(key, input1, input2):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f'(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeyPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +fun f'(key, input1, input2, input3):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f'(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeyPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +fun f'(key, input1, input2, input3, input4):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f'(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeyPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +fun f'(key, input1, input2, input3, input4, input5):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeyPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +fun f'(key, input1, input2, input3, input4, input5, input6):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeyPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeyPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def HiddenKeyPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeyPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeyPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeyPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, qH, Phash) { +expand HiddenKeyPreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, qH, Phash). +} + +(* Fixed-hash preimage-resistant hash function + The interface is the same as for fixed-hash second-preimage-resistant hash functions. + *) + +def FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash) { + +fun f(input1):output. + +fun f'(input1):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; (Oim() := return(f(x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1)) + <=(Phash(time))=> + x1 <-R input1; (Oim() := return(f'(x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1)). + +} + +def FixedPreimageResistant_hash_1(input1, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash) { + +fun f(input1, input2):output. + +fun f'(input1, input2):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; (Oim() := return(f(x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; (Oim() := return(f'(x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2)). + +} + +def FixedPreimageResistant_hash_2(input1, input2, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash) { + +fun f(input1, input2, input3):output. + +fun f'(input1, input2, input3):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f(x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f'(x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3)). + +} + +def FixedPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash) { + +fun f(input1, input2, input3, input4):output. + +fun f'(input1, input2, input3, input4):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f(x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f'(x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4)). + +} + +def FixedPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5):output. + +fun f'(input1, input2, input3, input4, input5):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f(x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f'(x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5)). + +} + +def FixedPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6):output. + +fun f'(input1, input2, input3, input4, input5, input6):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f(x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f'(x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6)). + +} + +def FixedPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7)). + +} + +def FixedPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8)). + +} + +def FixedPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9)). + +} + +def FixedPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10)). + +} + +def FixedPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash). +} + +def FixedPreimageResistant_hash(input, output, f, Phash) { +expand FixedPreimageResistant_hash_1(input, output, f, Phash). +} + +def FixedPreimageResistant_hash_all_args(input, output, f, f', Phash) { +expand FixedPreimageResistant_hash_all_args_1(input, output, f, f', Phash). +} + +(* Pseudo random function (PRF) + key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". + input%: type of the %-th input of the PRF. + output: type of the output of the PRF, must be "bounded" or "nonuniform", typically "fixed". + + f: PRF function + + Pprf(t, N, l): probability of breaking the PRF property + in time t, for one key, N queries to the PRF of length at most l. + + The types key, input, output and the probability Pprf must + be declared before this macro is expanded. The function f + is declared by this macro. It must not be declared elsewhere, + and it can be used only after expanding the macro. + + *) + +def PRF_1(key, input1, output, f, Pprf) { + +fun f(key, input1):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_2(key, input1, input2, output, f, Pprf) { + +fun f(key, input1, input2):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_3(key, input1, input2, input3, output, f, Pprf) { + +fun f(key, input1, input2, input3):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_4(key, input1, input2, input3, input4, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF(key, input, output, f, Pprf) { +expand PRF_1(key, input, output, f, Pprf). +} + +(* Pseudo random function (PRF) with large output. + The only difference with PRF is that we eliminate collisions on the output. + The interface is the same as for PRFs. *) + +def PRF_large_1(key, input1, output, f, Pprf) { + +fun f(key, input1):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_2(key, input1, input2, output, f, Pprf) { + +fun f(key, input1, input2):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_3(key, input1, input2, input3, output, f, Pprf) { + +fun f(key, input1, input2, input3):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_4(key, input1, input2, input3, input4, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large(key, input, output, f, Pprf) { +expand PRF_large_1(key, input, output, f, Pprf). +} + +(* Ideal Cipher Model + cipherkey: type of keys that correspond to the choice of the scheme, must be "bounded" or "nonuniform", typically "fixed". + key: type of keys (typically "large") + blocksize: type of the input and output of the cipher, must be "bounded" or "nonuniform" (to be able to generate random numbers from it; typically "fixed") and "large". + (The modeling of the ideal cipher model is not perfect in that, in + order to encrypt a new message, one chooses a fresh random number, + not necessarily different from previously generated random + numbers. Then CryptoVerif needs to eliminate collisions between + those random numbers, so blocksize must really be "large".) + + enc: encryption function + dec: decryption function + WARNING: the encryption and decryption functions take 2 keys as + input: the key of type cipherkey that corresponds to the choice of + the scheme, and the normal encryption/decryption key. The cipherkey + must be chosen once and for all at the beginning of the game and + the encryption and decryption oracles must be made available to the + adversary, by including a process enc_dec_oracle(ck) where + ck is the cipherkey. + qE is the number of calls of the encryption oracle + qD is the number of calls of the decryption oracle + + The types cipherkey, key, blocksize must be declared before this + macro is expanded. The functions enc, dec, the process + enc_dec_oracle, and the parameters qE, qD are declared by this + macro. They must not be declared elsewhere, and they can be used + only after expanding the macro. + + *) -(* Extraction of encryption and MAC keys from the pair *) +def ICM_cipher(cipherkey, key, blocksize, enc, dec, enc_dec_oracle, qE, qD) { -fun get_ekey(emkey):ekey. -fun get_mkey(emkey):mkey. +fun enc(cipherkey, blocksize, key): blocksize. +fun dec(cipherkey, blocksize, key): blocksize. -param Nk. +equation forall ck:cipherkey, m:blocksize, k:key; + dec(ck, enc(ck, m, k), k) = m. +equation forall ck:cipherkey, m:blocksize, k:key; + enc(ck, dec(ck, m, k), k) = m. +equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; + (dec(ck, m1, k) = dec(ck, m2, k)) = (m1 = m2). +equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; + (enc(ck, m1, k) = enc(ck, m2, k)) = (m1 = m2). -equiv(emkey) - foreach ik <= Nk do r <-R emkey; (O1():= return(get_ekey(r))| O2():= return(get_mkey(r))) -<=(0)=> - foreach ik <= Nk do (O1():= k1 <-R ekey; return(k1) | O2():= k2 <-R mkey; return(k2)). +equiv(icm(enc)) special icm(("key", "msg", "local_key"), enc, dec, + (ck, k, me, md, u), ("large")). -(* IND-CPA encryption *) +equiv(icm_partial(enc)) special icm_partial(("key", "msg", "local_key"), + enc, dec, (ck, k, me, md, u), ("large")) [manual]. -type ciphertext_internal. +(* The difference of probability is the probability of collision between two +random numbers in blocksize among the N+N2 chosen random numbers. *) -expand IND_CPA_sym_enc(ekey, cleartext, ciphertext_internal, enc_internal, dec_internal, injbot, Z, Penc). + param qE, qD [noninteractive]. -(* MAC *) +let enc_dec_oracle(ck: cipherkey) = + (foreach iE <= qE do Oenc(x:blocksize, ke:key) := return(enc(ck,x,ke))) + | (foreach iD <= qD do Odec(m:blocksize, kd:key) := return(dec(ck,m,kd))). -type macres [fixed]. -expand SUF_CMA_det_mac(mkey, ciphertext_internal, macres, mac, check, Pmac). +} -(* Concatenation of MAC *) +(* random_split_N defines functions to split a random value into N values. -fun concat_MAC(ciphertext_internal, macres): ciphertext [data]. + input_t: type of the input value + part%_t: types of the output parts + tuple_t: type of a tuple of the output parts + tuple(part1_t, ..., partN_t): tuple_t builds a tuple from N parts. + split(input_t): tuple_t splits the input into N parts and returns a tuple of these parts + Usage: let tuple(x1, ..., xN) = split(y) in ... -letfun enc(c: cleartext, k: emkey) = - let kENC = get_ekey(k) in - let kMAC = get_mkey(k) in - let e = enc_internal(c, kENC) in - let m = mac(e, kMAC) in - concat_MAC(e, m). + input_t, part%_t, and tuple_t must be defined before. + tuple and split are defined by this macro. *) -letfun dec(e_MAC: ciphertext, k: emkey) = - let kENC = get_ekey(k) in - let kMAC = get_mkey(k) in - let concat_MAC(e, m) = e_MAC in - ( - if check(e, kMAC, m) then - dec_internal(e, kENC) - else - bottom - ) - else - bottom. +def random_split_1(input_t, part1_t, tuple_t, tuple, split) { -} + fun tuple(part1_t): tuple_t [data]. -(* Authenticated encryption, built from AEAD, by choosing the additional data nil. - key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". - cleartext: type of cleartexts - ciphertext: type of ciphertexts + fun get1(input_t): part1_t. - enc: encryption function - dec: decryption function - injbot: natural injection from cleartext to bitstringbot - Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + letfun split(r: input_t) = tuple(get1(r)). - Penc(t, N, l): probability of breaking the IND-CPA property of the - underlying encryption scheme in time t for one key and N encryption - queries with cleartexts of length at most l. - Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the - INT-CTXT property of the underlying encryption scheme in time t for - one key, N encryption queries, N' decryption queries with - cleartexts of length at most l and ciphertexts of length at most - l', additional data for encryption of length at most ld, and - additional data for decryption of length at most ld'. + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r))) + <=(0)=> + part1 <-R part1_t; + (O1() := return(part1)). - The types key, cleartext, ciphertext, and the - probabilities Penc, Pencctxt must be declared before this macro is - expanded. The functions enc, dec, injbot, and Z are declared - by this macro. They must not be declared elsewhere, and they can be - used only after expanding the macro. -*) +} -def AuthEnc_from_AEAD(key, cleartext, ciphertext, enc, dec, injbot, Z, Penc, Pencctxt) { +def random_split_2(input_t, part1_t, part2_t, tuple_t, tuple, split) { -type add_data. -const nil: add_data. + fun tuple(part1_t, part2_t): tuple_t [data]. -expand AEAD(key, cleartext, ciphertext, add_data, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. -letfun enc(c: cleartext, k: key) = - enc_internal(c, nil, k). + letfun split(r: input_t) = tuple(get1(r), get2(r)). -letfun dec(e: ciphertext, k: key) = - dec_internal(e, nil, k). + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; + (O1() := return(part1) | O2() := return(part2)). } -(* Authenticated encryption, built from AEAD_nonce by choosing the nonce randomly, and choosing the additional data nil. - key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". - cleartext: type of cleartexts - ciphertext: type of ciphertexts +def random_split_3(input_t, part1_t, part2_t, part3_t, tuple_t, tuple, split) { - enc: encryption function - dec: decryption function - injbot: natural injection from cleartext to bitstringbot - Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + fun tuple(part1_t, part2_t, part3_t): tuple_t [data]. - Penc(t, N, l): probability of breaking the IND-CPA property of the - underlying encryption scheme in time t for one key and N encryption - queries with cleartexts of length at most l. - Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the - INT-CTXT property of the underlying encryption scheme in time t for - one key, N encryption queries, N' decryption queries with - cleartexts of length at most l and ciphertexts of length at most - l', additional data for encryption of length at most ld, and - additional data for decryption of length at most ld'. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. - The types key, cleartext, ciphertext, and the - probabilities Penc, Pencctxt must be declared before this macro is - expanded. The functions enc, dec, injbot, and Z are declared - by this macro. They must not be declared elsewhere, and they can be - used only after expanding the macro. -*) + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r)). -def AuthEnc_from_AEAD_nonce(key, cleartext, ciphertext, enc, dec, injbot, Z, Penc, Pencctxt) { + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3)). -type nonce [large,fixed]. -type ciphertext_internal. +} -type add_data. -const nil: add_data. +def random_split_4(input_t, part1_t, part2_t, part3_t, part4_t, tuple_t, tuple, split) { -expand AEAD_nonce(key, cleartext, ciphertext_internal, add_data, nonce, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + fun tuple(part1_t, part2_t, part3_t, part4_t): tuple_t [data]. -fun concat_nonce(nonce, ciphertext_internal): ciphertext [data]. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. -letfun enc(c: cleartext, k: key) = - new n: nonce; - let e = enc_internal(c, nil, k, n) in - concat_nonce(n, e). + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r)). -letfun dec(e_nonce: ciphertext, k: key) = - let concat_nonce(n, e) = e_nonce in - dec_internal(e, nil, k, n) - else - bottom. + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4)). } -(* Authenticated encryption with additional data, built from encrypt-then-MAC. - emkey: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". - cleartext: type of cleartexts - ciphertext: type of ciphertexts - add_data: type of additional data +def random_split_5(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, tuple_t, tuple, split) { - enc: encryption function - dec: decryption function - injbot: natural injection from cleartext to bitstringbot - Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t): tuple_t [data]. - Penc(t, N, l): probability of breaking the IND-CPA property of the - underlying encryption scheme in time t for one key and N encryption - queries with cleartexts of length at most l. - Pmac(t, N, N', Nu', l): probability of breaking the SUF-CMA - property of the underlying MAC scheme in time t for one key, N MAC - queries, N' modified verification queries and Nu' unchanged - verification queries for messages of length at most l. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. - The types emkey, cleartext, ciphertext, add_data, and the - probabilities Penc, Pmac must be declared before this macro is - expanded. The functions enc, dec, injbot, and Z are declared - by this macro. They must not be declared elsewhere, and they can be - used only after expanding the macro. -*) + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r)). -def AEAD_from_Enc_then_MAC(emkey, cleartext, ciphertext, add_data, enc, dec, injbot, Z, Penc, Pmac) { + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5)). -type mkey [fixed,large]. (* Mac key *) -type ekey [fixed,large]. (* Encryption key *) +} -(* Extraction of encryption and MAC keys from the pair *) +def random_split_6(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, tuple_t, tuple, split) { -fun get_ekey(emkey):ekey. -fun get_mkey(emkey):mkey. + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t): tuple_t [data]. -param Nk. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. -equiv(emkey) - foreach ik <= Nk do r <-R emkey; (O1():= return(get_ekey(r))| O2():= return(get_mkey(r))) -<=(0)=> - foreach ik <= Nk do (O1():= k1 <-R ekey; return(k1) | O2():= k2 <-R mkey; return(k2)). + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r)). -(* IND-CPA encryption *) + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6)). -type ciphertext_internal. +} -expand IND_CPA_sym_enc(ekey, cleartext, ciphertext_internal, enc_internal, dec_internal, injbot, Z, Penc). +def random_split_7(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, tuple_t, tuple, split) { -(* MAC *) + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t): tuple_t [data]. -type macres [fixed]. -expand SUF_CMA_det_mac(mkey, bitstring, macres, mac, check, Pmac). + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. -(* Concatenation of associated data *) + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r)). -fun concat_data(ciphertext_internal, add_data): bitstring [data]. + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7)). -(* Concatenation of MAC *) +} -fun concat_MAC(ciphertext_internal, macres): ciphertext [data]. +def random_split_8(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, tuple_t, tuple, split) { -letfun enc(c: cleartext, d: add_data, k: emkey) = - let kENC = get_ekey(k) in - let kMAC = get_mkey(k) in - let e = enc_internal(c, kENC) in - let m = mac(concat_data(e, d), kMAC) in - concat_MAC(e, m). + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t): tuple_t [data]. -letfun dec(e_MAC: ciphertext, d: add_data, k: emkey) = - let kENC = get_ekey(k) in - let kMAC = get_mkey(k) in - let concat_MAC(e, m) = e_MAC in - ( - if check(concat_data(e,d), kMAC, m) then - dec_internal(e, kENC) - else - bottom - ) - else - bottom. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + fun get8(input_t): part8_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8)). } +def random_split_9(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, tuple_t, tuple, split) { -(* Authenticated encryption with additional data, built from AEAD_nonce by choosing the nonce randomly. - key: type of keys, must be "bounded" (to be able to generate random numbers from it), typically "fixed" and "large". - cleartext: type of cleartexts - ciphertext: type of ciphertexts - add_data: type of additional data + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t): tuple_t [data]. - enc: encryption function - dec: decryption function - injbot: natural injection from cleartext to bitstringbot - Z: function that returns for each cleartext a cleartext of the same length consisting only of zeroes. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + fun get8(input_t): part8_t. + fun get9(input_t): part9_t. - Penc(t, N, l): probability of breaking the IND-CPA property of the - underlying encryption scheme in time t for one key and N encryption - queries with cleartexts of length at most l. - Pencctxt(t, N, N', l, l', ld, ld'): probability of breaking the - INT-CTXT property of the underlying encryption scheme in time t for - one key, N encryption queries, N' decryption queries with - cleartexts of length at most l and ciphertexts of length at most - l', additional data for encryption of length at most ld, and - additional data for decryption of length at most ld'. + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r)). - The types key, cleartext, ciphertext, add_data, and the - probabilities Penc, Pencctxt must be declared before this macro is - expanded. The functions enc, dec, injbot, and Z are declared - by this macro. They must not be declared elsewhere, and they can be - used only after expanding the macro. -*) + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9)). -def AEAD_from_AEAD_nonce(key, cleartext, ciphertext, add_data, enc, dec, injbot, Z, Penc, Pencctxt) { +} -type nonce [large,fixed]. -type ciphertext_internal. +def random_split_10(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t, tuple_t, tuple, split) { -expand AEAD_nonce(key, cleartext, ciphertext_internal, add_data, nonce, enc_internal, dec_internal, injbot, Z, Penc, Pencctxt). + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t): tuple_t [data]. -fun concat_nonce(nonce, ciphertext_internal): ciphertext [data]. + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + fun get8(input_t): part8_t. + fun get9(input_t): part9_t. + fun get10(input_t): part10_t. -letfun enc(c: cleartext, d: add_data, k: key) = - new n: nonce; - let e = enc_internal(c, d, k, n) in - concat_nonce(n, e). + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r), get10(r)). -letfun dec(e_nonce: ciphertext, d: add_data, k: key) = - let concat_nonce(n, e) = e_nonce in - dec_internal(e, d, k, n) - else - bottom. + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r)) | O10() := return(get10(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; part10 <-R part10_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9) | O10() := return(part10)). } -(******************************* Hash functions (ROM) ****************************) - -(* Hash function in the random oracle model - key: type of the key of the hash function, which models the choice of the hash function, must be "bounded", typically "fixed" - input%: type of the %-th input of the hash function - output: type of the output of the hash function, must be "bounded" or "nonuniform" (typically "fixed"). - - f: the hash function. - WARNING: f is a keyed hash function. - The key must be generated once and for all at the beginning of the game - and the hash oracle must be made available to the adversary, - by including the process f_oracle(k) where k is the key. - qH is the number of calls to f_oracle. - - The types key, input%, and output must be declared before - this macro. The function f, the process f_oracle, and - the parameter qH are defined by this macro. They must not - be declared elsewhere, and they can be used only after expanding the - macro. - - *) - -def ROM_hash_1(key, input1, output, f, f_oracle, qH) { - -fun f(key, input1):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def ROM_hash_2(key, input1, input2, output, f, f_oracle, qH) { - -fun f(key, input1, input2):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def ROM_hash_3(key, input1, input2, input3, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def ROM_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def ROM_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def ROM_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def ROM_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def ROM_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def ROM_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def ROM_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def ROM_hash(key, input, output, f, f_oracle, qH) { -expand ROM_hash_1(key, input, output, f, f_oracle, qH). -} - -(* ROM with large output. - The only difference with ROM is that we eliminate collisions on the output. - The interface is the same as for ROMs. *) - -def ROM_hash_large_1(key, input1, output, f, f_oracle, qH) { - -fun f(key, input1):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def ROM_hash_large_2(key, input1, input2, output, f, f_oracle, qH) { - -fun f(key, input1, input2):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def ROM_hash_large_3(key, input1, input2, input3, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def ROM_hash_large_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def ROM_hash_large_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def ROM_hash_large_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def ROM_hash_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def ROM_hash_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def ROM_hash_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def ROM_hash_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def ROM_hash_large(key, input, output, f, f_oracle, qH) { -expand ROM_hash_large_1(key, input, output, f, f_oracle, qH). -} - -(* Collision resistant hash function - key: type of the key of the hash function, must be "bounded" or "nonuniform", typically "fixed" - input%: type of the %-th input of the hash function - output: type of the output of the hash function - - f: the hash function. - Phash: probability of breaking collision resistance. - WARNING: A collision resistant hash function is a keyed hash function. - The key must be generated once and for all at the beginning of the game, - and immediately made available to the adversary, for instance by - including the process f_oracle(k), where k is the key. - - The types key, input%, output, and the probability Phash - must be declared before this macro. The function f and the - process f_oracle are defined by this macro. They must not be - declared elsewhere, and they can be used only after expanding the - macro. - - *) - -def CollisionResistant_hash_1(key, input1, output, f, f_oracle, Phash) { - -fun f(key, input1):output. - -collision k <-R key; forall x1:input1, y1:input1; - return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { - -fun f(key, input1, input2):output. - -collision k <-R key; forall x1:input1, x2:input2, y1:input1, y2:input2; - return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3; - return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4; - return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; - return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; - return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; - return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash(key, input, output, f, f_oracle, Phash) { -expand CollisionResistant_hash_1(key, input, output, f, f_oracle, Phash). -} - -(* Hidden-key collision resistant hash function - The interface is similar to collision-resistant hash functions, except for the addition of qH. - WARNING: A hidden-key collision resistant hash function is a keyed hash function. - The key must be generated once and for all at the beginning of the game, - and the hash oracle must be made available to the adversary, - by including the process f_oracle(k) where k is the key. - qH is the number of calls to f_oracle. - Phash(t,N): probability of breaking collision resistance - for an adversary that runs in time at most t - and calls the hash oracle at most N times. *) - -def HiddenKeyCollisionResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - -fun f(key, input1):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1) := return(f(k, x1)) | - foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) [useful_change] := return(f(k, x1) = f(k, y1))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1) := return(f(k, x1)) | - foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) := return((x1 = y1))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeyCollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeyCollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeyCollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeyCollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeyCollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeyCollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeyCollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def HiddenKeyCollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def HiddenKeyCollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def HiddenKeyCollisionResistant_hash(key, input, output, f, f_oracle, qH, Phash) { -expand HiddenKeyCollisionResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). - } - -(* Second-preimage-resistant hash function - The interface is the same as for collision-resistant hash functions. - *) - -def SecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { - -fun f(key, input1):output. - -collision k <-R key; x1 <-R input1; forall y1:input1; - return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { - -fun f(key, input1, input2):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; - return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; - return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; - return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; - return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; - return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; - return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash(key, input, output, f, f_oracle, Phash) { -expand SecondPreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). -} - -(* Hidden key second-preimage-resistant hash function - The interface is the same as for hidden-key collision-resistant hash functions. - *) - -def HiddenKeySecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - -fun f(key, input1):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Ox1() := return(x1) | - foreach i <= Ncoll do Ocoll(y1:input1) [useful_change] := return(f(k, x1) = f(k, y1)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; - (Ox1() := return(x1) | - foreach i <= Ncoll do Ocoll(y1:input1) := return((x1 = y1)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeySecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Ox1() := return(x1) | Ox2() := return(x2) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeySecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeySecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeySecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeySecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeySecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeySecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def HiddenKeySecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def HiddenKeySecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged]; x10 <-R input10 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def HiddenKeySecondPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { -expand HiddenKeySecondPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). - } - -(* Fixed-hash second-preimage-resistant hash function - input%: type of the %-th input of the hash function - output: type of the output of the hash function - - f(input...):output : the hash function. (It is not keyed.) - Phash: probability of breaking second-preimage resistance. - - The types input%, output, and the probability Phash - must be declared before this macro. The function f - is defined by this macro. It must not be - declared elsewhere, and it can be used only after expanding the - macro. - *) - -def FixedSecondPreimageResistant_hash_1(input1, output, f, Phash) { - -fun f(input1):output. - -collision x1 <-R input1; forall y1:input1; - return(f(x1) = f(y1)) <=(Phash(time))=> return((x1 = y1)). - -} - -def FixedSecondPreimageResistant_hash_2(input1, input2, output, f, Phash) { - -fun f(input1, input2):output. - -collision x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; - return(f(x1, x2) = f(y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). - -} - -def FixedSecondPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { - -fun f(input1, input2, input3):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; - return(f(x1, x2, x3) = f(y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). - -} - -def FixedSecondPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { - -fun f(input1, input2, input3, input4):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; - return(f(x1, x2, x3, x4) = f(y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). - -} - -def FixedSecondPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; - return(f(x1, x2, x3, x4, x5) = f(y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). - -} - -def FixedSecondPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5, input6):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; - return(f(x1, x2, x3, x4, x5, x6) = f(y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). - -} - -def FixedSecondPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; - return(f(x1, x2, x3, x4, x5, x6, x7) = f(y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). - -} - -def FixedSecondPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; - return(f(x1, x2, x3, x4, x5, x6, x7, x8) = f(y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). - -} - -def FixedSecondPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; - return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). - -} - -def FixedSecondPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; - return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). - -} - -def FixedSecondPreimageResistant_hash(input, output, f, Phash) { -expand FixedSecondPreimageResistant_hash_1(input, output, f, Phash). -} - -(* preimage-resistant hash function - The interface is the same as for collision-resistant hash functions. - *) - -def PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash) { - -fun f(key, input1):output. - -fun f'(key, input1):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | - Ox1() := return(x1))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f'(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := - let r = (x1 = y1) in - find suchthat defined(comp1) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2):output. - -fun f'(key, input1, input2):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | - Ox1() := return(x1) | Ox2() := return(x2))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f'(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := - let r = (x1 = y1) && (x2 = y2) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3):output. - -fun f'(key, input1, input2, input3):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f'(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -fun f'(key, input1, input2, input3, input4):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f'(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -fun f'(key, input1, input2, input3, input4, input5):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -fun f'(key, input1, input2, input3, input4, input5, input6):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) - <=(Nx * Phash(time))=> - k <-R key; - (Ok() := return(k) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def PreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { - expand PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash). -} - -def PreimageResistant_hash(key, input, output, f, f_oracle, Phash) { -expand PreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). -} - -def PreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, Phash) { -expand PreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, Phash). -} - -(* Hidden key preimage-resistant hash function - The interface is the same as for hidden-key collision-resistant hash functions. - *) - -def HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1):output. - -fun f'(key, input1):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | - Ox1() := return(x1))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f'(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := - let r = (x1 = y1) in - find suchthat defined(comp1) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeyPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -fun f'(key, input1, input2):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | - Ox1() := return(x1) | Ox2() := return(x2))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f'(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := - let r = (x1 = y1) && (x2 = y2) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeyPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -fun f'(key, input1, input2, input3):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f'(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeyPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -fun f'(key, input1, input2, input3, input4):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f'(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeyPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -fun f'(key, input1, input2, input3, input4, input5):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeyPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -fun f'(key, input1, input2, input3, input4, input5, input6):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeyPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeyPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def HiddenKeyPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def HiddenKeyPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def HiddenKeyPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { -expand HiddenKeyPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, qH, Phash) { -expand HiddenKeyPreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, qH, Phash). -} - -(* Fixed-hash preimage-resistant hash function - The interface is the same as for fixed-hash second-preimage-resistant hash functions. - *) - -def FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash) { - -fun f(input1):output. - -fun f'(input1):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; (Oim() := return(f(x1)) | - foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | - Ox1() := return(x1)) - <=(Phash(time))=> - x1 <-R input1; (Oim() := return(f'(x1)) | - foreach i <= Neq do Oeq(y1: input1) := - let r = (x1 = y1) in - find suchthat defined(comp1) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1)). - -} - -def FixedPreimageResistant_hash_1(input1, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash) { - -fun f(input1, input2):output. - -fun f'(input1, input2):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; (Oim() := return(f(x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | - Ox1() := return(x1) | Ox2() := return(x2)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; (Oim() := return(f'(x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := - let r = (x1 = y1) && (x2 = y2) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2)). - -} - -def FixedPreimageResistant_hash_2(input1, input2, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash) { - -fun f(input1, input2, input3):output. - -fun f'(input1, input2, input3):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f(x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f'(x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3)). - -} - -def FixedPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash) { - -fun f(input1, input2, input3, input4):output. - -fun f'(input1, input2, input3, input4):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f(x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f'(x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4)). - -} - -def FixedPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5):output. - -fun f'(input1, input2, input3, input4, input5):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f(x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f'(x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5)). - -} - -def FixedPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6):output. - -fun f'(input1, input2, input3, input4, input5, input6):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f(x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f'(x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6)). - -} - -def FixedPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7)). - -} - -def FixedPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8)). - -} - -def FixedPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9)). - -} - -def FixedPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10)). - -} - -def FixedPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash). -} - -def FixedPreimageResistant_hash(input, output, f, Phash) { -expand FixedPreimageResistant_hash_1(input, output, f, Phash). -} - -def FixedPreimageResistant_hash_all_args(input, output, f, f', Phash) { -expand FixedPreimageResistant_hash_all_args_1(input, output, f, f', Phash). -} - -(* Pseudo random function (PRF) - key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". - input%: type of the %-th input of the PRF. - output: type of the output of the PRF, must be "bounded" or "nonuniform", typically "fixed". - - f: PRF function - - Pprf(t, N, l): probability of breaking the PRF property - in time t, for one key, N queries to the PRF of length at most l. - - The types key, input, output and the probability Pprf must - be declared before this macro is expanded. The function f - is declared by this macro. It must not be declared elsewhere, - and it can be used only after expanding the macro. - - *) - -def PRF_1(key, input1, output, f, Pprf) { - -fun f(key, input1):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_2(key, input1, input2, output, f, Pprf) { - -fun f(key, input1, input2):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_3(key, input1, input2, input3, output, f, Pprf) { - -fun f(key, input1, input2, input3):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_4(key, input1, input2, input3, input4, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF(key, input, output, f, Pprf) { -expand PRF_1(key, input, output, f, Pprf). -} - -(* Pseudo random function (PRF) with large output. - The only difference with PRF is that we eliminate collisions on the output. - The interface is the same as for PRFs. *) - -def PRF_large_1(key, input1, output, f, Pprf) { - -fun f(key, input1):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_2(key, input1, input2, output, f, Pprf) { - -fun f(key, input1, input2):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_3(key, input1, input2, input3, output, f, Pprf) { - -fun f(key, input1, input2, input3):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_4(key, input1, input2, input3, input4, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large(key, input, output, f, Pprf) { -expand PRF_large_1(key, input, output, f, Pprf). -} - -(* Ideal Cipher Model - cipherkey: type of keys that correspond to the choice of the scheme, must be "bounded" or "nonuniform", typically "fixed". - key: type of keys (typically "large") - blocksize: type of the input and output of the cipher, must be "bounded" or "nonuniform" (to be able to generate random numbers from it; typically "fixed") and "large". - (The modeling of the ideal cipher model is not perfect in that, in - order to encrypt a new message, one chooses a fresh random number, - not necessarily different from previously generated random - numbers. Then CryptoVerif needs to eliminate collisions between - those random numbers, so blocksize must really be "large".) - - enc: encryption function - dec: decryption function - WARNING: the encryption and decryption functions take 2 keys as - input: the key of type cipherkey that corresponds to the choice of - the scheme, and the normal encryption/decryption key. The cipherkey - must be chosen once and for all at the beginning of the game and - the encryption and decryption oracles must be made available to the - adversary, by including a process enc_dec_oracle(ck) where - ck is the cipherkey. - qE is the number of calls of the encryption oracle - qD is the number of calls of the decryption oracle - - The types cipherkey, key, blocksize must be declared before this - macro is expanded. The functions enc, dec, the process - enc_dec_oracle, and the parameters qE, qD are declared by this - macro. They must not be declared elsewhere, and they can be used - only after expanding the macro. - - *) - -def ICM_cipher(cipherkey, key, blocksize, enc, dec, enc_dec_oracle, qE, qD) { - -fun enc(cipherkey, blocksize, key): blocksize. -fun dec(cipherkey, blocksize, key): blocksize. - -equation forall ck:cipherkey, m:blocksize, k:key; - dec(ck, enc(ck, m, k), k) = m. -equation forall ck:cipherkey, m:blocksize, k:key; - enc(ck, dec(ck, m, k), k) = m. -equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; - (dec(ck, m1, k) = dec(ck, m2, k)) = (m1 = m2). -equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; - (enc(ck, m1, k) = enc(ck, m2, k)) = (m1 = m2). - -equiv(icm(enc)) special icm(("key", "msg", "local_key"), enc, dec, - (ck, k, me, md, u), ("large")). - -equiv(icm_partial(enc)) special icm_partial(("key", "msg", "local_key"), - enc, dec, (ck, k, me, md, u), ("large")) [manual]. - -(* The difference of probability is the probability of collision between two -random numbers in blocksize among the N+N2 chosen random numbers. *) - - param qE, qD [noninteractive]. - -let enc_dec_oracle(ck: cipherkey) = - (foreach iE <= qE do Oenc(x:blocksize, ke:key) := return(enc(ck,x,ke))) - | (foreach iD <= qD do Odec(m:blocksize, kd:key) := return(dec(ck,m,kd))). - -} - -(* random_split_N defines functions to split a random value into N values. - - input_t: type of the input value - part%_t: types of the output parts - tuple_t: type of a tuple of the output parts - tuple(part1_t, ..., partN_t): tuple_t builds a tuple from N parts. - split(input_t): tuple_t splits the input into N parts and returns a tuple of these parts - Usage: let tuple(x1, ..., xN) = split(y) in ... - - input_t, part%_t, and tuple_t must be defined before. - tuple and split are defined by this macro. *) - -def random_split_1(input_t, part1_t, tuple_t, tuple, split) { - - fun tuple(part1_t): tuple_t [data]. - - fun get1(input_t): part1_t. - - letfun split(r: input_t) = tuple(get1(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r))) - <=(0)=> - part1 <-R part1_t; - (O1() := return(part1)). - -} - -def random_split_2(input_t, part1_t, part2_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; - (O1() := return(part1) | O2() := return(part2)). - -} - -def random_split_3(input_t, part1_t, part2_t, part3_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3)). - -} - -def random_split_4(input_t, part1_t, part2_t, part3_t, part4_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4)). - -} - -def random_split_5(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5)). - -} - -def random_split_6(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6)). - -} - -def random_split_7(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7)). - -} - -def random_split_8(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - fun get8(input_t): part8_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8)). - -} - -def random_split_9(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - fun get8(input_t): part8_t. - fun get9(input_t): part9_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9)). - -} - -def random_split_10(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - fun get8(input_t): part8_t. - fun get9(input_t): part9_t. - fun get10(input_t): part10_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r), get10(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r)) | O10() := return(get10(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; part10 <-R part10_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9) | O10() := return(part10)). - -} - + +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* The types input_t and output_t MUST be fixed. *) def truncate(input_t, output_t, truncate_f) { @@ -8582,6 +8595,18 @@ def truncate(input_t, output_t, truncate_f) { O_trunc() := return(k). } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + def OptionType_1(option, option_Some, option_None, input) { type option. fun option_Some(input): option [data]. @@ -8597,6 +8622,18 @@ def OptionType_2(option, option_Some, option_None, input1, input2) { equation forall x1: input1, x2: input2; option_Some(x1, x2) <> option_None. } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + def boolean_choice(value_t, test) { fun test(bool, value_t, value_t) : value_t. @@ -8620,6 +8657,18 @@ def boolean_choice_for_encryption(value_t, Length, test) { equation forall x:value_t, y:value_t, b:bool; Length(test(b,x,y)) = test (b,Length(x),Length(y)). } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* DH_proba_collision_minimal says that the probability that exp(g, x) = Y for random x and Y independent of x is at most PCollKey *) @@ -8760,6 +8809,18 @@ equiv(gdh(exp)) } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* The following macros define security properties of AKEM, which we use as assumptions in the proof of HPKE. @@ -8848,17 +8909,17 @@ def Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap } (* Macro Outsider_CCA_Secure_Authenticated_KEM defines an Outsider-CCA secure AKEM. - In addition to the previous arguments, it takes the advantage of the adversary + It takes the previous arguments, except that instead of P_pk_coll, it takes the advantage of the adversary over the Outsider-CCA property, Adv_Outsider_CCA(time, N, Qetot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qdtot the total number of queries to the Encap and Decap oracles, respectively. *) -def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA) { - - expand Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_CCA) { param N, Qeperuser, Qdperuser. + table E(pkey, pkey, ciphertext, key). + (* In this security notion, the sender keypair is honest, which means the private key is not known to the adversary. *) equiv(outsider_cca(AuthEncap)) @@ -8879,6 +8940,7 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth find i2 <= N suchthat defined(s[i2]) && pk_R = pkgen(s[i2]) then ( let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks, pk_R, skgen(s)) in ( k' <-R key; + insert E(pkgen(s), pk_R, ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -8889,15 +8951,8 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth )) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - encryption queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(s[i1], pk_R[ie1, i1], k'[ie1, i1], ce[ie1, i1]) && - pkgen(s) = pk_R[ie1, i1] && pkgen(s[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k'[ie1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(cd, skgen(s), pk_S)) )) | @@ -8905,19 +8960,19 @@ def Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, Auth ). } -(* Macro Outsider_Secure_Authenticated_KEM defines an Outsider-CCA and Outsider-Auth AKEM. - In addition to the arguments mentioned at the top of the file, it takes the advantage - of the adversary over the Outsider-CCA property, Adv_Outsider_CCA(time, N, Qetot, Qdtot), and +(* Macro Outsider_Auth_Secure_Authenticated_KEM defines an Outsider-Auth AKEM. + It takes the arguments mentioned at the top of the file, except that instead + of P_pk_coll, it takes the advantage of the adversary over the Outsider-Auth property, Adv_Outsider_Auth(time, N, Qetot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qdtot the total number of queries to the Encap and Decap oracles, respectively. *) -def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA, Adv_Outsider_Auth) { - - expand Outsider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Outsider_CCA). +def Outsider_Auth_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Outsider_Auth) { param N, Qeperuser, Qdperuser. + table E(pkey, pkey, ciphertext, key). + equiv(outsider_auth(AuthEncap)) foreach i <= N do s <-R keypairseed; ( foreach ie <= Qeperuser do ks <-R kemseed; ( @@ -8934,6 +8989,7 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca foreach ie <= Qeperuser do ks <-R kemseed [unchanged]; ( OAEncap(pk_R: pkey) := let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks, pk_R, skgen(s)) in ( + insert E(pkgen(s), pk_R, ce, k); return(AuthEncap_tuple(k, ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -8941,27 +8997,14 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca )) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Oencap and previous Odecap queries using arrays. - The first branch looks into Oencap queries, and in case of - success, the oracle returns the key k computed there. - The second branch (after "orfind") looks into previous - Odecap queries, and in case of success, the oracle returns - the previously computed key k'. *) - find ie1 <= Qeperuser, i1 <= N suchthat - defined(s[i1], pk_R[ie1, i1], k[ie1, i1], ce[ie1, i1]) && - pkgen(s) = pk_R[ie1, i1] && pkgen(s[i1]) = pk_S && ce[ie1, i1] = cd then ( - return(AuthDecap_Some(k[ie1, i1])) - ) orfind id1 <= Qdperuser, i1 <= N suchthat - defined(s[i1], pk_S[id1, i1], k'[id1, i1], cd[id1, i1]) && - pkgen(s) = pkgen(s[i1]) && pk_S[id1, i1] = pk_S && cd[id1, i1] = cd then ( - return(AuthDecap_Some(k'[id1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( (* This "find" checks whether pk_S is among the honest public keys pk_i *) find i1 <= N suchthat defined(s[i1]) && pk_S = pkgen(s[i1]) then ( let AuthDecap_Some(k0) = AuthDecap(cd, skgen(s), pk_S) in ( k' <-R key; + insert E(pk_S, pkgen(s), cd, k'); return(AuthDecap_Some(k')) ) else ( return(AuthDecap_None) @@ -8976,17 +9019,17 @@ def Outsider_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEnca } (* Macro Insider_CCA_Secure_Authenticated_KEM defines an Insider-CCA AKEM. - In addition to the arguments mentioned at the top of the file, it takes the advantage + It takes the arguments mentioned at the top of the file, except that instead of P_pk_coll it takes the advantage of the adversary over the Insider-CCA property, Adv_Insider_CCA(time, N, Qetot, Qctot, Qdtot), where time is the runtime of the adversary, N the number of users, and Qetot, Qctot, Qdtot the total number of queries to the Encap, Decap, and Challenge oracles, respectively. *) -def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll, Adv_Insider_CCA) { - - expand Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, P_pk_coll). +def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthEncap_res, AuthDecap_res, key, ciphertext, skgen, pkgen, GenerateKeyPair, AuthEncap, AuthEncap_r, AuthEncap_key_r, AuthEncap_enc_r, AuthEncap_tuple, AuthEncap_None, AuthDecap, AuthDecap_Some, AuthDecap_None, Adv_Insider_CCA) { param N, Qeperuser, Qdperuser, Qcperuser. + table E(pkey, pkey, ciphertext, key). + equiv(insider_cca(AuthEncap)) foreach i <= N do s <-R keypairseed; ( foreach ic <= Qcperuser do ks' <-R kemseed; ( @@ -9007,6 +9050,7 @@ def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthE Ochall(s': keypairseed) := let AuthEncap_tuple(k: key, ce: ciphertext) = AuthEncap_r(ks', pkgen(s), skgen(s')) in ( k' <-R key; + insert E(pkgen(s'), pkgen(s), ce, k'); return(AuthEncap_tuple(k', ce)) ) else ( (* Never happens because AuthEncap always returns AuthEncap_tuple(...) *) @@ -9017,17 +9061,8 @@ def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthE return(AuthEncap_r(ks, pk_R, skgen(s)))) | foreach id <= Qdperuser do ( OADecap(pk_S: pkey, cd: ciphertext) := - (* This "find" implements a lookup in the set E of the paper. - The set is not built explicitly; we look for values in - Ochall queries using arrays -- all variables are implicitly - stored in arrays indexed by replication indices above their - definition. *) - find ic1 <= Qcperuser, i1 <= N suchthat - defined(ce[ic1, i1], k'[ic1, i1], s[i1], s'[ic1, i1]) - && ce[ic1, i1] = cd - && pkgen(s'[ic1, i1]) = pk_S - && pkgen(s[i1]) = pkgen(s) then ( - return(AuthDecap_Some(k'[ic1, i1])) + get E(=pk_S, =pkgen(s), =cd, k'') in ( + return(AuthDecap_Some(k'')) ) else ( return(AuthDecap(cd, skgen(s), pk_S)) ) @@ -9036,6 +9071,18 @@ def Insider_CCA_Secure_Authenticated_KEM(keypairseed, pkey, skey, kemseed, AuthE ). } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* AEAD (authenticated encryption with additional data) with a random nonce. A typical example is AES-GCM. @@ -9130,6 +9177,18 @@ equiv(int_ctxt(enc)) return(bottom)). } +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* Pseudo random function (PRF) key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". input1: type of the input of the PRF. diff --git a/lib.option.ocvl b/lib.option.ocvl index 940455d..bb16d4d 100644 --- a/lib.option.ocvl +++ b/lib.option.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + def OptionType_1(option, option_Some, option_None, input) { type option. fun option_Some(input): option [data]. diff --git a/lib.prf.ocvl b/lib.prf.ocvl index b57d1c5..5343fdf 100644 --- a/lib.prf.ocvl +++ b/lib.prf.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* Pseudo random function (PRF) key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". input1: type of the input of the PRF. diff --git a/lib.truncate.ocvl b/lib.truncate.ocvl index 46f8820..a259551 100644 --- a/lib.truncate.ocvl +++ b/lib.truncate.ocvl @@ -1,3 +1,15 @@ +(* Analysing the HPKE Standard - Supplementary Material + Joël Alwen; Bruno Blanchet; Eduard Hauck; Eike Kiltz; Benjamin Lipp; + Doreen Riepel + +This is supplementary material accompanying the paper: + +Joël Alwen, Bruno Blanchet, Eduard Hauck, Eike Kiltz, Benjamin Lipp, +and Doreen Riepel. Analysing the HPKE Standard. In Anne Canteaut and +Francois-Xavier Standaert, editors, Eurocrypt 2021, Lecture Notes in +Computer Science, Zagreb, Croatia, October 2021. Springer. To appear. +Long version: https://eprint.iacr.org/2020/1499 *) + (* The types input_t and output_t MUST be fixed. *) def truncate(input_t, output_t, truncate_f) { diff --git a/run.bash b/run.bash index 948360a..6cc35af 100755 --- a/run.bash +++ b/run.bash @@ -6,8 +6,8 @@ set -e # Assumptions of this script: # - an environment variable CRYPTOVERIF is defined and points to the # directory where the CryptoVerif folder is located. This is the -# folder that contains for example the files build, and after -# building CryptoVerif, the file default.ocvl +# folder that contains for example the file `build`, and after +# building CryptoVerif, the file `default.ocvl` # If you do not have the environment variable CRYPTOVERIF defined, # you can also uncomment the following line and adapt the path # accordingly: @@ -19,6 +19,26 @@ STDLIB=${CRYPTOVERIF}/default.ocvl LIB=lib.ocvl OUT=out +# Usually no need to modify something after this line. + +file_exists_or_abort() +{ + filename=$1 + if [ ! -f $filename ] + then + echo "File '$filename' not found. Did you execute this script in the directory in which it's stored?" + exit 2 + fi +} + +file_exists_or_abort lib.truncate.ocvl +file_exists_or_abort lib.option.ocvl +file_exists_or_abort lib.choice.ocvl +file_exists_or_abort lib.gdh.ocvl +file_exists_or_abort lib.authkem.ocvl +file_exists_or_abort lib.aead.ocvl +file_exists_or_abort lib.prf.ocvl + # Check presence of standard library if [[ -f ${STDLIB} ]]; then echo "Found the CryptoVerif standard library at ${STDLIB}."