theory UM_wPFS
begin

builtins: hashing, diffie-hellman

section{* The Unified Model (UM) Key-Exchange Protocol *}

/*
 * Protocol:	Unified Model (UM)
 * Modeler: 	Cas Cremers
 * Date: 	January 2012
 * Source:	"Authenticated Diffie-Hellman Key Agreement Protocols"
 * 		Simon Blake-Wilson and Alfred Menezes
 * 		LNCS 1556, 1999
 * Property:	weak Perfect Forward Secrecy (wPFS), from
 * 		"HMQV: A High-Performance Secure Diffie-Hellman Protocol"
 * 		H. Krawczyk
 * 		CRYPTO 2005, LNCS 3621, 2005
 *
 * Status: 	working
 */

/* Protocol rules */

rule generate_ltk:
   [ Fr(~lk) ] -->
   [ !Ltk( $A, ~lk ), !Pk( $A, 'g'^~lk ), Out( 'g'^~lk ) ]

rule Init_1:
   [ Fr( ~ekI ), !Ltk( $I, ~lkI ) ]
   --[ SidI_1(~ekI,$I,$R, 'g'^~ekI ) ]->
   [ Init_1( ~ekI, $I, $R, ~lkI, 'g'^~ekI ),
     !Ephk(~ekI),
     Out( 'g'^~ekI ) ]

rule Init_2:
   [ Init_1( ~ekI, $I, $R, ~lkI , hkI), In( Y ), !Pk( $R,'g'^~lkR ) ]
   --[SidI_2( ~ekI, $I, $R, hkI, Y,
       h( <Y^~ekI, ('g'^~lkR)^~lkI > ) ) ]->
   [ !Sessk( ~ekI, 
       h( <Y^~ekI, ('g'^~lkR)^~lkI > ) ) ]


rule Resp_1:
   [ In( X ), Fr( ~ekR ), !Ltk($R, ~lkR), !Pk($I, 'g'^~lkI) ]
   --[ SidR_1( ~ekR, $I, $R, X, 'g'^~ekR ,
       h( <X^~ekR, ('g'^~lkI)^~lkR > ) ) ]->
   [ Out( 'g'^~ekR ),
     !Ephk(~ekR),
     !Sessk( ~ekR, 
       h( <X^~ekR, ('g'^~lkI)^~lkR > ) ) ]

rule Sessk_reveal: 
   [ !Sessk(~tid, k) ]
   --[ SesskRev(~tid) ]->
   [ Out(k) ]

rule Ephk_reveal:
   [ !Ephk(~ekI) ]
   --[ EphkRev(~ekI) ]->
   [ Out(~ekI) ]

rule Ltk_reveal:
   [ !Ltk($A, k) ]
   --[ LtkRev($A) ]->
   [ Out(k) ]


/* Security properties */

/*
lemma key_agreement_reachable:
  "not (Ex #i1 #i2 ekI ekR I R k hkI hkR.
          SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & SidR_1(ekR, I, R, hkI, hkR, k) @ i2)"
*/

/* An attack is valid in the security model if the session key of the test session is deduced and
   the test session is clean.
*/
lemma wPFS_initiator_key:
  "not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidI_2(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* No ephemeral-key-reveal */
            & (All #i3 t. EphkRev( t ) @ i3 ==> F)

            /* No session-key-reveal */
            & (All #i3 t. SesskRev( t ) @ i3 ==> F)

	    /* Long-term key reveals are after the end of the test
	     * thread. Furthermore, if there is no partner thread, then there is no longterm-key-reveal for
	       the actor or the intended peer.
	       */
            & (All #i3. (LtkRev( I )@ i3 ) ==>
	          ( (i1 < i3) &
	            (Ex #i4 tpartner kpartner.
                      SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i4)))
            & (All #i3. (LtkRev( R )@ i3 ) ==>
	          ( (i1 < i3) &
	            (Ex #i4 tpartner kpartner.
                      SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i4)))
	)"

/* An attack is valid in the security model if the session key of the test session is deduced and
   the test session is clean.
*/
lemma wPFS_responder_key:
  "not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidR_1(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* No ephemeral-key-reveal */
            & (All #i3 t. EphkRev( t ) @ i3 ==> F)

            /* No session-key-reveal */
            & (All #i3 t. SesskRev( t ) @ i3 ==> F)

	    /* Long-term key reveals are after the end of the test
	     * thread. Furthermore, if there is no partner thread, then there is no longterm-key-reveal for
	       the actor or the intended peer.
	       */
            & (All #i3. (LtkRev( I )@ i3 ) ==>
	          ( (i1 < i3) &
	            (Ex #i4 tpartner.
                       SidI_1( tpartner,I,R,hkI ) @i4)))
            & (All #i3. (LtkRev( R )@ i3 ) ==>
	          ( (i1 < i3) &
	            (Ex #i4 tpartner.
                       SidI_1( tpartner,I,R,hkI ) @i4)))
	)"

end