# SmartRight view-only
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/smartright_viewonly.html
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
# Note:
# Scyther finds an attack because the value of VoR in te last message can
# be replaced with an arbitrary value

const hash: Function;
secret unhash: Function;
secret k: Function;
inversekeys (hash,unhash);
usertype SessionKey;
usertype XorKey;
const Vor: XorKey;

protocol smartright(I,R)
{
    role I
    {
        const VoKey: SessionKey;
        const VoR: XorKey;
        const CW;
        var VoRi: Nonce;

        send_1(I,R, {VoKey,{CW}VoR}k(I,R));
        read_2(R,I, VoRi);
        send_3(I,R, VoR, {{VoRi}hash}VoKey);
    }    
    
    role R
    {
        var T: Ticket;
        var VoR: XorKey;
        var VoKey: SessionKey;
        const VoRi: Nonce;

        read_1(I,R, {VoKey,T}k(I,R));
        send_2(R,I, VoRi);
        read_3(I,R, VoR,{{VoRi}hash}VoKey);

        claim_R1(R,Nisynch);
    }
}

const Alice,Bob,Eve: Agent;

untrusted Eve;
const ne: Nonce;