# Kao Chow Authentication v.2
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/kaoChow2.html
#
# Note:
# This protocol uses a ticket so scyther will only be able to verify
# the protocol using the ARACHNE engine (-a)
#

usertype Sessionkey;
secret k: Function;

protocol kaochow2(I,R,S)
{
    role I
    {
        const ni: Nonce;
        var nr: Nonce;
        var kir,kt: Sessionkey;

        send_1 (I,S, I,R,ni);
        read_3 (R,I, R, {I,R,ni,kir,kt}k(I,S), {ni, kir}kt, nr );
        send_4 (I,R, {nr,kir}kt );

        claim_5 (I, Nisynch);
        claim_6 (I, Niagree);
        claim_7 (I, Secret, kir);
    }    
    
    role R
    {
        var ni: Nonce;
        const nr: Nonce;
        var kir,kt: Sessionkey;
        var T: Ticket;

        read_2 (S,R, T, { I,R,ni,kir,kt }k(R,S)  ); 
        send_3 (R,I, R, T, {ni, kir}kt, nr );
        read_4 (I,R, {nr,kir}kt );

        claim_8 (R, Nisynch);
        claim_9 (R, Niagree);
        claim_10 (R, Secret, kir);
    }

    role S
    {
        var ni: Nonce;
        const kir, kt: Sessionkey;

        read_1 (I,S, I,R,ni);
        send_2 (S,R, {I,R,ni,kir,kt}k(I,S), { I,R,ni,kir,kt }k(R,S)  ); 
    }
}

const Alice,Bob,Simon,Eve: Agent;

untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);

run kaochow2.I(Agent,Agent,Simon);
run kaochow2.R(Agent,Agent,Simon);
run kaochow2.S(Agent,Agent,Simon);
run kaochow2.I(Agent,Agent,Simon);
run kaochow2.R(Agent,Agent,Simon);
run kaochow2.S(Agent,Agent,Simon);