# Buttyan Nagy Vajda protocol 2 (3-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Attacks:
#

secret k: Function;

protocol intruderhelp(Swap)
{
    role Swap
    {
        var T: Ticket;
	var R0,R1: Agent;

	recv_!1(Swap,Swap, { T }k(R0,R1) );
	send_!2(Swap,Swap, { T }k(R1,R0) );
    }
}

protocol bunava23(R0,R1,R2)
{
    role R0
    {
        fresh n0: Nonce;
	var n1,n2: Nonce;
        var T0: Ticket;

	send_1(R0,R1, n0);
	recv_3(R2,R0, n2, T0, { R2,{ R1,n0 }k(R0,R1) }k(R0,R2) );
	send_4(R0,R1, { R0,n2 }k(R0,R2), { R0, T0 }k(R0,R1) );

	claim_A1(R0, Niagree);
	claim_A2(R0, Nisynch);
    }

    role R1
    {
        fresh n1: Nonce;
	var n0,n2: Nonce;
        var T1: Ticket;

	recv_1(R0,R1, n0);
	send_2(R1,R2, n1,{R1,n0}k(R1,R2) );
	recv_4(R0,R1, T1, { R0, { R2,n1 }k(R1,R2) }k(R0,R1) );
	send_5(R1,R2, { R1, T1 }k(R1,R2) );

	claim_B1(R1, Niagree);
	claim_B2(R1, Nisynch);
    }

    role R2
    {
        fresh n2: Nonce;
	var n0,n1: Nonce;
        var T2: Ticket;

	recv_2(R1,R2, n1, T2 );
	send_3(R2,R0, n2,{ R2,n1 }k(R1,R2), { R2, T2 }k(R0,R2) );
	recv_5(R1,R2, { R1, { R0,n2 }k(R0,R2) }k(R1,R2) );

	claim_C1(R2, Niagree);
	claim_C2(R2, Nisynch);
    }
}



# General scenario