/* 
	Bilateral Key Exchange with Public Key protocol (BKEPK)

	CMV version with explicit secrecy claims.
*/

usertype Key;

const pk,hash: Function;
secret sk,unhash: Function;

inversekeys (pk,sk);
inversekeys (hash,unhash);

protocol bkepk(A,B)
{
	role B
	{
		const nb: Nonce;
		var na: Nonce;
		var kab: Key;

		send_1 (B,A, B,{ nb,B }pk(A) );
		read_2 (A,B, { hash(nb),na,A,kab }pk(B) );
		send_3 (B,A, { hash(na) }kab );
		claim_4 (B, Secret, na,nb );
	}

	role A
	{
		var nb: Nonce;
		const na: Nonce;
		const kab: Key;

		read_1 (B,A, B,{ nb,B }pk(A) );
		send_2 (A,B, { hash(nb),na,A,kab }pk(B) );
		read_3 (B,A, { hash(na) }kab );
		claim_5 (A, Secret, na,nb );
	}
}

const Alice,Bob,Eve;

compromised sk(Eve);

run bkepk.A(Alice,Bob);
run bkepk.B(Alice,Bob);
run bkepk.A(Alice,Bob);
run bkepk.B(Alice,Bob);

run bkepk.A(Alice,Bob);
run bkepk.B(Alice,Bob);
run bkepk.A(Alice,Bob);
run bkepk.B(Alice,Bob);

run bkepk.A(Alice,Bob);
run bkepk.B(Alice,Bob);