# TMN
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/tmn.html
#
# Note:
# According to Boyd and Mathuria Kb is the session key this is not clear
# from the description in SPORE

usertype Key;

const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
const Fresh: Function;
const Compromised: Function;

protocol tmnSessionKeyCompromise(C)
{
    // Read the names of 3 agents and disclose a session between them including
    // corresponding session key to simulate key compromise
    role C {
        const Ni,Nr: Nonce;
        const Kr,Ki: Key;
        var I,R,S: Agent;

        read_C1(C,C,    I,R,S);
        send_C2(C,C,    R,{Ki}pk(S),
                        I, {Kr}pk(S),
                        {Kr}Ki,
                        Kr
               );
        claim_C3(C,Empty, (Compromised,Kr));
    }
}

protocol tmn(I,R,S)
{
    role I
    {
        const Ki: Key;
        var Kr: Key;

        send_1(I,S, R,{Ki}pk(S) );
        read_4(S,I, R,{Kr}Ki );

        claim_I1(I,Secret,Kr);
        claim_I2(I,Nisynch);
        claim_I3(I,Empty,(Fresh,Kr));
    }    
    
    role R
    {
        const Kr: Key;

        read_2(S,R, I );
        send_3(R,S, I, { Kr }pk(S) );

        claim_R1(R,Secret,Kr);
        claim_R2(R,Nisynch);
        claim_R3(R,Empty,(Fresh,Kr));
    }

    role S
    {
        var Ki,Kr: Key;

        read_1(I,S, R,{Ki}pk(S) );
        send_2(S,R, I );
        read_3(R,S, I, { Kr }pk(S) );
        send_4(S,I, R,{Kr}Ki );
    }
}

const Alice,Bob,Eve,Simon: Agent;
const Ke: Key;


untrusted Eve;
compromised sk(Eve);

# Scenario to recreate an attack in SPORE
#run tmn.I (Alice,Bob,Simon);
#run tmn.R (Alice,Bob,Simon);
#run tmn.S (Alice,Bob,Simon);

run tmn.I (Agent,Agent,Simon);
run tmn.R (Agent,Agent,Simon);
run tmn.S (Agent,Agent,Simon);