theory symmEncOracles
begin
/* senc and sdec take 2 inputs, resp. */
functions: senc/2, sdec/2
/* decryption of encryption of m is m */
equations: sdec(k,senc(k,m))=m
/* ORACLES */
rule OracleInit:
[ Fr(~challKey) ]
-->
[ OracleInit(~challKey),
OracleChallCanBeCalled(~challKey)
]
rule OracleEnc:
[ OracleInit(~challKey),
In(m) ]
-->
[ Out(senc(~challKey,m)) ]
rule OracleDec1:
[ OracleInit(~challKey),
In(senc(~challKey,m)) ]
-->
[ Out(m) ]
//can only be called once
rule OracleChall:
[ OracleInit(~challKey),
Fr(~challMsg),
OracleChallCanBeCalled(~challKey) ]
-->
[ OracleChall(~challMsg),
Out(senc(~challKey,~challMsg))]
// if OracleChall was called before, outputs nothing
rule OracleDec2_no_output:
[ OracleInit(~challKey),
OracleChall(~challMsg),
In(senc(~challKey, ~challMsg)) ]
-->
[ ]
//else
rule OracleDec2_output_m:
[ OracleInit(~challKey),
OracleChall(~challMsg),
In(senc(~challKey, m)),
Neq(~challMsg, m) ]
-->
[ Out(m) ]
//it is impossible to obtain challMsg
lemma UnobtainableChallMsg:
" not( Ex #k . K(~challMsg) @ #k) "
end