Doing expand get, insert and prove unique annotations... No change. Doing simplify (non-expanded game)... No change. Doing expand... No change. Doing remove assignments of findcond... Done. Doing simplify... Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Proof of (one-session) secrecy of sk_u failed: sk_u is not defined only by restrictions or assignments. Proof of (one-session) secrecy of sk_s failed: sk_s is not defined only by restrictions or assignments. Proof of inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s failed: Found termS(U, X_s, S, Ystar, auth_s, sk_s) at 148 but could not prove inj-event(acceptU(x, X, y, Ystar, a, k, u)) Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Proved query event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s Probability: 0.5 * NU^2 / |Z| Sorry, the following queries remain unproved: - inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s - secrecy of sk_s - secrecy of sk_u Ostart() := hk0_1 <-R hashkey; hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- h0(hk0_1, concat(U, S, X, Y_u, K_u)); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- h0(hk0_1, concat(U, S, X_s, Y, K_s)); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := return(h0(hk0_1, x1)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Doing insert instruction let concat(x01,x02,x03,x04,x05) = x1 in at occurrence 254... Done. Trying equivalence rom(h0)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Done. Doing expand... Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on y inside simplify... At 178, output message (S, Ystar) depends on y. No change Doing global dependency analysis on x inside simplify... At 22, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 212, output message (S, Ystar) depends on y. No change Doing global dependency analysis on x inside simplify... At 22, output message (U, X) depends on x. No change Run simplify 2 time(s). Fixpoint reached. Done. Doing move all binders... Done. Doing remove assignments of findcond... No change. Doing merge branches... No change. Doing insert instruction let concat(x11,x12,x13,x14,x15) = x1_1 in at occurrence 583... Done. Trying equivalence rom(h1)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... Eliminated collisions between y and yp Probability: NS * NP / |Z| Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Eliminated collisions between x and xp Probability: NU * NP / |Z| Applied collision x_1 <-R Z; forall y_1: Z, z_1: Z; return((mult(x_1, y_1) = z_1)) <=(1 / |Z|)=> return(false) if y_1 independent-of x_1 && z_1 independent-of x_1 with x_1 -> xp, y_1 -> yp, z_1 -> mult(xp[ri_26], yp[ri_26]) Probability: NP * NP / |Z| Done. Doing expand... Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Eliminated collisions between xp and xp Probability: 0.5 / |Z| * NP * NP Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 698, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 698, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 341, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 937, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 315, output message (r_4) depends on r_4. No change Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp, X_1 -> g, Y_1 -> x13[ri_25] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp, X_1 -> g, Y_1 -> x14[ri_25] Probability: NP * qH1 / |Z| Doing global dependency analysis on xp inside simplify... At 724, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 724, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 359, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 1038, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 333, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Doing SA rename u_33... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 759, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 759, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 423, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 1070, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 398, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing simplify... Doing global dependency analysis on xp inside simplify... At 759, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 759, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 423, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 1070, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 398, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... Done. Doing remove assignments of findcond... No change. Doing merge branches... No change. Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Doing insert instruction find j <= NU suchthat defined(X[j]) && X[j] = X_s then else find jh <= qH1 suchthat defined(x11[jh], x12[jh], x13[jh], x14[jh], r_6[jh]) && (U = x11[jh]) && (S = x12[jh]) && (X_s = x13[jh]) && (Y = x14[jh]) && (auth_s = r_6[jh]) then event_abort Auth at occurrence 431... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 1099, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 1099, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 425, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 1410, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 400, output message (r_4) depends on r_4. No change Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Doing global dependency analysis on xp inside simplify... At 822, output message (U, Xp, S, Ystarp, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 822, output message (U, Xp, S, Ystarp, r_5) depends on yp. No change Doing global dependency analysis on x inside simplify... At 21, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 425, output message (S, Ystar) depends on y. No change Doing global dependency analysis on r_6 inside simplify... At 1133, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 400, output message (r_4) depends on r_4. No change Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Run simplify 2 time(s). Maximum reached. Done. Trying equivalence icm(enc)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... Eliminated collisions between yp and yp Probability: 0.5 / |Z| * NP * NP Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between y and yp Probability: NS * NP / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp, X_1 -> g, Y_1 -> me_O_dec[ri_50] Probability: NP * NU / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp, X_1 -> g, Y_1 -> me_O_dec_1[ri_49] Probability: NP * qD / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y, X_1 -> g, Y_1 -> me_O_dec[ri_55] Probability: NS * NU / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y, X_1 -> g, Y_1 -> me_O_dec_1[ri_54] Probability: NS * qD / |Z| Done. Doing expand... Eliminated collisions between y and yp Probability: NS * NP / |Z| Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between yp and yp Probability: 0.5 / |Z| * NP * NP Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y[i2_932], X_1 -> g, Y_1 -> me_O_dec_1[i2_931] Probability: NS * qD / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y[i2_796], X_1 -> g, Y_1 -> me_O_dec Probability: NS * NU / |Z| Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 2670, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 2873, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 2854, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 2790, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 2670, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 2271, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on me_O_dec_1 inside simplify... At 2901, output message (me_O_dec_1) depends on me_O_dec_1. No change Doing global dependency analysis on me_O_dec inside simplify... At 2815, output message (me_O_dec[u_43]) depends on me_O_dec. No change Doing global dependency analysis on r_6 inside simplify... At 3178, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 1883, output message (r_4) depends on r_4. No change Eliminated collisions between me_O_dec and x14[ri_33] Probability: qH1 * NU / |G| (me_O_dec collides with a value independent of me_O_dec with probability at most 1 / |G|; x14[ri_33] does not depend on me_O_dec) Eliminated collisions between me_O_dec and x04[ri_13] Probability: qH0 * NU / |G| (me_O_dec collides with a value independent of me_O_dec with probability at most 1 / |G|; x04[ri_13] does not depend on me_O_dec) Eliminated collisions between exp(g, y) and x_1[ri_51] Probability: qE * NS / |Z| (exp(g, y) collides with a value independent of y with probability at most 1 / |Z|; x_1[ri_51] does not depend on y) Eliminated collisions between exp(g, yp) and x_1[ri_46] Probability: qE * NP / |Z| (exp(g, yp) collides with a value independent of yp with probability at most 1 / |Z|; x_1[ri_46] does not depend on yp) Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp[i2_1246], X_1 -> g, Y_1 -> x13[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_1246], X_1 -> g, Y_1 -> x14[ri_33] Probability: NP * qH1 / |Z| Doing global dependency analysis on xp inside simplify... At 2057, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 2253, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 2235, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 2173, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 2057, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 1686, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on me_O_dec_1 inside simplify... At 2280, output message (me_O_dec_1) depends on me_O_dec_1. No change Doing global dependency analysis on me_O_dec inside simplify... At 2197, output message (me_O_dec[u_43]) depends on me_O_dec. No change Doing global dependency analysis on r_6 inside simplify... At 2557, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 1665, output message (r_4) depends on r_4. No change Eliminated collisions between exp(me_O_dec[i2_2383], x[i2_2383]) and x15[ri_33] Probability: qH1 * NU / |G| (exp(me_O_dec[i2_2383], x[i2_2383]) collides with a value independent of me_O_dec[i2_2383] with probability at most 1 / |G|; x15[ri_33] does not depend on me_O_dec[i2_2383]) Eliminated collisions between exp(me_O_dec[i2_2355], x[i2_2355]) and x05[ri_13] Probability: qH0 * NU / |G| (exp(me_O_dec[i2_2355], x[i2_2355]) collides with a value independent of me_O_dec[i2_2355] with probability at most 1 / |G|; x05[ri_13] does not depend on me_O_dec[i2_2355]) Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp[i2_1968], X_1 -> g, Y_1 -> x13[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_1968], X_1 -> g, Y_1 -> x14[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y[ri_14], X_1 -> g, Y_1 -> x_1[u_59] Probability: NS * NU / |Z| Run simplify 2 time(s). Maximum reached. Done. Doing move all binders... Done. Doing remove assignments of findcond... Done. Doing merge branches... No change. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Doing insert event Encrypt at occurrence 1233... Done. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Trying equivalence group_to_exp_strict(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between exp(me_O_dec[i2_2649], x[i2_2649]) and x15[ri_33] Probability: qH1 * NU / |G| (exp(me_O_dec[i2_2649], x[i2_2649]) collides with a value independent of me_O_dec[i2_2649] with probability at most 1 / |G|; x15[ri_33] does not depend on me_O_dec[i2_2649]) Eliminated collisions between exp(me_O_dec[i2_2642], x[i2_2642]) and x05[ri_13] Probability: qH0 * NU / |G| (exp(me_O_dec[i2_2642], x[i2_2642]) collides with a value independent of me_O_dec[i2_2642] with probability at most 1 / |G|; x05[ri_13] does not depend on me_O_dec[i2_2642]) Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp[i2_2553], X_1 -> g, Y_1 -> x13[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_2553], X_1 -> g, Y_1 -> x14[ri_33] Probability: NP * qH1 / |Z| Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 1667, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 1862, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 1844, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 1783, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 1667, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 1296, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on x_2 inside simplify... At 1889, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on me_O_dec inside simplify... At 1804, output message (me_O_dec[u_43]) depends on me_O_dec. No change Doing global dependency analysis on r_6 inside simplify... At 2167, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 1276, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence group_to_exp_strict(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_3[i2_3533], X_1 -> g, Y_1 -> x14[ri_33] Probability: NU * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_3[i2_3526], X_1 -> g, Y_1 -> x04[ri_13] Probability: NU * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp[i2_3437], X_1 -> g, Y_1 -> x13[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_3437], X_1 -> g, Y_1 -> x14[ri_33] Probability: NP * qH1 / |Z| Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 1683, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 1882, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 1864, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 1801, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 1683, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 1312, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on x_2 inside simplify... At 1909, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 1822, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 2187, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 1292, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence group_to_exp_strict(exp)... Failed. Done all possible transformations with this equivalence. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Doing insert instruction find i7 <= NU, i8 <= NU suchthat defined(x[i7], X[i7], x_3[i8]) && (x14 = exp(g, x_3[i8])) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8], x[i7]))) then event_abort cdh orfind i7 <= NU, i9 <= qD suchthat defined(x[i7], X[i7], x_2[i9]) && (x14 = exp(g, x_2[i9])) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9], x[i7]))) then event_abort cdh orfind i7 <= NU, i10 <= NS suchthat defined(x[i7], y[i10], X[i7], Y[i10]) && (x14 = Y[i10]) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10], x[i7]))) then event_abort cdh orfind i7 <= NU, i11 <= NP suchthat defined(x[i7], yp[i11], X[i7], Yp[i11]) && (x14 = Yp[i11]) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11], x[i7]))) then event_abort cdh orfind i6 <= NP suchthat defined(yp[i6], xp[i6], Xp[i6], Yp[i6]) && (x14 = Yp[i6]) && (x13 = Xp[i6]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6], yp[i6]))) then event_abort cdh at occurrence 2069... Warning: event cdh renamed into cdh_1 because cdh is already used. Warning: event cdh renamed into cdh_2 because cdh is already used. Warning: event cdh renamed into cdh_3 because cdh is already used. Warning: event cdh renamed into cdh_4 because cdh is already used. Done. Doing insert instruction find i19 <= NU, i20 <= NU suchthat defined(X[i19], x[i19], x_3[i20]) && (x04 = exp(g, x_3[i20])) && (x03 = X[i19]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20], x[i19]))) then event_abort cdh orfind i17 <= NU, i21 <= qD suchthat defined(X[i17], x[i17], x_2[i21]) && (x04 = exp(g, x_2[i21])) && (x03 = X[i17]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21], x[i17]))) then event_abort cdh orfind i15 <= NU, i22 <= NS suchthat defined(X[i15], Y[i22], x[i15], y[i22]) && (x04 = Y[i22]) && (x03 = X[i15]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22], x[i15]))) then event_abort cdh orfind i13 <= NU, i23 <= NP suchthat defined(X[i13], Yp[i23], x[i13], yp[i23]) && (x04 = Yp[i23]) && (x03 = X[i13]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23], x[i13]))) then event_abort cdh at occurrence 1921... Warning: event cdh renamed into cdh_5 because cdh is already used. Warning: event cdh renamed into cdh_6 because cdh is already used. Warning: event cdh renamed into cdh_7 because cdh is already used. Warning: event cdh renamed into cdh_8 because cdh is already used. Done. Doing simplify... Doing global dependency analysis on xp inside simplify... At 1683, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on yp inside simplify... At 1882, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 1864, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 1909, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 1822, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 1801, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 1683, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 1312, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_6 inside simplify... At 2526, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 1292, output message (r_4) depends on r_4. No change Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_3[i2_4458], X_1 -> g, Y_1 -> x14[ri_33] Probability: NU * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_3[i2_4452], X_1 -> g, Y_1 -> x04[ri_13] Probability: NU * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_2[i2_4440], X_1 -> g, Y_1 -> x14[ri_33] Probability: qD * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_2[i2_4434], X_1 -> g, Y_1 -> x04[ri_13] Probability: qD * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> xp[i2_4387], X_1 -> g, Y_1 -> x13[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_4387], X_1 -> g, Y_1 -> x14[ri_33] Probability: NP * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_4381], X_1 -> g, Y_1 -> x04[ri_13] Probability: NP * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x[i2_4373], X_1 -> g, Y_1 -> x03[ri_9] Probability: NU * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y, X_1 -> g, Y_1 -> x04[ri_9] Probability: NS * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x[i2_4362], X_1 -> g, Y_1 -> x13[ri_29] Probability: NU * qH1 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y, X_1 -> g, Y_1 -> x14[ri_29] Probability: NS * qH1 / |Z| Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on yp inside simplify... At 698, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on xp inside simplify... At 499, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on y inside simplify... At 680, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 725, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 638, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 617, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 499, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 337, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_6 inside simplify... At 1268, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 317, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Proved one-session secrecy of sk_u Eliminated collisions between exp(g, mult(yp[i2_4577], x[iU_19])) and x05[iH_5] Probability: qH0 * NP / |Z| (exp(g, mult(yp[i2_4577], x[iU_19])) collides with a value independent of x[iU_19] with probability at most 1 / |Z|; x05[iH_5] does not depend on x[iU_19]) Eliminated collisions between exp(g, mult(y[i2_4572], x[iU_13])) and x05[iH_4] Probability: qH0 * NS / |Z| (exp(g, mult(y[i2_4572], x[iU_13])) collides with a value independent of x[iU_13] with probability at most 1 / |Z|; x05[iH_4] does not depend on x[iU_13]) Eliminated collisions between exp(g, mult(x_2[i2_4567], x[iU_7])) and x05[iH_3] Probability: qD * qH0 / |Z| (exp(g, mult(x_2[i2_4567], x[iU_7])) collides with a value independent of x[iU_7] with probability at most 1 / |Z|; x05[iH_3] does not depend on x[iU_7]) Eliminated collisions between exp(g, mult(x_3[i2_4562], x[iU_1])) and x05[iH_2] Probability: qH0 * NU / |Z| (exp(g, mult(x_3[i2_4562], x[iU_1])) collides with a value independent of x[iU_1] with probability at most 1 / |Z|; x05[iH_2] does not depend on x[iU_1]) Eliminated collisions between y and yp Probability: NS * NP / |Z| Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between y and x_2 Probability: NS * qD / |Z| Eliminated collisions between x_3 and x_3 Probability: 0.5 / |Z| * NU * NU Eliminated collisions between y and x_3 Probability: NS * NU / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> yp[i2_4577], X_1 -> g, Y_1 -> x04[iH_5] Probability: NP * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> y[i2_4572], X_1 -> g, Y_1 -> x04[iH_4] Probability: NS * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_2[i2_4567], X_1 -> g, Y_1 -> x04[iH_3] Probability: qD * qH0 / |Z| Applied collision x_1 <-R Z; forall X_1: G, Y_1: G; return((exp(X_1, x_1) = Y_1)) <=(1 / |Z|)=> return(false) if X_1 independent-of x_1 && Y_1 independent-of x_1 with x_1 -> x_3[i2_4562], X_1 -> g, Y_1 -> x04[iH_2] Probability: NU * qH0 / |Z| Proved secrecy of sk_u Probability: (NS * NP + 0.5 * NS^2 + NS * qD + 0.5 * NU^2 + NS * NU + 2 * qH0 * NP + 2 * qH0 * NS + 2 * qD * qH0 + 2 * qH0 * NU) / |Z| Proof of (one-session) secrecy of sk_s failed: sk_s is defined from r; at 878, bad usage(s) of r. Eliminated collisions between x_2 and y Probability: qD * NS / |Z| Eliminated collisions between md_O_enc and md_O_enc Probability: 0.5 / |G| * NS * NS Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between yp and y Probability: NP * NS / |Z| Eliminated collisions between x_3 and y Probability: NU * NS / |Z| Proved query inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s Probability: (qD * NS + 0.5 * NS^2 + NP * NS + NU * NS) / |Z| + 0.5 * NS^2 / |G| Proof of event(Auth) ==> false with public variables sk_s, sk_u failed: Found Auth at 426 but could not prove false Proof of event(Encrypt) ==> false with public variables sk_u, sk_s failed: Found Encrypt at 244 but could not prove false Proof of event(cdh) ==> false with public variables sk_s, sk_u failed: Found cdh at 993 but could not prove false Proof of event(cdh_1) ==> false with public variables sk_s, sk_u failed: Found cdh_1 at 1031 but could not prove false Proof of event(cdh_2) ==> false with public variables sk_s, sk_u failed: Found cdh_2 at 1068 but could not prove false Proof of event(cdh_3) ==> false with public variables sk_s, sk_u failed: Found cdh_3 at 1105 but could not prove false Proof of event(cdh_4) ==> false with public variables sk_s, sk_u failed: Found cdh_4 at 1142 but could not prove false Proof of event(cdh_5) ==> false with public variables sk_u, sk_s failed: Found cdh_5 at 731 but could not prove false Proof of event(cdh_6) ==> false with public variables sk_u, sk_s failed: Found cdh_6 at 769 but could not prove false Proof of event(cdh_7) ==> false with public variables sk_u, sk_s failed: Found cdh_7 at 806 but could not prove false Proof of event(cdh_8) ==> false with public variables sk_u, sk_s failed: Found cdh_8 at 843 but could not prove false Doing SA rename r... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on yp inside simplify... At 739, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on xp inside simplify... At 541, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on y inside simplify... At 721, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 766, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 679, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 541, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 300, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 658, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on r_6 inside simplify... At 1457, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 280, output message (r_4) depends on r_4. No change Eliminated collisions between x_2 and y Probability: qD * NS / |Z| Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between yp and y Probability: NP * NS / |Z| Eliminated collisions between x_3 and y Probability: NU * NS / |Z| Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on yp inside simplify... At 530, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on xp inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on y inside simplify... At 512, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 557, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 470, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 449, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 225, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_6 inside simplify... At 1063, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 205, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Fixpoint reached. Done. Proved one-session secrecy of sk_s Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Proved secrecy of sk_s Probability: 0.5 * NS^2 / |Z| + 0.5 * NS^2 / |Z| Proof of event(Auth) ==> false with public variables sk_s, sk_u failed: Found Auth at 311 but could not prove false Proof of event(Encrypt) ==> false with public variables sk_u, sk_s failed: Found Encrypt at 184 but could not prove false Proof of event(cdh) ==> false with public variables sk_s, sk_u failed: Found cdh at 832 but could not prove false Proof of event(cdh_1) ==> false with public variables sk_s, sk_u failed: Found cdh_1 at 870 but could not prove false Proof of event(cdh_2) ==> false with public variables sk_s, sk_u failed: Found cdh_2 at 907 but could not prove false Proof of event(cdh_3) ==> false with public variables sk_s, sk_u failed: Found cdh_3 at 944 but could not prove false Proof of event(cdh_4) ==> false with public variables sk_s, sk_u failed: Found cdh_4 at 981 but could not prove false Proof of event(cdh_5) ==> false with public variables sk_u, sk_s failed: Found cdh_5 at 607 but could not prove false Proof of event(cdh_6) ==> false with public variables sk_u, sk_s failed: Found cdh_6 at 645 but could not prove false Proof of event(cdh_7) ==> false with public variables sk_u, sk_s failed: Found cdh_7 at 682 but could not prove false Proof of event(cdh_8) ==> false with public variables sk_u, sk_s failed: Found cdh_8 at 719 but could not prove false Sorry, the following queries remain unproved: - event(cdh_8) ==> false with public variables sk_u, sk_s - event(cdh_7) ==> false with public variables sk_u, sk_s - event(cdh_6) ==> false with public variables sk_u, sk_s - event(cdh_5) ==> false with public variables sk_u, sk_s - event(cdh_4) ==> false with public variables sk_s, sk_u - event(cdh_3) ==> false with public variables sk_s, sk_u - event(cdh_2) ==> false with public variables sk_s, sk_u - event(cdh_1) ==> false with public variables sk_s, sk_u - event(cdh) ==> false with public variables sk_s, sk_u - event(Encrypt) ==> false with public variables sk_u, sk_s - event(Auth) ==> false with public variables sk_s, sk_u Trying equivalence cdh(exp)... Failed. Doing SA rename K_u... Done. Doing remove assignments of findcond... No change. Doing simplify... Doing global dependency analysis on x_3 inside simplify... At 470, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on yp inside simplify... At 530, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on md_O_enc inside simplify... At 225, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on y inside simplify... At 512, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 557, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on xp inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 449, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on r_6 inside simplify... At 1211, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 205, output message (r_4) depends on r_4. No change Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Doing global dependency analysis on yp inside simplify... At 530, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on xp inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on xp. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on y inside simplify... At 512, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 557, output message (exp(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 470, output message (exp(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 449, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 332, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 225, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_6 inside simplify... At 1026, output message (r_6) depends on r_6. No change Doing global dependency analysis on r_4 inside simplify... At 205, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Fixpoint reached. Done. Trying equivalence cdh(exp) with x_2, x, y, yp, x_3, xp... Failed. Doing remove assignments of binder K_u_4... Done. Doing remove assignments of binder K_u_5... No change. Doing remove assignments of binder K_u_1... No change. Doing remove assignments of binder K_u_2... No change. Doing remove assignments of binder K_u_3... No change. Trying equivalence cdh(exp) with x_2, x, y, yp, x_3, xp... Transf. OK Eliminated collisions between x and xp Probability: NU * NP / |Z| Eliminated collisions between yp and x_3 Probability: NP * NU / |Z| Eliminated collisions between yp and x_2 Probability: NP * qD / |Z| Eliminated collisions between y and yp Probability: NS * NP / |Z| Eliminated collisions between y and x_3 Probability: NS * NU / |Z| Eliminated collisions between y and x_2 Probability: NS * qD / |Z| Eliminated collisions between x_2 and x_3 Probability: qD * NU / |Z| Eliminated collisions between x_3 and x_3 Probability: 0.5 / |Z| * NU * NU Eliminated collisions between x_2 and x_2 Probability: 0.5 / |Z| * qD * qD Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Eliminated collisions between x and x Probability: 0.5 / |Z| * NU * NU Eliminated collisions between yp and yp Probability: 0.5 / |Z| * NP * NP Eliminated collisions between xp and xp Probability: 0.5 / |Z| * NP * NP Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... Done. Doing expand... Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS Done. Doing remove assignments of findcond... No change. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 398, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 281, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 174, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on yp inside simplify... At 479, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on y inside simplify... At 461, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on x_2 inside simplify... At 506, output message (exp'(g, x_2)) depends on x_2. No change Doing global dependency analysis on x_3 inside simplify... At 419, output message (exp'(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 636, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 155, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 394, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 279, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 172, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on yp inside simplify... At 473, output message (Yp[u_40]) depends on yp. No change Doing global dependency analysis on y inside simplify... At 455, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on X_1 inside simplify... At 500, output message (X_1) depends on X_1. No change Doing global dependency analysis on x_3 inside simplify... At 415, output message (exp'(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 628, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 153, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 388, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 274, output message (U, Xp, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 172, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 467, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on y inside simplify... At 449, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on X_1 inside simplify... At 494, output message (X_1) depends on X_1. No change Doing global dependency analysis on x_3 inside simplify... At 409, output message (exp'(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 622, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 153, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between y and y Probability: 0.5 / |Z| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 382, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 269, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 172, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 461, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on y inside simplify... At 443, output message (Y[u_41]) depends on y. No change Doing global dependency analysis on X_1 inside simplify... At 488, output message (X_1) depends on X_1. No change Doing global dependency analysis on x_3 inside simplify... At 403, output message (exp'(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 616, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 153, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between X_4 and X_4 Probability: 0.5 / |G| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 376, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 263, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 167, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 455, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 437, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 482, output message (X_1) depends on X_1. No change Doing global dependency analysis on x_3 inside simplify... At 397, output message (exp'(g, x_3[u_43])) depends on x_3. No change Doing global dependency analysis on r_6 inside simplify... At 610, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 153, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between X_4 and X_4 Probability: 0.5 / |G| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 370, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 259, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 163, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 447, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 429, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 474, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_5 inside simplify... At 391, output message (X_5[u_43]) depends on X_5. No change Doing global dependency analysis on r_6 inside simplify... At 602, output message (r_6) depends on r_6. No change Doing global dependency analysis on x inside simplify... At 20, output message (U, X) depends on x. No change Doing global dependency analysis on r_4 inside simplify... At 149, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Eliminated collisions between X_4 and X_4 Probability: 0.5 / |G| * NS * NS No change. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 364, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 253, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 157, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 441, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 423, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 468, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_5 inside simplify... At 385, output message (X_5[u_43]) depends on X_5. No change Doing global dependency analysis on r_6 inside simplify... At 596, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 144, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... No change. Doing merge branches... No change. Trying equivalence exp'_to_group(exp)... Failed. Done all possible transformations with this equivalence. Doing SA rename Y_u... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 508, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 397, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 133, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 585, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 567, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 612, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_5 inside simplify... At 529, output message (X_5[u_43]) depends on X_5. No change Doing global dependency analysis on r_6 inside simplify... At 740, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 121, output message (r_4) depends on r_4. No change Eliminated collisions between X_4 and X_1[i2_5601] Probability: qD * NS / |G| (X_4 collides with a value independent of X_4 with probability at most 1 / |G|; X_1[i2_5601] does not depend on X_4) Eliminated collisions between X_4 and X_2[i2_5599] Probability: NP * NS / |G| (X_4 collides with a value independent of X_4 with probability at most 1 / |G|; X_2[i2_5599] does not depend on X_4) Eliminated collisions between X_4 and X_5[i2_5598] Probability: NU * NS / |G| (X_4 collides with a value independent of X_4 with probability at most 1 / |G|; X_5[i2_5598] does not depend on X_4) Eliminated collisions between X_4 and X_4 Probability: 0.5 / |G| * NS * NS Doing global dependency analysis on md_O_enc_2 inside simplify... At 327, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 216, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 131, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 404, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 386, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 431, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_5 inside simplify... At 348, output message (X_5[u_43]) depends on X_5. No change Doing global dependency analysis on r_6 inside simplify... At 559, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 119, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Fixpoint reached. Done. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Trying equivalence move_array(G) with X_5.... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on X_4 inside simplify... At 409, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on r_6 inside simplify... At 582, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on md_O_enc inside simplify... At 130, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_4 inside simplify... At 118, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 336, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 215, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 333, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 215, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 130, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 444, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 426, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 490, output message (X_1) depends on X_1. No change Doing global dependency analysis on Y_1 inside simplify... At 484, output message (Y_1) depends on Y_1. No change Doing global dependency analysis on r_6 inside simplify... At 618, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 118, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Doing SA rename u_43... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 335, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 215, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 130, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 419, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 401, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 465, output message (X_1) depends on X_1. No change Doing global dependency analysis on Y_1 inside simplify... At 459, output message (Y_1) depends on Y_1. No change Doing global dependency analysis on r_6 inside simplify... At 593, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 118, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 328, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 215, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 130, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 418, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 400, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 464, output message (X_1) depends on X_1. No change Doing global dependency analysis on Y_1 inside simplify... At 458, output message (Y_1) depends on Y_1. No change Doing global dependency analysis on r_6 inside simplify... At 592, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 118, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Doing simplify... Doing global dependency analysis on md_O_enc_2 inside simplify... At 328, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 215, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 130, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on X_2 inside simplify... At 412, output message (X_2[u_40]) depends on X_2. No change Doing global dependency analysis on X_4 inside simplify... At 394, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on X_1 inside simplify... At 458, output message (X_1) depends on X_1. No change Doing global dependency analysis on Y_1 inside simplify... At 452, output message (Y_1) depends on Y_1. No change Doing global dependency analysis on r_6 inside simplify... At 586, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 118, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... Done. Doing merge branches... No change. Doing merge variables (X_1, Y_1) (no branch variables)... No change. Doing merge variables (r_12, r_10) (no branch variables)... No change. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(Ystar_u[u_68[ri_62]], Y_1[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], Ystar_u[u_68[ri_61]]) && (m = Ystar_u[u_68[ri_61]]) && (kd = pw0) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Doing merge variables (X_1, Y_1)... Done. Doing merge branches... Done. Trying equivalence move_array(G) with X_2.... Transf. OK Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on X_4 inside simplify... At 349, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on r_6 inside simplify... At 484, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on md_O_enc inside simplify... At 71, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 257, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 155, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 71, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 254, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_4 inside simplify... At 365, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on Y_3 inside simplify... At 384, output message (Y_3) depends on Y_3. No change Doing global dependency analysis on X_1 inside simplify... At 390, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 518, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Eliminated collisions between md_O_enc_1 and md_O_enc_1 Probability: 0.5 / |G| * NP * NP Run simplify 2 time(s). Maximum reached. Done. Doing SA rename u_40... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc_1 inside simplify... At 155, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 71, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 257, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_4 inside simplify... At 342, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on Y_3 inside simplify... At 361, output message (Y_3) depends on Y_3. No change Doing global dependency analysis on X_1 inside simplify... At 367, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 495, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_1 inside simplify... At 155, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 71, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 250, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_4 inside simplify... At 342, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on Y_3 inside simplify... At 361, output message (Y_3) depends on Y_3. No change Doing global dependency analysis on X_1 inside simplify... At 367, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 495, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Doing simplify... Doing global dependency analysis on md_O_enc_1 inside simplify... At 155, output message (U, X_3, S, md_O_enc_1, r_5) depends on md_O_enc_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 71, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 250, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_4 inside simplify... At 336, output message (X_4[u_41]) depends on X_4. No change Doing global dependency analysis on Y_3 inside simplify... At 355, output message (Y_3) depends on Y_3. No change Doing global dependency analysis on X_1 inside simplify... At 361, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 489, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... Done. Doing merge branches... No change. Doing merge variables (X_1, Y_3) (no branch variables)... Done. Doing merge branches... Done. Trying equivalence move_array(G) with X_4.... Transf. OK Eliminated collisions between r_6 and r_6 Probability: 0.5 / |hash1| * qH1 * qH1 Proba. computed Transf. done Succeeded. Doing simplify (non-expanded game)... No change. Doing expand... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 248, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 242, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on Y_4 inside simplify... At 354, output message (Y_4) depends on Y_4. No change Doing global dependency analysis on X_1 inside simplify... At 360, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 488, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Eliminated collisions between md_O_enc and md_O_enc Probability: 0.5 / |G| * NS * NS Run simplify 2 time(s). Maximum reached. Done. Doing SA rename u_41... Done. Doing remove assignments of findcond... Done. Doing simplify... Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 245, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on Y_4 inside simplify... At 331, output message (Y_4) depends on Y_4. No change Doing global dependency analysis on X_1 inside simplify... At 337, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 465, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 238, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on Y_4 inside simplify... At 331, output message (Y_4) depends on Y_4. No change Doing global dependency analysis on X_1 inside simplify... At 337, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 465, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Maximum reached. Done. Doing simplify... Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 238, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on Y_4 inside simplify... At 325, output message (Y_4) depends on Y_4. No change Doing global dependency analysis on X_1 inside simplify... At 331, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 459, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Run simplify 1 time(s). Fixpoint reached. No change. Doing move all binders... No change. Doing remove assignments of findcond... Done. Doing merge branches... No change. Doing merge variables (X_1, Y_4) (no branch variables)... Done. Doing merge branches... No change. Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], X_1[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = X_1[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then X_1 <-R G; return(X_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Doing insert instruction find jh' <= qH1, jd <= qD suchthat defined(x11[jh'], x12[jh'], x13[jh'], x14[jh'], r_6[jh'], m[jd], kd[jd], X_1[jd]) && (m[jd] = md_O_enc) && (U = x11[jh']) && (S = x12[jh']) && (X_s = x13[jh']) && (x14[jh'] = X_1[jd]) && (auth_s = r_6[jh']) && (kd[jd] = pw0) then event_abort Auth2 at occurrence 112... Done. Doing simplify... Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 266, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_1 inside simplify... At 328, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 462, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 225, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_1 inside simplify... At 287, output message (X_1) depends on X_1. No change Doing global dependency analysis on r_6 inside simplify... At 421, output message (r_6) depends on r_6. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on r_4 inside simplify... At 59, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Fixpoint reached. Done. Doing merge branches... Done. Doing simplify with collision elimination at variables: pw0... Doing global dependency analysis on md_O_enc_2 inside simplify... At 225, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_1 inside simplify... At 275, output message (X_1) depends on X_1. No change Doing global dependency analysis on md_O_enc inside simplify... At 70, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_6 inside simplify... At 403, output message (r_6) depends on r_6. No change Doing global dependency analysis on pw0 inside simplify... Done. Restarting simplify Eliminated collisions between pw0 and kd[jd_1] Probability: NS / |passwd| (pw0 collides with a value independent of pw0[...] with probability at most 1 / |passwd|; kd[jd_1] does not depend on pw0[...]) Eliminated collisions between pw0 and ke[ri_56] Probability: NU / |passwd| (pw0 collides with a value independent of pw0[...] with probability at most 1 / |passwd|; ke[ri_56] does not depend on pw0[...]) Eliminated collisions between X_1 and X_1 Probability: 0.5 / |G| * qD * qD Eliminated collisions between r_6 and r_6 Probability: 0.5 / |hash1| * qH1 * qH1 Eliminated collisions between md_O_enc_2 and md_O_enc_2 Probability: 0.5 / |G| * qE * qE Doing global dependency analysis on md_O_enc_2 inside simplify... At 165, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_1 inside simplify... At 215, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_6 inside simplify... At 15, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on md_O_enc inside simplify... At 57, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_4 inside simplify... At 46, output message (r_4) depends on r_4. No change Doing global dependency analysis on md_O_enc_2 inside simplify... At 163, output message (md_O_enc_2) depends on md_O_enc_2. No change Doing global dependency analysis on X_1 inside simplify... At 213, output message (X_1) depends on X_1. No change Doing global dependency analysis on X_6 inside simplify... At 14, output message (U, X_6) depends on X_6. No change Doing global dependency analysis on md_O_enc inside simplify... At 56, output message (S, md_O_enc) depends on md_O_enc. No change Doing global dependency analysis on r_4 inside simplify... At 45, output message (r_4) depends on r_4. No change Run simplify 2 time(s). Fixpoint reached. Done. Proved query event(Auth) ==> false with public variables sk_s, sk_u Proved query event(Encrypt) ==> false with public variables sk_u, sk_s Proved query event(cdh) ==> false with public variables sk_s, sk_u Proved query event(cdh_1) ==> false with public variables sk_s, sk_u Proved query event(cdh_2) ==> false with public variables sk_s, sk_u Proved query event(cdh_3) ==> false with public variables sk_s, sk_u Proved query event(cdh_4) ==> false with public variables sk_s, sk_u Proved query event(cdh_5) ==> false with public variables sk_u, sk_s Proved query event(cdh_6) ==> false with public variables sk_u, sk_s Proved query event(cdh_7) ==> false with public variables sk_u, sk_s Proved query event(cdh_8) ==> false with public variables sk_u, sk_s Proved query event(Auth2) ==> false with public variables sk_s, sk_u ===================== Proof starts ======================= Initial state Game 1 is Ostart() := hk0_1 <-R hashkey; hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- h0(hk0_1, concat(U, S, X, Y_u, K_u)); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- h0(hk0_1, concat(U, S, X_s, Y, K_s)); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); sk_p: hash0 <- h0(hk0_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := return(h0(hk0_1, x1)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying remove assignments of findcond - Remove assignments on sk_p (definition removed, all usages removed) yields Game 2 is Ostart() := hk0_1 <-R hashkey; hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- h0(hk0_1, concat(U, S, X, Y_u, K_u)); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- h0(hk0_1, concat(U, S, X_s, Y, K_s)); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := {254} return(h0(hk0_1, x1)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Proved event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s in game 2 up to probability 0.5 * NU^2 / |Z| Applying insert instruction let concat(x01,x02,x03,x04,x05) = x1 in at occurrence 254 yields Game 3 is Ostart() := hk0_1 <-R hashkey; hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- h0(hk0_1, concat(U, S, X, Y_u, K_u)); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- h0(hk0_1, concat(U, S, X_s, Y, K_s)); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in return(h0(hk0_1, x1)) else return(h0(hk0_1, x1)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying equivalence rom(h0) - Equivalence rom(h0) with variables: hk0_1 -> hk yields Game 4 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- (x_O: bitstring <- concat(U, S, X, Y_u, K_u); {64}find [unique] u_15 = ri_15 <= NU suchthat defined(x_O[ri_15], r[ri_15]) && (x_O = x_O[ri_15]) then r[u_15] orfind u_14 = ri_14 <= NS suchthat defined(x_O_1[ri_14], r_1[ri_14]) && (x_O = x_O_1[ri_14]) then r_1[u_14] orfind u_13 = ri_13 <= qH0 suchthat defined(x_O_2[ri_13], r_2[ri_13]) && (x_O = x_O_2[ri_13]) then r_2[u_13] orfind u_12 = ri_12 <= qH0 suchthat defined(x_O_3[ri_12], r_3[ri_12]) && {97}(x_O = x_O_3[ri_12]) then r_3[u_12] else r <-R hash0; r); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- (x_O_1: bitstring <- concat(U, S, X_s, Y, K_s); {188}find [unique] u_11 = ri_11 <= NU suchthat defined(x_O[ri_11], r[ri_11]) && (x_O_1 = x_O[ri_11]) then r[u_11] orfind u_10 = ri_10 <= NS suchthat defined(x_O_1[ri_10], r_1[ri_10]) && (x_O_1 = x_O_1[ri_10]) then r_1[u_10] orfind u_9 = ri_9 <= qH0 suchthat defined(x_O_2[ri_9], r_2[ri_9]) && (x_O_1 = x_O_2[ri_9]) then r_2[u_9] orfind u_8 = ri_8 <= qH0 suchthat defined(x_O_3[ri_8], r_3[ri_8]) && {221}(x_O_1 = x_O_3[ri_8]) then r_3[u_8] else r_1 <-R hash0; r_1); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in return((x_O_2: bitstring <- x1; {347}find [unique] u_7 = ri_7 <= NU suchthat defined(x_O[ri_7], r[ri_7]) && (x_O_2 = x_O[ri_7]) then r[u_7] orfind u_6 = ri_6 <= NS suchthat defined(x_O_1[ri_6], r_1[ri_6]) && (x_O_2 = x_O_1[ri_6]) then r_1[u_6] orfind u_5 = ri_5 <= qH0 suchthat defined(x_O_2[ri_5], r_2[ri_5]) && (x_O_2 = x_O_2[ri_5]) then r_2[u_5] orfind u_4 = ri_4 <= qH0 suchthat defined(x_O_3[ri_4], r_3[ri_4]) && {380}(x_O_2 = x_O_3[ri_4]) then r_3[u_4] else r_2 <-R hash0; r_2)) else return((x_O_3: bitstring <- x1; {397}find [unique] u_3 = ri_3 <= NU suchthat defined(x_O[ri_3], r[ri_3]) && {400}(x_O_3 = x_O[ri_3]) then r[u_3] orfind u_2 = ri_2 <= NS suchthat defined(x_O_1[ri_2], r_1[ri_2]) && {410}(x_O_3 = x_O_1[ri_2]) then r_1[u_2] orfind u_1 = ri_1 <= qH0 suchthat defined(x_O_2[ri_1], r_2[ri_1]) && {420}(x_O_3 = x_O_2[ri_1]) then r_2[u_1] orfind u = ri <= qH0 suchthat defined(x_O_3[ri], r_3[ri]) && (x_O_3 = x_O_3[ri]) then r_3[u] else r_3 <-R hash0; r_3)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying simplify (non-expanded game) [probability (0.5 * NS^2 + 0.5 * NU^2) / |Z|] - Simplification pass - Replaced (x_O = x_O_3[ri_12]) with false at 97 - Remove branch 4 in find at 64 - Replaced (x_O_1 = x_O_3[ri_8]) with false at 221 - Remove branch 4 in find at 188 - Replaced (x_O_2 = x_O_3[ri_4]) with false at 380 - Remove branch 4 in find at 347 - Replaced (x_O_3 = x_O_2[ri_1]) with false at 420 - Remove branch 3 in find at 397 - Replaced (x_O_3 = x_O_1[ri_2]) with false at 410 - Remove branch 2 in find at 397 - Replaced (x_O_3 = x_O[ri_3]) with false at 400 - Remove branch 1 in find at 397 yields Game 5 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); sk_u: hash0 <- (x_O: bitstring <- concat(U, S, X, Y_u, K_u); {64}find [unique] u_15 = ri_15 <= NU suchthat defined(x_O[ri_15], r[ri_15]) && (x_O = x_O[ri_15]) then r[u_15] orfind u_14 = ri_14 <= NS suchthat defined(x_O_1[ri_14], r_1[ri_14]) && (x_O = x_O_1[ri_14]) then r_1[u_14] orfind u_13 = ri_13 <= qH0 suchthat defined(x_O_2[ri_13], r_2[ri_13]) && (x_O = x_O_2[ri_13]) then r_2[u_13] else r <-R hash0; r); event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then sk_s: hash0 <- (x_O_1: bitstring <- concat(U, S, X_s, Y, K_s); {178}find [unique] u_11 = ri_11 <= NU suchthat defined(x_O[ri_11], r[ri_11]) && (x_O_1 = x_O[ri_11]) then r[u_11] orfind u_10 = ri_10 <= NS suchthat defined(x_O_1[ri_10], r_1[ri_10]) && (x_O_1 = x_O_1[ri_10]) then r_1[u_10] orfind u_9 = ri_9 <= qH0 suchthat defined(x_O_2[ri_9], r_2[ri_9]) && (x_O_1 = x_O_2[ri_9]) then r_2[u_9] else r_1 <-R hash0; r_1); event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in return((x_O_2: bitstring <- x1; find [unique] u_7 = ri_7 <= NU suchthat defined(x_O[ri_7], r[ri_7]) && (x_O_2 = x_O[ri_7]) then r[u_7] orfind u_6 = ri_6 <= NS suchthat defined(x_O_1[ri_6], r_1[ri_6]) && (x_O_2 = x_O_1[ri_6]) then r_1[u_6] orfind u_5 = ri_5 <= qH0 suchthat defined(x_O_2[ri_5], r_2[ri_5]) && (x_O_2 = x_O_2[ri_5]) then r_2[u_5] else r_2 <-R hash0; r_2)) else return((x_O_3: bitstring <- x1; find [unique] u = ri <= qH0 suchthat defined(x_O_3[ri], r_3[ri]) && (x_O_3 = x_O_3[ri]) then r_3[u] else r_3 <-R hash0; r_3)) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying expand [probability (0.5 * NU^2 + 0.5 * NS^2) / |Z|] - Expand if/find/let - Remove branch 2 in find at 178 - Remove branch 1 in find at 64 yields Game 6 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); x_O: bitstring <- concat(U, S, X, Y_u, K_u); find [unique] u_14 = ri_14 <= NS suchthat defined(x_O_1[ri_14], r_1[ri_14]) && (x_O = x_O_1[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(x_O_2[ri_13], r_2[ri_13]) && (x_O = x_O_2[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, sk_u, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then x_O_1: bitstring <- concat(U, S, X_s, Y, K_s); find [unique] u_11 = ri_11 <= NU suchthat defined(x_O[ri_11], r[ri_11]) && (x_O_1 = x_O[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, sk_s); return() orfind u_9 = ri_9 <= qH0 suchthat defined(x_O_2[ri_9], r_2[ri_9]) && (x_O_1 = x_O_2[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, sk_s); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, sk_s); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in x_O_2: bitstring <- x1; find [unique] u_7 = ri_7 <= NU suchthat defined(x_O[ri_7], r[ri_7]) && (x_O_2 = x_O[ri_7]) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(x_O_1[ri_6], r_1[ri_6]) && (x_O_2 = x_O_1[ri_6]) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(x_O_2[ri_5], r_2[ri_5]) && (x_O_2 = x_O_2[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else x_O_3: bitstring <- x1; find [unique] u = ri <= qH0 suchthat defined(x_O_3[ri], r_3[ri]) && (x_O_3 = x_O_3[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying remove assignments of findcond - Remove assignments on x_O_3 (definition point kept, all usages removed) - Remove assignments on x_O_2 (definition point kept, all usages removed) - Remove assignments on sk_s (definition kept, all usages removed) - Remove assignments on sk_s (definition kept, all usages removed) - Remove assignments on sk_s (definition kept, all usages removed) - Remove assignments on sk_u (definition kept, all usages removed) - Remove assignments on sk_u (definition kept, all usages removed) - Remove assignments on sk_u (definition kept, all usages removed) yields Game 7 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); x_O: bitstring <- concat(U, S, X, Y_u, K_u); {63} find [unique] u_14 = ri_14 <= NS suchthat defined(x_O_1[ri_14], r_1[ri_14]) && {66}(x_O = x_O_1[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(x1[ri_13], x_O_2[ri_13], r_2[ri_13]) && {100}(x_O = x1[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then x_O_1: bitstring <- concat(U, S, X_s, Y, K_s); {215} find [unique] u_11 = ri_11 <= NU suchthat defined(x_O[ri_11], r[ri_11]) && {218}(x_O_1 = x_O[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(x1[ri_9], x_O_2[ri_9], r_2[ri_9]) && {249}(x_O_1 = x1[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in x_O_2: bitstring <- cst_bitstring; {394} find [unique] u_7 = ri_7 <= NU suchthat defined(x_O[ri_7], r[ri_7]) && {397}(x1 = x_O[ri_7]) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(x_O_1[ri_6], r_1[ri_6]) && {410}(x1 = x_O_1[ri_6]) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(x1[ri_5], x_O_2[ri_5], r_2[ri_5]) && {424}(x1 = x1[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else x_O_3: bitstring <- cst_bitstring; {444} find [unique] u = ri <= qH0 suchthat defined(x1[ri], x_O_3[ri], r_3[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying simplify - Simplification pass - Replaced defined condition x1[ri], x_O_3[ri], r_3[ri] with r_3[ri], x1[ri] in find at 444 - Replaced (x1 = x1[ri_5]) with ((x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5])) at 424 - Replaced defined condition x1[ri_5], x_O_2[ri_5], r_2[ri_5] with r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5] in find at 394 - Replaced (x1 = x_O_1[ri_6]) with ((x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U)) at 410 - Replaced defined condition x_O_1[ri_6], r_1[ri_6] with r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6] in find at 394 - Replaced (x1 = x_O[ri_7]) with ((x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U)) at 397 - Replaced defined condition x_O[ri_7], r[ri_7] with r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7] in find at 394 - Replaced (x_O_1 = x1[ri_9]) with ((K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9])) at 249 - Replaced defined condition x1[ri_9], x_O_2[ri_9], r_2[ri_9] with r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9] in find at 215 - Replaced (x_O_1 = x_O[ri_11]) with ((X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11])) at 218 - Replaced defined condition x_O[ri_11], r[ri_11] with r[ri_11], Y_u[ri_11], x[ri_11] in find at 215 - Replaced (x_O = x1[ri_13]) with ((K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) at 100 - Replaced defined condition x1[ri_13], x_O_2[ri_13], r_2[ri_13] with r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13] in find at 63 - Replaced (x_O = x_O_1[ri_14]) with ((X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) at 66 - Replaced defined condition x_O_1[ri_14], r_1[ri_14] with r_1[ri_14], Y[ri_14], X_s[ri_14] in find at 63 yields Game 8 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); x_O: bitstring <- concat(U, S, X, Y_u, K_u); find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then x_O_1: bitstring <- concat(U, S, X_s, Y, K_s); find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in x_O_2: bitstring <- cst_bitstring; find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else x_O_3: bitstring <- cst_bitstring; find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := return(h1(hk1_1, x1_1)) )) Applying move all binders - Move assignment to x_O_3 - Move assignment to x_O_2 - Move assignment to x_O_1 - Move assignment to x_O yields Game 9 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := {583} return(h1(hk1_1, x1_1)) )) Applying insert instruction let concat(x11,x12,x13,x14,x15) = x1_1 in at occurrence 583 yields Game 10 is Ostart() := hk1_1 <-R hashkey; ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- h1(hk1_1, concat(U, S, X, Y_u, K_u)); find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if auth_s = h1(hk1_1, concat(U, S, X_s, Y, K_s)) then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- h1(hk1_1, concat(U, S, Xp, Yp, Kp)); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in return(h1(hk1_1, x1_1)) else return(h1(hk1_1, x1_1)) )) Applying equivalence rom(h1) [probability NS / |hash1|] - Equivalence rom(h1) with variables: hk1_1 -> hk yields Game 11 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- (x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); {51}find [unique] u_35 = ri_35 <= NU suchthat defined(x_O_4[ri_35], r_4[ri_35]) && (x_O_4 = x_O_4[ri_35]) then r_4[u_35] orfind u_34 = ri_34 <= NP suchthat defined(x_O_5[ri_34], r_5[ri_34]) && {64}(x_O_4 = x_O_5[ri_34]) then r_5[u_34] orfind u_33 = ri_33 <= qH1 suchthat defined(x_O_6[ri_33], r_6[ri_33]) && (x_O_4 = x_O_6[ri_33]) then r_6[u_33] orfind u_32 = ri_32 <= qH1 suchthat defined(x_O_7[ri_32], r_7[ri_32]) && {84}(x_O_4 = x_O_7[ri_32]) then r_7[u_32] else r_4 <-R hash1; r_4); find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); if (x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); X_Oeq: hash1 <- auth_s; {269}find [unique] u_31 = ri_31 <= NU suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_Oeq = x_O_4[ri_31]) then (X_Oeq = r_4[u_31]) orfind u_30 = ri_30 <= NP suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {285}(x_Oeq = x_O_5[ri_30]) then (X_Oeq = r_5[u_30]) orfind u_29 = ri_29 <= qH1 suchthat defined(x_O_6[ri_29], r_6[ri_29]) && (x_Oeq = x_O_6[ri_29]) then (X_Oeq = r_6[u_29]) orfind u_28 = ri_28 <= qH1 suchthat defined(x_O_7[ri_28], r_7[ri_28]) && {311}(x_Oeq = x_O_7[ri_28]) then (X_Oeq = r_7[u_28]) else false) then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- (x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); {485}find [unique] u_27 = ri_27 <= NU suchthat defined(x_O_4[ri_27], r_4[ri_27]) && {488}(x_O_5 = x_O_4[ri_27]) then r_4[u_27] orfind u_26 = ri_26 <= NP suchthat defined(x_O_5[ri_26], r_5[ri_26]) && (x_O_5 = x_O_5[ri_26]) then r_5[u_26] orfind u_25 = ri_25 <= qH1 suchthat defined(x_O_6[ri_25], r_6[ri_25]) && (x_O_5 = x_O_6[ri_25]) then r_6[u_25] orfind u_24 = ri_24 <= qH1 suchthat defined(x_O_7[ri_24], r_7[ri_24]) && {518}(x_O_5 = x_O_7[ri_24]) then r_7[u_24] else r_5 <-R hash1; r_5); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in return((x_O_6: bitstring <- x1_1; {729}find [unique] u_23 = ri_23 <= NU suchthat defined(x_O_4[ri_23], r_4[ri_23]) && (x_O_6 = x_O_4[ri_23]) then r_4[u_23] orfind u_22 = ri_22 <= NP suchthat defined(x_O_5[ri_22], r_5[ri_22]) && (x_O_6 = x_O_5[ri_22]) then r_5[u_22] orfind u_21 = ri_21 <= qH1 suchthat defined(x_O_6[ri_21], r_6[ri_21]) && (x_O_6 = x_O_6[ri_21]) then r_6[u_21] orfind u_20 = ri_20 <= qH1 suchthat defined(x_O_7[ri_20], r_7[ri_20]) && {762}(x_O_6 = x_O_7[ri_20]) then r_7[u_20] else r_6 <-R hash1; r_6)) else return((x_O_7: bitstring <- x1_1; {779}find [unique] u_19 = ri_19 <= NU suchthat defined(x_O_4[ri_19], r_4[ri_19]) && {782}(x_O_7 = x_O_4[ri_19]) then r_4[u_19] orfind u_18 = ri_18 <= NP suchthat defined(x_O_5[ri_18], r_5[ri_18]) && {792}(x_O_7 = x_O_5[ri_18]) then r_5[u_18] orfind u_17 = ri_17 <= qH1 suchthat defined(x_O_6[ri_17], r_6[ri_17]) && {802}(x_O_7 = x_O_6[ri_17]) then r_6[u_17] orfind u_16 = ri_16 <= qH1 suchthat defined(x_O_7[ri_16], r_7[ri_16]) && (x_O_7 = x_O_7[ri_16]) then r_7[u_16] else r_7 <-R hash1; r_7)) )) Applying simplify (non-expanded game) [probability (NS * NP + 0.5 * NU^2 + NU * NP + NP^2) / |Z|] - Simplification pass - Replaced (x_O_4 = x_O_7[ri_32]) with false at 84 - Remove branch 4 in find at 51 - Replaced (x_O_4 = x_O_5[ri_34]) with false at 64 - Remove branch 2 in find at 51 - Replaced (x_Oeq = x_O_7[ri_28]) with false at 311 - Remove branch 4 in find at 269 - Replaced (x_Oeq = x_O_5[ri_30]) with false at 285 - Remove branch 2 in find at 269 - Replaced (x_O_5 = x_O_7[ri_24]) with false at 518 - Remove branch 4 in find at 485 - Replaced (x_O_5 = x_O_4[ri_27]) with false at 488 - Remove branch 1 in find at 485 - Replaced (x_O_6 = x_O_7[ri_20]) with false at 762 - Remove branch 4 in find at 729 - Replaced (x_O_7 = x_O_6[ri_17]) with false at 802 - Remove branch 3 in find at 779 - Replaced (x_O_7 = x_O_5[ri_18]) with false at 792 - Remove branch 2 in find at 779 - Replaced (x_O_7 = x_O_4[ri_19]) with false at 782 - Remove branch 1 in find at 779 yields Game 12 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); auth_u: hash1 <- (x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); {51}find [unique] u_35 = ri_35 <= NU suchthat defined(x_O_4[ri_35], r_4[ri_35]) && (x_O_4 = x_O_4[ri_35]) then r_4[u_35] orfind u_33 = ri_33 <= qH1 suchthat defined(x_O_6[ri_33], r_6[ri_33]) && (x_O_4 = x_O_6[ri_33]) then r_6[u_33] else r_4 <-R hash1; r_4); find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); {235} if (x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); X_Oeq: hash1 <- auth_s; find [unique] u_31 = ri_31 <= NU suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_Oeq = x_O_4[ri_31]) then (X_Oeq = r_4[u_31]) orfind u_29 = ri_29 <= qH1 suchthat defined(x_O_6[ri_29], r_6[ri_29]) && (x_Oeq = x_O_6[ri_29]) then (X_Oeq = r_6[u_29]) else false) then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); authp: hash1 <- (x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); {439}find [unique] u_26 = ri_26 <= NP suchthat defined(x_O_5[ri_26], r_5[ri_26]) && (x_O_5 = x_O_5[ri_26]) then r_5[u_26] orfind u_25 = ri_25 <= qH1 suchthat defined(x_O_6[ri_25], r_6[ri_25]) && (x_O_5 = x_O_6[ri_25]) then r_6[u_25] else r_5 <-R hash1; r_5); return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in return((x_O_6: bitstring <- x1_1; find [unique] u_23 = ri_23 <= NU suchthat defined(x_O_4[ri_23], r_4[ri_23]) && (x_O_6 = x_O_4[ri_23]) then r_4[u_23] orfind u_22 = ri_22 <= NP suchthat defined(x_O_5[ri_22], r_5[ri_22]) && (x_O_6 = x_O_5[ri_22]) then r_5[u_22] orfind u_21 = ri_21 <= qH1 suchthat defined(x_O_6[ri_21], r_6[ri_21]) && (x_O_6 = x_O_6[ri_21]) then r_6[u_21] else r_6 <-R hash1; r_6)) else return((x_O_7: bitstring <- x1_1; find [unique] u_16 = ri_16 <= qH1 suchthat defined(x_O_7[ri_16], r_7[ri_16]) && (x_O_7 = x_O_7[ri_16]) then r_7[u_16] else r_7 <-R hash1; r_7)) )) Applying expand [probability (0.5 * NU^2 + 0.5 * NP^2) / |Z|] - Expand if/find/let - Remove branch 1 in find at 439 - Test at 235 always false - Remove branch 1 in find at 51 yields Game 13 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); find [unique] u_33 = ri_33 <= qH1 suchthat defined(x_O_6[ri_33], r_6[ri_33]) && (x_O_4 = x_O_6[ri_33]) then auth_u: hash1 <- r_6[u_33]; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) else r_4 <-R hash1; auth_u: hash1 <- r_4; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, auth_u, r_1[u_14], iU); return(auth_u) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, auth_u, r_2[u_13], iU); return(auth_u) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, auth_u, r, iU); return(auth_u) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); X_Oeq: hash1 <- auth_s; find [unique] u_31 = ri_31 <= NU suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_Oeq = x_O_4[ri_31]) then ( if X_Oeq = r_4[u_31] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(x_O_6[ri_29], r_6[ri_29]) && (x_Oeq = x_O_6[ri_29]) then ( if X_Oeq = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); find [unique] u_25 = ri_25 <= qH1 suchthat defined(x_O_6[ri_25], r_6[ri_25]) && (x_O_5 = x_O_6[ri_25]) then authp: hash1 <- r_6[u_25]; return(U, Xp, S, Ystarp, authp) else r_5 <-R hash1; authp: hash1 <- r_5; return(U, Xp, S, Ystarp, authp) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in x_O_6: bitstring <- x1_1; find [unique] u_23 = ri_23 <= NU suchthat defined(x_O_4[ri_23], r_4[ri_23]) && (x_O_6 = x_O_4[ri_23]) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(x_O_5[ri_22], r_5[ri_22]) && (x_O_6 = x_O_5[ri_22]) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(x_O_6[ri_21], r_6[ri_21]) && (x_O_6 = x_O_6[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else x_O_7: bitstring <- x1_1; find [unique] u_16 = ri_16 <= qH1 suchthat defined(x_O_7[ri_16], r_7[ri_16]) && (x_O_7 = x_O_7[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on x_O_7 (definition point kept, all usages removed) - Remove assignments on x_O_6 (definition point kept, all usages removed) - Remove assignments on authp (definition removed, all usages removed) - Remove assignments on authp (definition removed, all usages removed) - Remove assignments on X_Oeq (definition removed, all usages removed) - Remove assignments on auth_u (definition removed, all usages removed) - Remove assignments on auth_u (definition removed, all usages removed) yields Game 14 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); {50} find [unique] u_33 = ri_33 <= qH1 suchthat defined(x1_1[ri_33], x_O_6[ri_33], r_6[ri_33]) && (x_O_4 = x1_1[ri_33]) then {59} find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_1[u_14], iU); return(r_6[u_33]) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_2[u_13], iU); return(r_6[u_33]) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_33], r, iU); return(r_6[u_33]) else r_4 <-R hash1; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); {363} find [unique] u_31 = ri_31 <= NU suchthat defined(x_O_4[ri_31], r_4[ri_31]) && {366}(x_Oeq = x_O_4[ri_31]) then ( if auth_s = r_4[u_31] then {378} find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && {382}((X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11])) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(x1_1[ri_29], x_O_6[ri_29], r_6[ri_29]) && {500}(x_Oeq = x1_1[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); {675} find [unique] u_25 = ri_25 <= qH1 suchthat defined(x1_1[ri_25], x_O_6[ri_25], r_6[ri_25]) && {679}(x_O_5 = x1_1[ri_25]) then return(U, Xp, S, Ystarp, r_6[u_25]) else r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in x_O_6: bitstring <- cst_bitstring; {894} find [unique] u_23 = ri_23 <= NU suchthat defined(x_O_4[ri_23], r_4[ri_23]) && {897}(x1_1 = x_O_4[ri_23]) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(x_O_5[ri_22], r_5[ri_22]) && {910}(x1_1 = x_O_5[ri_22]) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(x1_1[ri_21], x_O_6[ri_21], r_6[ri_21]) && {924}(x1_1 = x1_1[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else x_O_7: bitstring <- cst_bitstring; {944} find [unique] u_16 = ri_16 <= qH1 suchthat defined(x1_1[ri_16], x_O_7[ri_16], r_7[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (0.5 * NU^2 + 2 * NP * qH1) / |Z|] - Simplification pass - Replaced defined condition x1_1[ri_16], x_O_7[ri_16], r_7[ri_16] with r_7[ri_16], x1_1[ri_16] in find at 944 - Replaced (x1_1 = x1_1[ri_21]) with ((x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21])) at 924 - Replaced defined condition x1_1[ri_21], x_O_6[ri_21], r_6[ri_21] with r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21] in find at 894 - Replaced (x1_1 = x_O_5[ri_22]) with ((x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U)) at 910 - Replaced defined condition x_O_5[ri_22], r_5[ri_22] with r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22] in find at 894 - Replaced (x1_1 = x_O_4[ri_23]) with ((x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U)) at 897 - Replaced defined condition x_O_4[ri_23], r_4[ri_23] with r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23] in find at 894 - Replaced (x_O_5 = x1_1[ri_25]) with false at 679 - Remove branch 1 in find at 675 - Find at 675 removed (else branch kept if any) - Replaced (x_Oeq = x1_1[ri_29]) with ((K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29])) at 500 - Replaced defined condition x1_1[ri_29], x_O_6[ri_29], r_6[ri_29] with r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29] in find at 363 - Replaced (x_Oeq = x_O_4[ri_31]) with ((X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31])) at 366 - Replaced ((X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11])) with (u_31 = ri_11) at 382 - In branch 1 of find at 378, substituting u_11 with u_31 - Replaced defined condition r[ri_11], Y_u[ri_11], x[ri_11] with r[u_31] in find at 378 - Replaced defined condition x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], Y_u[ri_31], x[ri_31] in find at 363 - Simplified find at 59 in branch of find at 50 yields Game 15 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); {50} find [unique] u_33 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(x1_1[ri_33], x_O_6[ri_33], r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14]) && {57}((x_O_4 = x1_1[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_1[u_14], iU); return(r_6[u_33]) orfind u_33 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(x1_1[ri_33], x_O_6[ri_33], r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {113}((x_O_4 = x1_1[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_2[u_13], iU); return(r_6[u_33]) else {174} find [unique] u_33 = ri_33 <= qH1 suchthat defined(x1_1[ri_33], x_O_6[ri_33], r_6[ri_33]) && {178}(x_O_4 = x1_1[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_33], r, iU); return(r_6[u_33]) else r_4 <-R hash1; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) && {408}(u_31 = u_31) then u_11 <= NU <- u_31; sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in x_O_6: bitstring <- cst_bitstring; find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else x_O_7: bitstring <- cst_bitstring; find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Replaced (u_31 = u_31) with true at 408 - Replaced (x_O_4 = x1_1[ri_33]) with ((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) at 178 - Replaced defined condition x1_1[ri_33], x_O_6[ri_33], r_6[ri_33] with r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] in find at 174 - Replaced ((x_O_4 = x1_1[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with ((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) at 113 - Replaced defined condition x1_1[ri_33], x_O_6[ri_33], r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13] with r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] in find at 50 - Replaced ((x_O_4 = x1_1[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) with ((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) at 57 - Replaced defined condition x1_1[ri_33], x_O_6[ri_33], r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14] with r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] in find at 50 yields Game 16 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); find [unique] u_33 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_1[u_14], iU); return(r_6[u_33]) orfind u_33 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_33], r_2[u_13], iU); return(r_6[u_33]) else find [unique] u_33 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_33], r, iU); return(r_6[u_33]) else r_4 <-R hash1; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then u_11 <= NU <- u_31; sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in x_O_6: bitstring <- cst_bitstring; find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else x_O_7: bitstring <- cst_bitstring; find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying SA rename u_33 - Rename variable u_33 into u_38, u_37, u_36 yields Game 17 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); x_O_4: bitstring <- concat(U, S, X, Y_u, K_u); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else r_4 <-R hash1; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); x_Oeq: bitstring <- concat(U, S, X_s, Y, K_s); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then u_11 <= NU <- u_31; sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); x_O_5: bitstring <- concat(U, S, Xp, Yp, Kp); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in x_O_6: bitstring <- cst_bitstring; find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else x_O_7: bitstring <- cst_bitstring; find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on x_O_7 (definition removed, all usages removed) - Remove assignments on x_O_6 (definition removed, all usages removed) - Remove assignments on x_O_5 (definition removed, all usages removed) - Remove assignments on x_Oeq (definition removed, all usages removed) - Remove assignments on u_11 (definition removed, all usages removed) - Remove assignments on x_O_4 (definition removed, all usages removed) yields Game 18 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else r_4 <-R hash1; find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := K_s: G <- exp(X_s, y); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying move all binders - Move random number generation r_4 yields Game 19 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := {431} K_s: G <- exp(X_s, y); find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying insert instruction find j <= NU suchthat defined(X[j]) && X[j] = X_s then else find jh <= qH1 suchthat defined(x11[jh], x12[jh], x13[jh], x14[jh], r_6[jh]) && (U = x11[jh]) && (S = x12[jh]) && (X_s = x13[jh]) && (Y = x14[jh]) && (auth_s = r_6[jh]) then event_abort Auth at occurrence 431 [probability Pr[event Auth in game 20 with public variables sk_s, sk_u]] yields Game 20 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := {431} find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- {439}exp(X_s, y); {444} find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && {448}((X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31])) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then {614} find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && {618}((X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11])) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y); {775} find [unique] u_31 = ri_31 <= NU suchthat defined(r_4[ri_31], Y_u[ri_31], x[ri_31]) && (X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31]) then ( if auth_s = r_4[u_31] then find [unique] suchthat defined(r[u_31]) then sk_s: hash0 <- r[u_31]; event termS(U, X_s, S, Ystar, auth_s, r[u_31]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( {938} if {939}(auth_s = r_6[u_29]) then find [unique] u_11 = ri_11 <= NU suchthat defined(r[ri_11], Y_u[ri_11], x[ri_11]) && (X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11]) then sk_s: hash0 <- r[u_11]; event termS(U, X_s, S, Ystar, auth_s, r[u_11]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability 0.5 * NU^2 / |Z|] - Simplification pass - Replaced (auth_s = r_6[u_29]) with false at 939 - Test at 938 always false - Remove branch 1 in find at 775 - Find at 775 removed (else branch kept if any) - Replaced exp(X_s, y) with exp(g, mult(x[j], y)) at 439 - Replaced ((X_s = exp(g, x[ri_11])) && (Y = Y_u[ri_11])) with ((j = ri_11) && (Y = Y_u[ri_11])) at 618 - In branch 1 of find at 614, substituting u_11 with j - Replaced defined condition r[ri_11], Y_u[ri_11], x[ri_11] with r[j], Y_u[j] in find at 614 - Replaced ((X_s = exp(g, x[ri_31])) && (Y = Y_u[ri_31])) with ((j = ri_31) && (Y = Y_u[ri_31])) at 448 - In branch 1 of find at 444, substituting u_31 with j - Replaced defined condition r_4[ri_31], Y_u[ri_31], x[ri_31] with r_4[j], Y_u[j] in find at 444 - Replaced defined condition X[j_1] with x[j_1], X[j_1] in find at 431 yields Game 21 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); {40} find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {50}((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {275} find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], X_s[ri_14]) && {279}((X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && {453}((j = j) && (Y = Y_u[j])) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && {627}((j = j) && (Y = Y_u[j])) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability 0.5 * NU^2 / |Z|] - Simplification pass - Replaced ((j = j) && (Y = Y_u[j])) with (Y = Y_u[j]) at 627 - Replaced ((j = j) && (Y = Y_u[j])) with (Y = Y_u[j]) at 453 - Replaced ((X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) with ((j[ri_14] = iU) && (Y_u = Y[ri_14])) at 279 - Replaced defined condition r_1[ri_14], Y[ri_14], X_s[ri_14] with r_1[ri_14], Y[ri_14], j[ri_14] in find at 275 - Replaced ((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (X_s[ri_14] = exp(g, x)) && (Y_u = Y[ri_14])) with ((K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14])) at 50 - Replaced defined condition r_6[ri_33], r_1[ri_14], Y[ri_14], X_s[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] with r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] in find at 40 yields Game 22 is Ostart() := ck_1 <-R cipherkey; pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- dec(ck_1, Ystar_u, pw0); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- enc(ck_1, Y, pw0); return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- enc(ck_1, Yp, pw0); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return(enc(ck_1, x_1, ke)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return(dec(ck_1, m, kd)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence icm(enc) [probability (qE^2 + 2 * NP * qE + 2 * NS * qE + 2 * qD * qE + 2 * NU * qE + NP^2 + 2 * NS * NP + 2 * qD * NP + 2 * NU * NP + NS^2 + 2 * qD * NS + 2 * NU * NS + qD^2 + 2 * NU * qD + NU^2 - qE - NP - NS - qD - NU) / |G|] - Equivalence icm(enc) with variables: ck_1 -> ck_2 yields Game 23 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- (md_O_dec: G <- Ystar_u; k_O_dec: passwd <- pw0; find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], md_O_dec[ri_60], k_O_dec[ri_60]) && (md_O_dec = md_O_dec[ri_60]) && (k_O_dec = k_O_dec[ri_60]) then me_O_dec[u_63] orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], md_O_dec_1[ri_59], k_O_dec_1[ri_59]) && (md_O_dec = md_O_dec_1[ri_59]) && (k_O_dec = k_O_dec_1[ri_59]) then me_O_dec_1[u_62] orfind u_61 = ri_58 <= NS suchthat defined(me_O_enc[ri_58], md_O_enc[ri_58], k_O_enc[ri_58]) && (md_O_dec = md_O_enc[ri_58]) && (k_O_dec = k_O_enc[ri_58]) then me_O_enc[u_61] orfind u_60 = ri_57 <= NP suchthat defined(me_O_enc_1[ri_57], md_O_enc_1[ri_57], k_O_enc_1[ri_57]) && (md_O_dec = md_O_enc_1[ri_57]) && (k_O_dec = k_O_enc_1[ri_57]) then me_O_enc_1[u_60] orfind u_59 = ri_56 <= qE suchthat defined(me_O_enc_2[ri_56], md_O_enc_2[ri_56], k_O_enc_2[ri_56]) && (md_O_dec = md_O_enc_2[ri_56]) && (k_O_dec = k_O_enc_2[ri_56]) then me_O_enc_2[u_59] else me_O_dec <-R G; me_O_dec); K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- (me_O_enc: G <- Y; k_O_enc: passwd <- pw0; {506}find [unique] u_58 = ri_55 <= NU suchthat defined(md_O_dec[ri_55], me_O_dec[ri_55], k_O_dec[ri_55]) && {510}((me_O_enc = me_O_dec[ri_55]) && (k_O_enc = k_O_dec[ri_55])) then md_O_dec[u_58] orfind u_57 = ri_54 <= qD suchthat defined(md_O_dec_1[ri_54], me_O_dec_1[ri_54], k_O_dec_1[ri_54]) && {527}((me_O_enc = me_O_dec_1[ri_54]) && (k_O_enc = k_O_dec_1[ri_54])) then md_O_dec_1[u_57] orfind u_56 = ri_53 <= NS suchthat defined(md_O_enc[ri_53], me_O_enc[ri_53], k_O_enc[ri_53]) && (me_O_enc = me_O_enc[ri_53]) && (k_O_enc = k_O_enc[ri_53]) then md_O_enc[u_56] orfind u_55 = ri_52 <= NP suchthat defined(md_O_enc_1[ri_52], me_O_enc_1[ri_52], k_O_enc_1[ri_52]) && {561}((me_O_enc = me_O_enc_1[ri_52]) && (k_O_enc = k_O_enc_1[ri_52])) then md_O_enc_1[u_55] orfind u_54 = ri_51 <= qE suchthat defined(md_O_enc_2[ri_51], me_O_enc_2[ri_51], k_O_enc_2[ri_51]) && (me_O_enc = me_O_enc_2[ri_51]) && (k_O_enc = k_O_enc_2[ri_51]) then md_O_enc_2[u_54] else md_O_enc <-R G; md_O_enc); return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- (me_O_enc_1: G <- Yp; k_O_enc_1: passwd <- pw0; {979}find [unique] u_53 = ri_50 <= NU suchthat defined(md_O_dec[ri_50], me_O_dec[ri_50], k_O_dec[ri_50]) && {983}((me_O_enc_1 = me_O_dec[ri_50]) && (k_O_enc_1 = k_O_dec[ri_50])) then md_O_dec[u_53] orfind u_52 = ri_49 <= qD suchthat defined(md_O_dec_1[ri_49], me_O_dec_1[ri_49], k_O_dec_1[ri_49]) && {1000}((me_O_enc_1 = me_O_dec_1[ri_49]) && (k_O_enc_1 = k_O_dec_1[ri_49])) then md_O_dec_1[u_52] orfind u_51 = ri_48 <= NS suchthat defined(md_O_enc[ri_48], me_O_enc[ri_48], k_O_enc[ri_48]) && {1017}((me_O_enc_1 = me_O_enc[ri_48]) && (k_O_enc_1 = k_O_enc[ri_48])) then md_O_enc[u_51] orfind u_50 = ri_47 <= NP suchthat defined(md_O_enc_1[ri_47], me_O_enc_1[ri_47], k_O_enc_1[ri_47]) && (me_O_enc_1 = me_O_enc_1[ri_47]) && (k_O_enc_1 = k_O_enc_1[ri_47]) then md_O_enc_1[u_50] orfind u_49 = ri_46 <= qE suchthat defined(md_O_enc_2[ri_46], me_O_enc_2[ri_46], k_O_enc_2[ri_46]) && (me_O_enc_1 = me_O_enc_2[ri_46]) && (k_O_enc_1 = k_O_enc_2[ri_46]) then md_O_enc_2[u_49] else md_O_enc_1 <-R G; md_O_enc_1); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return((me_O_enc_2: G <- x_1; k_O_enc_2: passwd <- ke; find [unique] u_48 = ri_45 <= NU suchthat defined(md_O_dec[ri_45], me_O_dec[ri_45], k_O_dec[ri_45]) && (me_O_enc_2 = me_O_dec[ri_45]) && (k_O_enc_2 = k_O_dec[ri_45]) then md_O_dec[u_48] orfind u_47 = ri_44 <= qD suchthat defined(md_O_dec_1[ri_44], me_O_dec_1[ri_44], k_O_dec_1[ri_44]) && (me_O_enc_2 = me_O_dec_1[ri_44]) && (k_O_enc_2 = k_O_dec_1[ri_44]) then md_O_dec_1[u_47] orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43], me_O_enc[ri_43], k_O_enc[ri_43]) && (me_O_enc_2 = me_O_enc[ri_43]) && (k_O_enc_2 = k_O_enc[ri_43]) then md_O_enc[u_46] orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], me_O_enc_1[ri_42], k_O_enc_1[ri_42]) && (me_O_enc_2 = me_O_enc_1[ri_42]) && (k_O_enc_2 = k_O_enc_1[ri_42]) then md_O_enc_1[u_45] orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], me_O_enc_2[ri_41], k_O_enc_2[ri_41]) && (me_O_enc_2 = me_O_enc_2[ri_41]) && (k_O_enc_2 = k_O_enc_2[ri_41]) then md_O_enc_2[u_44] else md_O_enc_2 <-R G; md_O_enc_2)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return((md_O_dec_1: G <- m; k_O_dec_1: passwd <- kd; find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], md_O_dec[ri_40], k_O_dec[ri_40]) && (md_O_dec_1 = md_O_dec[ri_40]) && (k_O_dec_1 = k_O_dec[ri_40]) then me_O_dec[u_43] orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], md_O_dec_1[ri_39], k_O_dec_1[ri_39]) && (md_O_dec_1 = md_O_dec_1[ri_39]) && (k_O_dec_1 = k_O_dec_1[ri_39]) then me_O_dec_1[u_42] orfind u_41 = ri_38 <= NS suchthat defined(me_O_enc[ri_38], md_O_enc[ri_38], k_O_enc[ri_38]) && (md_O_dec_1 = md_O_enc[ri_38]) && (k_O_dec_1 = k_O_enc[ri_38]) then me_O_enc[u_41] orfind u_40 = ri_37 <= NP suchthat defined(me_O_enc_1[ri_37], md_O_enc_1[ri_37], k_O_enc_1[ri_37]) && (md_O_dec_1 = md_O_enc_1[ri_37]) && (k_O_dec_1 = k_O_enc_1[ri_37]) then me_O_enc_1[u_40] orfind u_39 = ri_36 <= qE suchthat defined(me_O_enc_2[ri_36], md_O_enc_2[ri_36], k_O_enc_2[ri_36]) && (md_O_dec_1 = md_O_enc_2[ri_36]) && (k_O_dec_1 = k_O_enc_2[ri_36]) then me_O_enc_2[u_39] else me_O_dec_1 <-R G; me_O_dec_1)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify (non-expanded game) [probability (0.5 * NP^2 + 0.5 * NS^2 + NS * NP + NP * NU + NP * qD + NS * NU + NS * qD) / |Z|] - Simplification pass - Replaced ((me_O_enc = me_O_enc_1[ri_52]) && (k_O_enc = k_O_enc_1[ri_52])) with false at 561 - Remove branch 4 in find at 506 - Replaced ((me_O_enc = me_O_dec_1[ri_54]) && (k_O_enc = k_O_dec_1[ri_54])) with false at 527 - Remove branch 2 in find at 506 - Replaced ((me_O_enc = me_O_dec[ri_55]) && (k_O_enc = k_O_dec[ri_55])) with false at 510 - Remove branch 1 in find at 506 - Replaced ((me_O_enc_1 = me_O_enc[ri_48]) && (k_O_enc_1 = k_O_enc[ri_48])) with false at 1017 - Remove branch 3 in find at 979 - Replaced ((me_O_enc_1 = me_O_dec_1[ri_49]) && (k_O_enc_1 = k_O_dec_1[ri_49])) with false at 1000 - Remove branch 2 in find at 979 - Replaced ((me_O_enc_1 = me_O_dec[ri_50]) && (k_O_enc_1 = k_O_dec[ri_50])) with false at 983 - Remove branch 1 in find at 979 yields Game 24 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := Y_u: G <- (md_O_dec: G <- Ystar_u; k_O_dec: passwd <- pw0; find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], md_O_dec[ri_60], k_O_dec[ri_60]) && (md_O_dec = md_O_dec[ri_60]) && (k_O_dec = k_O_dec[ri_60]) then me_O_dec[u_63] orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], md_O_dec_1[ri_59], k_O_dec_1[ri_59]) && (md_O_dec = md_O_dec_1[ri_59]) && (k_O_dec = k_O_dec_1[ri_59]) then me_O_dec_1[u_62] orfind u_61 = ri_58 <= NS suchthat defined(me_O_enc[ri_58], md_O_enc[ri_58], k_O_enc[ri_58]) && (md_O_dec = md_O_enc[ri_58]) && (k_O_dec = k_O_enc[ri_58]) then me_O_enc[u_61] orfind u_60 = ri_57 <= NP suchthat defined(me_O_enc_1[ri_57], md_O_enc_1[ri_57], k_O_enc_1[ri_57]) && (md_O_dec = md_O_enc_1[ri_57]) && (k_O_dec = k_O_enc_1[ri_57]) then me_O_enc_1[u_60] orfind u_59 = ri_56 <= qE suchthat defined(me_O_enc_2[ri_56], md_O_enc_2[ri_56], k_O_enc_2[ri_56]) && (md_O_dec = md_O_enc_2[ri_56]) && (k_O_dec = k_O_enc_2[ri_56]) then me_O_enc_2[u_59] else me_O_dec <-R G; me_O_dec); K_u: G <- exp(Y_u, x); {128} find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {360} find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); Ystar: G <- (me_O_enc: G <- Y; k_O_enc: passwd <- pw0; {506}find [unique] u_56 = ri_53 <= NS suchthat defined(md_O_enc[ri_53], me_O_enc[ri_53], k_O_enc[ri_53]) && (me_O_enc = me_O_enc[ri_53]) && (k_O_enc = k_O_enc[ri_53]) then md_O_enc[u_56] orfind u_54 = ri_51 <= qE suchthat defined(md_O_enc_2[ri_51], me_O_enc_2[ri_51], k_O_enc_2[ri_51]) && (me_O_enc = me_O_enc_2[ri_51]) && (k_O_enc = k_O_enc_2[ri_51]) then md_O_enc_2[u_54] else md_O_enc <-R G; md_O_enc); return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); Ystarp: G <- (me_O_enc_1: G <- Yp; k_O_enc_1: passwd <- pw0; {928}find [unique] u_50 = ri_47 <= NP suchthat defined(md_O_enc_1[ri_47], me_O_enc_1[ri_47], k_O_enc_1[ri_47]) && (me_O_enc_1 = me_O_enc_1[ri_47]) && (k_O_enc_1 = k_O_enc_1[ri_47]) then md_O_enc_1[u_50] orfind u_49 = ri_46 <= qE suchthat defined(md_O_enc_2[ri_46], me_O_enc_2[ri_46], k_O_enc_2[ri_46]) && (me_O_enc_1 = me_O_enc_2[ri_46]) && (k_O_enc_1 = k_O_enc_2[ri_46]) then md_O_enc_2[u_49] else md_O_enc_1 <-R G; md_O_enc_1); r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := return((me_O_enc_2: G <- x_1; k_O_enc_2: passwd <- ke; find [unique] u_48 = ri_45 <= NU suchthat defined(md_O_dec[ri_45], me_O_dec[ri_45], k_O_dec[ri_45]) && (me_O_enc_2 = me_O_dec[ri_45]) && (k_O_enc_2 = k_O_dec[ri_45]) then md_O_dec[u_48] orfind u_47 = ri_44 <= qD suchthat defined(md_O_dec_1[ri_44], me_O_dec_1[ri_44], k_O_dec_1[ri_44]) && (me_O_enc_2 = me_O_dec_1[ri_44]) && (k_O_enc_2 = k_O_dec_1[ri_44]) then md_O_dec_1[u_47] orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43], me_O_enc[ri_43], k_O_enc[ri_43]) && (me_O_enc_2 = me_O_enc[ri_43]) && (k_O_enc_2 = k_O_enc[ri_43]) then md_O_enc[u_46] orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], me_O_enc_1[ri_42], k_O_enc_1[ri_42]) && (me_O_enc_2 = me_O_enc_1[ri_42]) && (k_O_enc_2 = k_O_enc_1[ri_42]) then md_O_enc_1[u_45] orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], me_O_enc_2[ri_41], k_O_enc_2[ri_41]) && (me_O_enc_2 = me_O_enc_2[ri_41]) && (k_O_enc_2 = k_O_enc_2[ri_41]) then md_O_enc_2[u_44] else md_O_enc_2 <-R G; md_O_enc_2)) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := return((md_O_dec_1: G <- m; k_O_dec_1: passwd <- kd; find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], md_O_dec[ri_40], k_O_dec[ri_40]) && (md_O_dec_1 = md_O_dec[ri_40]) && (k_O_dec_1 = k_O_dec[ri_40]) then me_O_dec[u_43] orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], md_O_dec_1[ri_39], k_O_dec_1[ri_39]) && (md_O_dec_1 = md_O_dec_1[ri_39]) && (k_O_dec_1 = k_O_dec_1[ri_39]) then me_O_dec_1[u_42] orfind u_41 = ri_38 <= NS suchthat defined(me_O_enc[ri_38], md_O_enc[ri_38], k_O_enc[ri_38]) && (md_O_dec_1 = md_O_enc[ri_38]) && (k_O_dec_1 = k_O_enc[ri_38]) then me_O_enc[u_41] orfind u_40 = ri_37 <= NP suchthat defined(me_O_enc_1[ri_37], md_O_enc_1[ri_37], k_O_enc_1[ri_37]) && (md_O_dec_1 = md_O_enc_1[ri_37]) && (k_O_dec_1 = k_O_enc_1[ri_37]) then me_O_enc_1[u_40] orfind u_39 = ri_36 <= qE suchthat defined(me_O_enc_2[ri_36], md_O_enc_2[ri_36], k_O_enc_2[ri_36]) && (md_O_dec_1 = md_O_enc_2[ri_36]) && (k_O_dec_1 = k_O_enc_2[ri_36]) then me_O_enc_2[u_39] else me_O_dec_1 <-R G; me_O_dec_1)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand [probability (NS * NP + 0.5 * NS^2 + 0.5 * NP^2 + NS * qD + NS * NU) / |Z|] - Expand if/find/let - Remove branch 1 in find at 928 - Remove branch 1 in find at 506 - Remove branch 1 in find at 360 - Remove branch 1 in find at 128 - Remove branch 1 in find at 360 - Remove branch 1 in find at 128 - Remove branch 1 in find at 360 - Remove branch 1 in find at 128 - Remove branch 1 in find at 360 - Remove branch 1 in find at 128 yields Game 25 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := md_O_dec: G <- Ystar_u; k_O_dec: passwd <- pw0; find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], md_O_dec[ri_60], k_O_dec[ri_60]) && (md_O_dec = md_O_dec[ri_60]) && (k_O_dec = k_O_dec[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(Y_u, x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], md_O_dec_1[ri_59], k_O_dec_1[ri_59]) && (md_O_dec = md_O_dec_1[ri_59]) && (k_O_dec = k_O_dec_1[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(Y_u, x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(me_O_enc[ri_58], md_O_enc[ri_58], k_O_enc[ri_58]) && (md_O_dec = md_O_enc[ri_58]) && (k_O_dec = k_O_enc[ri_58]) then Y_u: G <- me_O_enc[u_61]; K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(me_O_enc_1[ri_57], md_O_enc_1[ri_57], k_O_enc_1[ri_57]) && (md_O_dec = md_O_enc_1[ri_57]) && (k_O_dec = k_O_enc_1[ri_57]) then Y_u: G <- me_O_enc_1[u_60]; K_u: G <- exp(Y_u, x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(me_O_enc_2[ri_56], md_O_enc_2[ri_56], k_O_enc_2[ri_56]) && (md_O_dec = md_O_enc_2[ri_56]) && (k_O_dec = k_O_enc_2[ri_56]) then Y_u: G <- me_O_enc_2[u_59]; K_u: G <- exp(Y_u, x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (Y_u = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(Y_u, x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y_u = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y_u = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); me_O_enc: G <- Y; k_O_enc: passwd <- pw0; find [unique] u_54 = ri_51 <= qE suchthat defined(md_O_enc_2[ri_51], me_O_enc_2[ri_51], k_O_enc_2[ri_51]) && (me_O_enc = me_O_enc_2[ri_51]) && (k_O_enc = k_O_enc_2[ri_51]) then Ystar: G <- md_O_enc_2[u_54]; return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) else md_O_enc <-R G; Ystar: G <- md_O_enc; return(S, Ystar); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( u_31 <= NU <- j; if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then u_11 <= NU <- j; sk_s: hash0 <- r[j]; event termS(U, X_s, S, Ystar, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, Ystar, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, Ystar, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); me_O_enc_1: G <- Yp; k_O_enc_1: passwd <- pw0; find [unique] u_49 = ri_46 <= qE suchthat defined(md_O_enc_2[ri_46], me_O_enc_2[ri_46], k_O_enc_2[ri_46]) && (me_O_enc_1 = me_O_enc_2[ri_46]) && (k_O_enc_1 = k_O_enc_2[ri_46]) then Ystarp: G <- md_O_enc_2[u_49]; r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) else md_O_enc_1 <-R G; Ystarp: G <- md_O_enc_1; r_5 <-R hash1; return(U, Xp, S, Ystarp, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := me_O_enc_2: G <- x_1; k_O_enc_2: passwd <- ke; find [unique] u_48 = ri_45 <= NU suchthat defined(md_O_dec[ri_45], me_O_dec[ri_45], k_O_dec[ri_45]) && (me_O_enc_2 = me_O_dec[ri_45]) && (k_O_enc_2 = k_O_dec[ri_45]) then return(md_O_dec[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(md_O_dec_1[ri_44], me_O_dec_1[ri_44], k_O_dec_1[ri_44]) && (me_O_enc_2 = me_O_dec_1[ri_44]) && (k_O_enc_2 = k_O_dec_1[ri_44]) then return(md_O_dec_1[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43], me_O_enc[ri_43], k_O_enc[ri_43]) && (me_O_enc_2 = me_O_enc[ri_43]) && (k_O_enc_2 = k_O_enc[ri_43]) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], me_O_enc_1[ri_42], k_O_enc_1[ri_42]) && (me_O_enc_2 = me_O_enc_1[ri_42]) && (k_O_enc_2 = k_O_enc_1[ri_42]) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], me_O_enc_2[ri_41], k_O_enc_2[ri_41]) && (me_O_enc_2 = me_O_enc_2[ri_41]) && (k_O_enc_2 = k_O_enc_2[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := md_O_dec_1: G <- m; k_O_dec_1: passwd <- kd; find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], md_O_dec[ri_40], k_O_dec[ri_40]) && (md_O_dec_1 = md_O_dec[ri_40]) && (k_O_dec_1 = k_O_dec[ri_40]) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], md_O_dec_1[ri_39], k_O_dec_1[ri_39]) && (md_O_dec_1 = md_O_dec_1[ri_39]) && (k_O_dec_1 = k_O_dec_1[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(me_O_enc[ri_38], md_O_enc[ri_38], k_O_enc[ri_38]) && (md_O_dec_1 = md_O_enc[ri_38]) && (k_O_dec_1 = k_O_enc[ri_38]) then return(me_O_enc[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(me_O_enc_1[ri_37], md_O_enc_1[ri_37], k_O_enc_1[ri_37]) && (md_O_dec_1 = md_O_enc_1[ri_37]) && (k_O_dec_1 = k_O_enc_1[ri_37]) then return(me_O_enc_1[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(me_O_enc_2[ri_36], md_O_enc_2[ri_36], k_O_enc_2[ri_36]) && (md_O_dec_1 = md_O_enc_2[ri_36]) && (k_O_dec_1 = k_O_enc_2[ri_36]) then return(me_O_enc_2[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on md_O_dec_1 (definition point kept, all usages removed) - Remove assignments on k_O_dec_1 (definition removed, all usages removed) - Remove assignments on me_O_enc_2 (definition point kept, all usages removed) - Remove assignments on k_O_enc_2 (definition removed, all usages removed) - Remove assignments on me_O_enc_1 (definition removed, all usages removed) - Remove assignments on k_O_enc_1 (definition removed, all usages removed) - Remove assignments on Ystarp (definition removed, all usages removed) - Remove assignments on Ystarp (definition removed, all usages removed) - Remove assignments on me_O_enc (definition removed, all usages removed) - Remove assignments on k_O_enc (definition removed, all usages removed) - Remove assignments on Ystar (definition removed, all usages removed) - Remove assignments on u_31 (definition removed, all usages removed) - Remove assignments on u_11 (definition removed, all usages removed) - Remove assignments on Ystar (definition removed, all usages removed) - Remove assignments on u_31 (definition removed, all usages removed) - Remove assignments on u_11 (definition removed, all usages removed) - Remove assignments on md_O_dec (definition point kept, all usages removed) - Remove assignments on k_O_dec (definition removed, all usages removed) - Remove assignments on Y_u (definition kept, array references kept) - Remove assignments on Y_u (definition kept, array references kept) - Remove assignments on Y_u (definition kept, array references kept) - Remove assignments on Y_u (definition kept, array references kept) - Remove assignments on Y_u (definition kept, array references kept) - Remove assignments on Y_u (definition kept, array references kept) yields Game 26 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := md_O_dec: G <- cst_G; {29} find [unique] u_63 = ri_60 <= NU suchthat defined(Ystar_u[ri_60], pw0, md_O_dec[ri_60], me_O_dec[ri_60]) && {33}((Ystar_u = Ystar_u[ri_60]) && (pw0 = pw0)) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(m[ri_59], kd[ri_59], md_O_dec_1[ri_59], me_O_dec_1[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(pw0, Y[ri_58], md_O_enc[ri_58]) && {580}((Ystar_u = md_O_enc[ri_58]) && (pw0 = pw0)) then Y_u: G <- Y[u_61]; K_u: G <- {594}exp(Y[u_61], x); {600} find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {610}((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y[u_61] = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {837} find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && {841}((j[ri_14] = iU) && (Y[u_61] = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], pw0, Kp[ri_57], md_O_enc_1[ri_57]) && {971}((Ystar_u = md_O_enc_1[ri_57]) && (pw0 = pw0)) then Y_u: G <- Yp[u_60]; K_u: G <- {985}exp(Yp[u_60], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], me_O_enc_2[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (x_1[u_59] = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && (j[ri_14] = iU) && (x_1[u_59] = Y[ri_14]) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); {1644} find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {1657}((K_u = x15[ri_33]) && (me_O_dec = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else {1740} find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {1747}((K_u = x15[ri_33]) && (me_O_dec = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {1801} find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {1808}((K_u = x05[ri_13]) && (me_O_dec = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); {1902} find [unique] u_54 = ri_51 <= qE suchthat defined(x_1[ri_51], ke[ri_51], me_O_enc_2[ri_51], md_O_enc_2[ri_51]) && {1907}((Y = x_1[ri_51]) && (pw0 = ke[ri_51])) then return(S, md_O_enc_2[u_54]); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc_2[u_54], auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) else md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); {2639} find [unique] u_49 = ri_46 <= qE suchthat defined(x_1[ri_46], ke[ri_46], me_O_enc_2[ri_46], md_O_enc_2[ri_46]) && {2644}((Yp = x_1[ri_46]) && (pw0 = ke[ri_46])) then r_5 <-R hash1; return(U, Xp, S, md_O_enc_2[u_49], r_5) else md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := me_O_enc_2: G <- cst_G; {2689} find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], pw0, md_O_dec[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], md_O_dec_1[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(pw0, Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(Yp[ri_42], pw0, Kp[ri_42], md_O_enc_1[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(x_1[ri_41], ke[ri_41], me_O_enc_2[ri_41], md_O_enc_2[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := md_O_dec_1: G <- cst_G; {2800} find [unique] u_43 = ri_40 <= NU suchthat defined(Ystar_u[ri_40], pw0, md_O_dec[ri_40], me_O_dec[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(m[ri_39], kd[ri_39], md_O_dec_1[ri_39], me_O_dec_1[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(pw0, Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], pw0, Kp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], me_O_enc_2[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (0.5 * NS^2 + 2 * NP * qH1 + qE * NS + qE * NP) / |Z| + (qH1 * NU + qH0 * NU) / |G|] - Simplification pass - Replaced defined condition x_1[ri_36], ke[ri_36], me_O_enc_2[ri_36], md_O_enc_2[ri_36] with x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36] in find at 2800 - Replaced defined condition Yp[ri_37], pw0, Kp[ri_37], md_O_enc_1[ri_37] with Yp[ri_37], md_O_enc_1[ri_37] in find at 2800 - Replaced defined condition pw0, Y[ri_38], md_O_enc[ri_38] with Y[ri_38], md_O_enc[ri_38] in find at 2800 - Replaced defined condition m[ri_39], kd[ri_39], md_O_dec_1[ri_39], me_O_dec_1[ri_39] with me_O_dec_1[ri_39], kd[ri_39], m[ri_39] in find at 2800 - Replaced defined condition Ystar_u[ri_40], pw0, md_O_dec[ri_40], me_O_dec[ri_40] with me_O_dec[ri_40], Ystar_u[ri_40] in find at 2800 - Replaced defined condition x_1[ri_41], ke[ri_41], me_O_enc_2[ri_41], md_O_enc_2[ri_41] with md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41] in find at 2689 - Replaced defined condition Yp[ri_42], pw0, Kp[ri_42], md_O_enc_1[ri_42] with md_O_enc_1[ri_42], Yp[ri_42] in find at 2689 - Replaced defined condition pw0, Y[ri_43], md_O_enc[ri_43] with Y[ri_43], md_O_enc[ri_43] in find at 2689 - Replaced defined condition m[ri_44], kd[ri_44], md_O_dec_1[ri_44], me_O_dec_1[ri_44] with m[ri_44], kd[ri_44], me_O_dec_1[ri_44] in find at 2689 - Replaced defined condition Ystar_u[ri_45], pw0, md_O_dec[ri_45], me_O_dec[ri_45] with Ystar_u[ri_45], me_O_dec[ri_45] in find at 2689 - Replaced ((Yp = x_1[ri_46]) && (pw0 = ke[ri_46])) with false at 2644 - Remove branch 1 in find at 2639 - Find at 2639 removed (else branch kept if any) - Replaced ((Y = x_1[ri_51]) && (pw0 = ke[ri_51])) with false at 1907 - Remove branch 1 in find at 1902 - Find at 1902 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (me_O_dec = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 1657 - Remove branch 1 in find at 1644 - Find at 1644 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (me_O_dec = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) with false at 1747 - Remove branch 1 in find at 1740 - Find at 1740 removed (else branch kept if any) - Replaced ((K_u = x05[ri_13]) && (me_O_dec = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 1808 - Remove branch 1 in find at 1801 - Find at 1801 removed (else branch kept if any) - Replaced defined condition x_1[ri_56], ke[ri_56], me_O_enc_2[ri_56], md_O_enc_2[ri_56] with x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56] in find at 29 - Replaced ((Ystar_u = md_O_enc_1[ri_57]) && (pw0 = pw0)) with (Ystar_u = md_O_enc_1[ri_57]) at 971 - Replaced exp(Yp[u_60], x) with exp(g, mult(yp[u_60], x)) at 985 - Replaced defined condition Yp[ri_57], pw0, Kp[ri_57], md_O_enc_1[ri_57] with yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57] in find at 29 - Replaced ((Ystar_u = md_O_enc[ri_58]) && (pw0 = pw0)) with (Ystar_u = md_O_enc[ri_58]) at 580 - Replaced exp(Y[u_61], x) with exp(g, mult(y[u_61], x)) at 594 - Replaced ((j[ri_14] = iU) && (Y[u_61] = Y[ri_14])) with ((j[ri_14] = iU) && (u_61 = ri_14)) at 841 - In branch 1 of find at 837, substituting u_14 with u_61 - Replaced defined condition r_1[ri_14], Y[ri_14], j[ri_14] with r_1[u_61], j[u_61] in find at 837 - Replaced ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (Y[u_61] = Y[ri_14])) with ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (u_61 = ri_14)) at 610 - In branch 1 of find at 600, substituting u_14 with u_61 - Replaced defined condition r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] with r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33] in find at 600 - Replaced defined condition pw0, Y[ri_58], md_O_enc[ri_58] with y[ri_58], Y[ri_58], md_O_enc[ri_58] in find at 29 - Replaced defined condition m[ri_59], kd[ri_59], md_O_dec_1[ri_59], me_O_dec_1[ri_59] with me_O_dec_1[ri_59], kd[ri_59], m[ri_59] in find at 29 - Replaced ((Ystar_u = Ystar_u[ri_60]) && (pw0 = pw0)) with (Ystar_u = Ystar_u[ri_60]) at 33 - Replaced defined condition Ystar_u[ri_60], pw0, md_O_dec[ri_60], me_O_dec[ri_60] with me_O_dec[ri_60], Ystar_u[ri_60] in find at 29 yields Game 27 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := md_O_dec: G <- cst_G; find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {604}((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) && (u_61 = u_61)) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && {840}((j[u_61] = iU) && (u_61 = u_61)) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); {1266} find [unique] u_36 = ri_33 <= qH1, u_14 = ri_14 <= NS suchthat defined(r_6[ri_33], r_1[ri_14], Y[ri_14], j[ri_14], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {1276}((K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (x_1[u_59] = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_14], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {1503} find [unique] u_14 = ri_14 <= NS suchthat defined(r_1[ri_14], Y[ri_14], j[ri_14]) && {1507}((j[ri_14] = iU) && (x_1[u_59] = Y[ri_14])) then sk_u: hash0 <- r_1[u_14]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_14], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := me_O_enc_2: G <- cst_G; find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := md_O_dec_1: G <- cst_G; find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (2 * NP * qH1 + NS * NU) / |Z| + (qH1 * NU + qH0 * NU) / |G|] - Simplification pass - Replaced ((j[ri_14] = iU) && (x_1[u_59] = Y[ri_14])) with false at 1507 - Remove branch 1 in find at 1503 - Replaced ((K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[ri_14] = iU) && (x_1[u_59] = Y[ri_14])) with false at 1276 - Remove branch 1 in find at 1266 - Replaced ((j[u_61] = iU) && (u_61 = u_61)) with (j[u_61] = iU) at 840 - Replaced ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) && (u_61 = u_61)) with ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU)) at 604 yields Game 28 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := md_O_dec: G <- cst_G; find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := me_O_enc_2: G <- cst_G; find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := md_O_dec_1: G <- cst_G; find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying move all binders - Move assignment to md_O_dec_1 - Move assignment to me_O_enc_2 - Move assignment to md_O_dec yields Game 29 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then u_14 <= NS <- u_61; sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_14 (definition removed, all usages removed) - Remove assignments on u_14 (definition removed, all usages removed) yields Game 30 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then {1233} Y_u: G <- x_1[u_59]; K_u: G <- exp(x_1[u_59], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (x_1[u_59] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (x_1[u_59] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying insert event Encrypt at occurrence 1233 [probability Pr[event Encrypt in game 31 with public variables sk_u, sk_s]] yields Game 31 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- me_O_dec_1[u_62]; K_u: G <- exp(me_O_dec_1[u_62], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec_1[u_62] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec_1[u_62] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(x_1[ri_56], ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = me_O_dec_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(me_O_dec_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else me_O_dec_1 <-R G; return(me_O_dec_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence group_to_exp_strict(exp) - Equivalence group_to_exp_strict(exp) with variables: me_O_dec_1 -> X_1 yields Game 32 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- (m_1: Z <- x; exp(g, mult(x_2[u_62], m_1))); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(x_2[ri_44], m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; me_O_dec_1: G <- cst_G; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand [probability 2 * NP * qH1 / |Z| + (qH1 * NU + qH0 * NU) / |G|] - Expand if/find/let yields Game 33 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], me_O_dec_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); m_1: Z <- x; K_u: G <- exp(g, mult(x_2[u_62], m_1)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(x_2[ri_44], m[ri_44], kd[ri_44], me_O_dec_1[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], me_O_dec_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; me_O_dec_1: G <- cst_G; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on me_O_dec_1 (definition removed, all usages removed) - Remove assignments on m_1 (definition removed, all usages removed) yields Game 34 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- me_O_dec[u_63]; K_u: G <- exp(me_O_dec[u_63], x); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (me_O_dec[u_63] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (me_O_dec[u_63] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else me_O_dec <-R G; Y_u: G <- me_O_dec; K_u: G <- exp(me_O_dec, x); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = me_O_dec[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(me_O_dec[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence group_to_exp_strict(exp) - Equivalence group_to_exp_strict(exp) with variables: me_O_dec -> X_1 yields Game 35 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- (m_3: Z <- x; exp(g, mult(x_3[u_63], m_3))); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; me_O_dec: G <- cst_G; Y_u: G <- exp(g, x_3); K_u: G <- (m_2: Z <- x; exp(g, mult(x_3, m_2))); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(x_3[ri_45], Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand [probability (NU * qH1 + NU * qH0 + 2 * NP * qH1) / |Z|] - Expand if/find/let yields Game 36 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], me_O_dec[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); m_3: Z <- x; K_u: G <- exp(g, mult(x_3[u_63], m_3)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; me_O_dec: G <- cst_G; Y_u: G <- exp(g, x_3); m_2: Z <- x; K_u: G <- exp(g, mult(x_3, m_2)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(x_3[ri_45], Ystar_u[ri_45], me_O_dec[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], me_O_dec[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on me_O_dec (definition removed, all usages removed) - Remove assignments on m_2 (definition removed, all usages removed) - Remove assignments on m_3 (definition removed, all usages removed) yields Game 37 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in {2069} find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying insert instruction find i7 <= NU, i8 <= NU suchthat defined(x[i7], X[i7], x_3[i8]) && (x14 = exp(g, x_3[i8])) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8], x[i7]))) then event_abort cdh orfind i7 <= NU, i9 <= qD suchthat defined(x[i7], X[i7], x_2[i9]) && (x14 = exp(g, x_2[i9])) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9], x[i7]))) then event_abort cdh orfind i7 <= NU, i10 <= NS suchthat defined(x[i7], y[i10], X[i7], Y[i10]) && (x14 = Y[i10]) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10], x[i7]))) then event_abort cdh orfind i7 <= NU, i11 <= NP suchthat defined(x[i7], yp[i11], X[i7], Yp[i11]) && (x14 = Yp[i11]) && (x13 = X[i7]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11], x[i7]))) then event_abort cdh orfind i6 <= NP suchthat defined(yp[i6], xp[i6], Xp[i6], Yp[i6]) && (x14 = Yp[i6]) && (x13 = Xp[i6]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6], yp[i6]))) then event_abort cdh at occurrence 2069 [probability Pr[event cdh_4 in game 38 with public variables sk_s, sk_u] + Pr[event cdh_3 in game 38 with public variables sk_s, sk_u] + Pr[event cdh_2 in game 38 with public variables sk_s, sk_u] + Pr[event cdh_1 in game 38 with public variables sk_s, sk_u] + Pr[event cdh in game 38 with public variables sk_s, sk_u]] yields Game 38 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && (K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13]) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && (K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29]) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in {1921} find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying insert instruction find i19 <= NU, i20 <= NU suchthat defined(X[i19], x[i19], x_3[i20]) && (x04 = exp(g, x_3[i20])) && (x03 = X[i19]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20], x[i19]))) then event_abort cdh orfind i17 <= NU, i21 <= qD suchthat defined(X[i17], x[i17], x_2[i21]) && (x04 = exp(g, x_2[i21])) && (x03 = X[i17]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21], x[i17]))) then event_abort cdh orfind i15 <= NU, i22 <= NS suchthat defined(X[i15], Y[i22], x[i15], y[i22]) && (x04 = Y[i22]) && (x03 = X[i15]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22], x[i15]))) then event_abort cdh orfind i13 <= NU, i23 <= NP suchthat defined(X[i13], Yp[i23], x[i13], yp[i23]) && (x04 = Yp[i23]) && (x03 = X[i13]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23], x[i13]))) then event_abort cdh at occurrence 1921 [probability Pr[event cdh_8 in game 39 with public variables sk_u, sk_s] + Pr[event cdh_7 in game 39 with public variables sk_u, sk_s] + Pr[event cdh_6 in game 39 with public variables sk_u, sk_s] + Pr[event cdh_5 in game 39 with public variables sk_u, sk_s]] yields Game 39 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); {50} find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {63}((K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else {152} find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {159}((K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {216} find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {223}((K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); {336} find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {349}((K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else {438} find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {445}((K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {502} find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {509}((K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); {615} find [unique] u_36 = ri_33 <= qH1 suchthat defined(r_6[ri_33], r_1[u_61], j[u_61], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {626}((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU)) then sk_u: hash0 <- r_1[u_61]; event acceptU(U, X, S, Ystar_u, r_6[u_36], r_1[u_61], iU); return(r_6[u_36]) orfind u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {700}((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else {785} find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {792}((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {847} find [unique] suchthat defined(r_1[u_61], j[u_61]) && (j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) orfind u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {890}((K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); {994} find [unique] u_37 = ri_33 <= qH1, u_13 = ri_13 <= qH0 suchthat defined(r_6[ri_33], r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {1007}((K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; event acceptU(U, X, S, Ystar_u, r_6[u_37], r_2[u_13], iU); return(r_6[u_37]) else {1092} find [unique] u_38 = ri_33 <= qH1 suchthat defined(r_6[ri_33], x11[ri_33], x12[ri_33], x13[ri_33], x14[ri_33], x15[ri_33]) && {1099}((K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) then r <-R hash0; sk_u: hash0 <- r; event acceptU(U, X, S, Ystar_u, r_6[u_38], r, iU); return(r_6[u_38]) else {1154} find [unique] u_13 = ri_13 <= qH0 suchthat defined(r_2[ri_13], x01[ri_13], x02[ri_13], x03[ri_13], x04[ri_13], x05[ri_13]) && {1161}((K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) then sk_u: hash0 <- r_2[u_13]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_2[u_13], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); {1335} find [unique] suchthat defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then ( if auth_s = r_4[j] then {1353} find [unique] suchthat defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && {1386}((K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9])) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) orfind u_29 = ri_29 <= qH1 suchthat defined(r_6[ri_29], x11[ri_29], x12[ri_29], x13[ri_29], x14[ri_29], x15[ri_29]) && {1465}((K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29])) then ( if auth_s = r_6[u_29] then find [unique] suchthat defined(r[j], Y_u[j]) && (Y = Y_u[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() orfind u_9 = ri_9 <= qH0 suchthat defined(r_2[ri_9], x01[ri_9], x02[ri_9], x03[ri_9], x04[ri_9], x05[ri_9]) && (K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9]) then sk_s: hash0 <- r_2[u_9]; event termS(U, X_s, S, md_O_enc, auth_s, r_2[u_9]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else {2072} find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_6 = ri_6 <= NS suchthat defined(r_1[ri_6], X_s[ri_6], Y[ri_6], K_s[ri_6]) && (x05 = K_s[ri_6]) && (x04 = Y[ri_6]) && (x03 = X_s[ri_6]) && (x02 = S) && (x01 = U) then return(r_1[u_6]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else {2408} find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_22 = ri_22 <= NP suchthat defined(r_5[ri_22], Xp[ri_22], Yp[ri_22], Kp[ri_22]) && (x15 = Kp[ri_22]) && (x14 = Yp[ri_22]) && (x13 = Xp[ri_22]) && (x12 = S) && (x11 = U) then return(r_5[u_22]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (qD * qH1 + qD * qH0 + 2 * NP * qH1 + NP * qH0 + 2 * NU * qH0 + NS * qH0 + 2 * NU * qH1 + NS * qH1) / |Z|] - Simplification pass - Remove branch 2 in find at 2408 - Remove branch 2 in find at 2072 - Replaced ((K_s = x15[ri_29]) && (Y = x14[ri_29]) && (X_s = x13[ri_29]) && (S = x12[ri_29]) && (U = x11[ri_29])) with false at 1465 - Remove branch 2 in find at 1335 - Replaced ((K_s = x05[ri_9]) && (Y = x04[ri_9]) && (X_s = x03[ri_9]) && (S = x02[ri_9]) && (U = x01[ri_9])) with false at 1386 - Remove branch 2 in find at 1353 - Replaced ((K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 1161 - Remove branch 1 in find at 1154 - Find at 1154 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) with false at 1099 - Remove branch 1 in find at 1092 - Find at 1092 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (Yp[u_60] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Yp[u_60] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 1007 - Remove branch 1 in find at 994 - Find at 994 removed (else branch kept if any) - Replaced ((K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 890 - Remove branch 2 in find at 847 - Replaced ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) with false at 792 - Remove branch 1 in find at 785 - Find at 785 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (Y[u_61] = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 700 - Remove branch 2 in find at 615 - Replaced ((K_u = x15[ri_33]) && (Y[u_61] = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (j[u_61] = iU)) with false at 626 - Remove branch 1 in find at 615 - Find at 615 removed (else branch kept if any) - Replaced ((K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 509 - Remove branch 1 in find at 502 - Find at 502 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) with false at 445 - Remove branch 1 in find at 438 - Find at 438 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (exp(g, x_2[u_62]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_2[u_62]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 349 - Remove branch 1 in find at 336 - Find at 336 removed (else branch kept if any) - Replaced ((K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 223 - Remove branch 1 in find at 216 - Find at 216 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33])) with false at 159 - Remove branch 1 in find at 152 - Find at 152 removed (else branch kept if any) - Replaced ((K_u = x15[ri_33]) && (exp(g, x_3[u_63]) = x14[ri_33]) && (X = x13[ri_33]) && (S = x12[ri_33]) && (U = x11[ri_33]) && (K_u = x05[ri_13]) && (exp(g, x_3[u_63]) = x04[ri_13]) && (X = x03[ri_13]) && (S = x02[ri_13]) && (U = x01[ri_13])) with false at 63 - Remove branch 1 in find at 50 - Find at 50 removed (else branch kept if any) yields Game 40 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); {155} if defined(r_1[u_61], j[u_61]) && {160}(j[u_61] = iU) then sk_u: hash0 <- r_1[u_61]; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_1[u_61], iU); return(r_4) else r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth else {464} K_s: G <- exp(X_s, y) ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Remove let at 464 - Replaced (j[u_61] = iU) with false at 160 - Remove branch 1 in find at 155 - Find at 155 removed (else branch kept if any) yields Game 41 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r <-R hash0; sk_u: hash0 <- r; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r[j]) then sk_s: hash0 <- r[j]; event termS(U, X_s, S, md_O_enc, auth_s, r[j]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_7 = ri_7 <= NU suchthat defined(r[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r[u_7]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Proved inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s in game 41 up to probability (NU * NS + NP * NS + 0.5 * NS^2 + qD * NS) / |Z| + 0.5 * NS^2 / |G| Proved secrecy of sk_u in game 41 up to probability (4 * qH0 * NU + 4 * qD * qH0 + 4 * qH0 * NS + 4 * qH0 * NP + 2 * NS * NU + NU^2 + 2 * NS * qD + NS^2 + 2 * NS * NP) / |Z| Applying SA rename r - Rename variable r into r_12, r_11, r_10, r_9, r_8 yields Game 42 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_8, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_9, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_10, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_11, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; event acceptU(U, X, S, Ystar_u, r_4, r_12, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( K_s: G <- exp(g, mult(x[j], y)); if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then find [unique] suchthat defined(r_8[j]) then sk_s: hash0 <- r_8[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_8[j]); return() orfind suchthat defined(r_9[j]) then sk_s: hash0 <- r_9[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_9[j]); return() orfind suchthat defined(r_10[j]) then sk_s: hash0 <- r_10[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_10[j]); return() orfind suchthat defined(r_11[j]) then sk_s: hash0 <- r_11[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_11[j]); return() orfind suchthat defined(r_12[j]) then sk_s: hash0 <- r_12[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_12[j]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); Kp: G <- exp(g, mult(xp, yp)); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_7 = ri_7 <= NU suchthat defined(r_8[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_8[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_9[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_9[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_10[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_10[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_11[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_11[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_12[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_12[u_7]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on Kp (definition removed, all usages removed) - Remove assignments on K_s (definition removed, all usages removed) yields Game 43 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; {55} event acceptU(U, X, S, Ystar_u, r_4, r_8, iU); return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; {111} event acceptU(U, X, S, Ystar_u, r_4, r_9, iU); return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; {160} event acceptU(U, X, S, Ystar_u, r_4, r_10, iU); return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; {209} event acceptU(U, X, S, Ystar_u, r_4, r_11, iU); return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; {264} event acceptU(U, X, S, Ystar_u, r_4, r_12, iU); return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := {306} find j = j_1 <= NU suchthat defined(x[j_1], X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then {332} find [unique] suchthat defined(r_8[j]) then sk_s: hash0 <- r_8[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_8[j]); return() orfind suchthat defined(r_9[j]) then sk_s: hash0 <- r_9[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_9[j]); return() orfind suchthat defined(r_10[j]) then sk_s: hash0 <- r_10[j]; {392} event termS(U, X_s, S, md_O_enc, auth_s, r_10[j]); return() orfind suchthat defined(r_11[j]) then sk_s: hash0 <- r_11[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_11[j]); return() orfind suchthat defined(r_12[j]) then sk_s: hash0 <- r_12[j]; event termS(U, X_s, S, md_O_enc, auth_s, r_12[j]); return() else r_1 <-R hash0; sk_s: hash0 <- r_1; {467} event termS(U, X_s, S, md_O_enc, auth_s, r_1); return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else {929} find [unique] u_7 = ri_7 <= NU suchthat defined(r_8[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_8[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_9[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_9[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_10[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_10[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_11[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_11[u_7]) orfind u_7 = ri_7 <= NU suchthat defined(r_12[ri_7], X[ri_7], Y_u[ri_7], K_u[ri_7]) && (x05 = K_u[ri_7]) && (x04 = Y_u[ri_7]) && (x03 = X[ri_7]) && (x02 = S) && (x01 = U) then return(r_12[u_7]) orfind u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (qD * NS + 0.5 * NS^2 + NP * NS + NU * NS) / |Z|] - Simplification pass - Remove branch 5 in find at 929 - Remove branch 4 in find at 929 - Remove branch 3 in find at 929 - Remove branch 2 in find at 929 - Remove branch 1 in find at 929 - Removed event at 467 (no longer used in queries) - Remove branch 5 in find at 332 - Remove branch 4 in find at 332 - Removed event at 392 (no longer used in queries) - Remove branch 2 in find at 332 - Remove branch 1 in find at 332 - Replaced defined condition x[j_1], X[j_1] with X[j_1] in find at 306 - Removed event at 264 (no longer used in queries) - Removed event at 209 (no longer used in queries) - Removed event at 160 (no longer used in queries) - Removed event at 111 (no longer used in queries) - Removed event at 55 (no longer used in queries) yields Game 44 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u: G <- exp(g, mult(x_3[u_63], x)); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u: G <- exp(g, mult(x_2[u_62], x)); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u: G <- exp(g, mult(y[u_61], x)); r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u: G <- exp(g, mult(yp[u_60], x)); r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u: G <- exp(g, mult(x_3, x)); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u[ri_23]) && (x15 = K_u[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Proved secrecy of sk_s in game 44 up to probability 2 * NS^2 / |Z| Applying SA rename K_u - Rename variable K_u into K_u_5, K_u_4, K_u_3, K_u_2, K_u_1 yields Game 45 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u_1: G <- exp(g, mult(x_3[u_63], x)); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u_2: G <- exp(g, mult(x_2[u_62], x)); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u_3: G <- exp(g, mult(y[u_61], x)); r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u_4: G <- exp(g, mult(yp[u_60], x)); r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u_5: G <- exp(g, mult(x_3, x)); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else {982} find [unique] u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u_1[ri_23]) && (x15 = K_u_1[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u_2[ri_23]) && (x15 = K_u_2[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u_3[ri_23]) && (x15 = K_u_3[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u_4[ri_23]) && (x15 = K_u_4[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_23 = ri_23 <= NU suchthat defined(r_4[ri_23], X[ri_23], Y_u[ri_23], K_u_5[ri_23]) && (x15 = K_u_5[ri_23]) && (x14 = Y_u[ri_23]) && (x13 = X[ri_23]) && (x12 = S) && (x11 = U) then return(r_4[u_23]) orfind u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability 0.5 * NS^2 / |Z|] - Simplification pass - Remove branch 5 in find at 982 - Remove branch 4 in find at 982 - Remove branch 3 in find at 982 - Remove branch 2 in find at 982 - Remove branch 1 in find at 982 yields Game 46 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); K_u_1: G <- exp(g, mult(x_3[u_63], x)); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); K_u_2: G <- exp(g, mult(x_2[u_62], x)); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; K_u_3: G <- exp(g, mult(y[u_61], x)); r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; K_u_4: G <- exp(g, mult(yp[u_60], x)); r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); K_u_5: G <- exp(g, mult(x_3, x)); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of binder K_u_4 - Remove assignments on K_u_5 (definition removed, all usages removed) - Remove assignments on K_u_1 (definition removed, all usages removed) - Remove assignments on K_u_2 (definition removed, all usages removed) - Remove assignments on K_u_3 (definition removed, all usages removed) - Remove assignments on K_u_4 (definition removed, all usages removed) yields Game 47 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp(g, x_2[u_62]); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(y[ri_58], Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(yp[ri_57], Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp(g, xp); yp <-R Z; Yp: G <- exp(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x[i19_1], x_3[i20_1]) && (x04 = exp(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_3[i20_1], x[i19_1]))) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x[i17_1], x_2[i21_1]) && (x04 = exp(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(x_2[i21_1], x[i17_1]))) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1], x[i15_1], y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(y[i22_1], x[i15_1]))) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1], x[i13_1], yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (x05 = exp(g, mult(yp[i23_1], x[i13_1]))) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(x[i7_1], X[i7_1], x_3[i8_1]) && (x14 = exp(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_3[i8_1], x[i7_1]))) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(x[i7_2], X[i7_2], x_2[i9_1]) && (x14 = exp(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(x_2[i9_1], x[i7_2]))) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(x[i7_3], y[i10_1], X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(y[i10_1], x[i7_3]))) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(x[i7_4], yp[i11_1], X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(yp[i11_1], x[i7_4]))) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(yp[i6_1], xp[i6_1], Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (x15 = exp(g, mult(xp[i6_1], yp[i6_1]))) then event_abort cdh_4 else find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence cdh(exp) with x_2, x, y, yp, x_3, xp [probability (qH0 + qH1) * pCDH(time_1) + (2 * NP * NU + NP * qD + NS * NP + NS * NU + NS * qD + qD * NU + 0.5 * qD^2 + 0.5 * NS^2 + NU^2 + NP^2) / |Z|] - Equivalence cdh(exp) with variables: y -> b, x_2 -> b, x_3 -> b, x -> a_1, yp -> b, xp -> a_1 yields Game 48 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp'(g, x_2[u_62]); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); yp <-R Z; Yp: G <- exp'(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp'(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp'(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp'(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x_3[i20_1]) && (x04 = exp'(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (m_11: G <- x05; {548}find else {549}find else false) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x_2[i21_1]) && (x04 = exp'(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (m_12: G <- x05; {581}find else {582}find else false) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (m_13: G <- x05; {612}find else {613}find else false) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (m_6: G <- x05; {643}find else {644}find else false) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(X[i7_1], x_3[i8_1]) && (x14 = exp'(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (m_7: G <- x15; {751}find else {752}find else false) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(X[i7_2], x_2[i9_1]) && (x14 = exp'(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (m_8: G <- x15; {784}find else {785}find else false) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (m_9: G <- x15; {815}find else {816}find else false) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (m_10: G <- x15; {846}find else {847}find else false) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (m_5: G <- x15; {877}find else {878}find else false) then event_abort cdh_4 else find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify (non-expanded game) - Simplification pass - Find at 548 removed (else branch kept if any) - Find at 549 removed (else branch kept if any) - Find at 581 removed (else branch kept if any) - Find at 582 removed (else branch kept if any) - Find at 612 removed (else branch kept if any) - Find at 613 removed (else branch kept if any) - Find at 643 removed (else branch kept if any) - Find at 644 removed (else branch kept if any) - Find at 751 removed (else branch kept if any) - Find at 752 removed (else branch kept if any) - Find at 784 removed (else branch kept if any) - Find at 785 removed (else branch kept if any) - Find at 815 removed (else branch kept if any) - Find at 816 removed (else branch kept if any) - Find at 846 removed (else branch kept if any) - Find at 847 removed (else branch kept if any) - Find at 877 removed (else branch kept if any) - Find at 878 removed (else branch kept if any) yields Game 49 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp'(g, x_2[u_62]); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); yp <-R Z; Yp: G <- exp'(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp'(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp'(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp'(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in {518} find i19 = i19_1 <= NU, i20 = i20_1 <= NU suchthat defined(X[i19_1], x_3[i20_1]) && (x04 = exp'(g, x_3[i20_1])) && (x03 = X[i19_1]) && (x02 = S) && (x01 = U) && (m_11: G <- x05; false) then event_abort cdh_5 orfind i17 = i17_1 <= NU, i21 = i21_1 <= qD suchthat defined(X[i17_1], x_2[i21_1]) && (x04 = exp'(g, x_2[i21_1])) && (x03 = X[i17_1]) && (x02 = S) && (x01 = U) && (m_12: G <- x05; false) then event_abort cdh_6 orfind i15 = i15_1 <= NU, i22 = i22_1 <= NS suchthat defined(X[i15_1], Y[i22_1]) && (x04 = Y[i22_1]) && (x03 = X[i15_1]) && (x02 = S) && (x01 = U) && (m_13: G <- x05; false) then event_abort cdh_7 orfind i13 = i13_1 <= NU, i23 = i23_1 <= NP suchthat defined(X[i13_1], Yp[i23_1]) && (x04 = Yp[i23_1]) && (x03 = X[i13_1]) && (x02 = S) && (x01 = U) && (m_6: G <- x05; false) then event_abort cdh_8 else find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in {713} find i7 = i7_1 <= NU, i8 = i8_1 <= NU suchthat defined(X[i7_1], x_3[i8_1]) && (x14 = exp'(g, x_3[i8_1])) && (x13 = X[i7_1]) && (x12 = S) && (x11 = U) && (m_7: G <- x15; false) then event_abort cdh orfind i7 = i7_2 <= NU, i9 = i9_1 <= qD suchthat defined(X[i7_2], x_2[i9_1]) && (x14 = exp'(g, x_2[i9_1])) && (x13 = X[i7_2]) && (x12 = S) && (x11 = U) && (m_8: G <- x15; false) then event_abort cdh_1 orfind i7 = i7_3 <= NU, i10 = i10_1 <= NS suchthat defined(X[i7_3], Y[i10_1]) && (x14 = Y[i10_1]) && (x13 = X[i7_3]) && (x12 = S) && (x11 = U) && (m_9: G <- x15; false) then event_abort cdh_2 orfind i7 = i7_4 <= NU, i11 = i11_1 <= NP suchthat defined(X[i7_4], Yp[i11_1]) && (x14 = Yp[i11_1]) && (x13 = X[i7_4]) && (x12 = S) && (x11 = U) && (m_10: G <- x15; false) then event_abort cdh_3 orfind i6 = i6_1 <= NP suchthat defined(Xp[i6_1], Yp[i6_1]) && (x14 = Yp[i6_1]) && (x13 = Xp[i6_1]) && (x12 = S) && (x11 = U) && (m_5: G <- x15; false) then event_abort cdh_4 else find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand [probability 0.5 * NS^2 / |Z|] - Expand if/find/let - Remove branch 5 in find at 713 - Remove branch 4 in find at 713 - Remove branch 3 in find at 713 - Remove branch 2 in find at 713 - Remove branch 1 in find at 713 - Find at 713 removed (else branch kept if any) - Remove branch 4 in find at 518 - Remove branch 3 in find at 518 - Remove branch 2 in find at 518 - Remove branch 1 in find at 518 - Find at 518 removed (else branch kept if any) yields Game 50 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- exp'(g, x_2[u_62]); r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); yp <-R Z; Yp: G <- exp'(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = exp'(g, x_2[ri_44])) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(exp'(g, x_2[u_42])) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else x_2 <-R Z; return(exp'(g, x_2)) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: x_2 -> x_1 yields Game 51 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], x_2[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); yp <-R Z; Yp: G <- exp'(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(X_1[ri_44], m[ri_44], kd[ri_44], x_2[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], x_2[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; x_2: Z <- cst_Z; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on x_2 (definition removed, all usages removed) yields Game 52 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); yp <-R Z; Yp: G <- exp'(g, yp); md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: yp -> x_1 yields Game 53 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(Yp[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- Yp[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); X_2 <-R G; Yp: G <- X_2; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42], Yp[ri_42]) && (x_1 = Yp[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(Yp[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(Yp[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on Yp (definition removed, all usages removed) yields Game 54 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := xp <-R Z; Xp: G <- exp'(g, xp); X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: xp -> x_1 yields Game 55 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; Xp: G <- X_3; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, Xp, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on Xp (definition removed, all usages removed) yields Game 56 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := y <-R Z; Y: G <- exp'(g, y); md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: y -> x_1 yields Game 57 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(Y[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- Y[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; Y: G <- X_4; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (Y = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (Y = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(Y[ri_43], md_O_enc[ri_43]) && (x_1 = Y[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(Y[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(Y[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on Y (definition removed, all usages removed) yields Game 58 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- exp'(g, x_3[u_63]); r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else x_3 <-R Z; Y_u: G <- exp'(g, x_3); r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (X_4 = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], x_3[ri_45]) && (x_1 = exp'(g, x_3[ri_45])) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(exp'(g, x_3[u_43])) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: x_3 -> x_1 yields Game 59 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], x_3[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- X_5[u_63]; r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; x_3: Z <- cst_Z; Y_u: G <- X_5; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (X_4 = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(X_5[ri_45], Ystar_u[ri_45], x_3[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], x_3[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on x_3 (definition removed, all usages removed) yields Game 60 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := x <-R Z; X: G <- exp'(g, x); return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- X_5[u_63]; r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; Y_u: G <- X_5; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (X_4 = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence exp'_to_group(exp) - Equivalence exp'_to_group(exp) with variables: x -> x_1 yields Game 61 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; X: G <- X_6; return(U, X); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- X_5[u_63]; r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; Y_u: G <- X_5; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X[j_1]) && (X[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (X_4 = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on X (definition removed, all usages removed) yields Game 62 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u: G <- X_5[u_63]; r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; Y_u: G <- X_5; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_4[j], Y_u[j]) && (X_4 = Y_u[j]) then if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying SA rename Y_u - Rename variable Y_u into Y_u_5, Y_u_4, Y_u_3, Y_u_2, Y_u_1 yields Game 63 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then Y_u_1: G <- X_5[u_63]; r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then Y_u_2: G <- X_1[u_62]; r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then Y_u_3: G <- X_4[u_61]; r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then Y_u_4: G <- X_2[u_60]; r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; Y_u_5: G <- X_5; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( find [unique] suchthat defined(r_4[j], Y_u_1[j]) && (X_4 = Y_u_1[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) orfind suchthat defined(r_4[j], Y_u_2[j]) && (X_4 = Y_u_2[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) orfind suchthat defined(r_4[j], Y_u_3[j]) && (X_4 = Y_u_3[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) orfind suchthat defined(r_4[j], Y_u_4[j]) && (X_4 = Y_u_4[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) orfind suchthat defined(r_4[j], Y_u_5[j]) && (X_4 = Y_u_5[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_1 <-R hash0; sk_s: hash0 <- r_1; return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on Y_u_5 (definition removed, all usages removed) - Remove assignments on Y_u_1 (definition removed, all usages removed) - Remove assignments on Y_u_2 (definition removed, all usages removed) - Remove assignments on Y_u_3 (definition removed, all usages removed) - Remove assignments on Y_u_4 (definition removed, all usages removed) - Rename variable r_1 into r_17, r_16, r_15, r_14, r_13 yields Game 64 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := {22} find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(X_4[ri_58], md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(X_2[ri_57], md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( {146} find [unique] suchthat defined(X_5[u_63[j]], r_8[j], r_4[j]) && {154}(X_4 = X_5[u_63[j]]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_13 <-R hash0; sk_s: hash0 <- r_13; return() ) orfind suchthat defined(X_1[u_62[j]], r_9[j], r_4[j]) && {196}(X_4 = X_1[u_62[j]]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_14 <-R hash0; sk_s: hash0 <- r_14; return() ) orfind suchthat defined(X_4[u_61[j]], r_10[j], r_4[j]) && {238}(X_4 = X_4[u_61[j]]) then ( if auth_s = r_4[j] then {252} if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_15 <-R hash0; sk_s: hash0 <- r_15; return() ) orfind suchthat defined(X_2[u_60[j]], r_11[j], r_4[j]) && {280}(X_4 = X_2[u_60[j]]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_16 <-R hash0; sk_s: hash0 <- r_16; return() ) orfind suchthat defined(X_5[j], r_4[j]) && {319}(X_4 = X_5[j]) then ( if auth_s = r_4[j] then if defined(r_10[j]) then sk_s: hash0 <- r_10[j]; return() else r_17 <-R hash0; sk_s: hash0 <- r_17; return() ) ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability (0.5 * NS^2 + qD * NS + NP * NS + NU * NS) / |G|] - Simplification pass - Replaced (X_4 = X_5[j]) with false at 319 - Remove branch 5 in find at 146 - Replaced (X_4 = X_2[u_60[j]]) with false at 280 - Remove branch 4 in find at 146 - Replaced (X_4 = X_1[u_62[j]]) with false at 196 - Remove branch 2 in find at 146 - Replaced (X_4 = X_5[u_63[j]]) with false at 154 - Remove branch 1 in find at 146 - Replaced (X_4 = X_4[u_61[j]]) with (iS = u_61[j]) at 238 - Transformed find at 252 into a test - Test at 252 always true - Replaced defined condition X_4[u_61[j]], r_10[j], r_4[j] with r_10[j], r_4[j], u_61[j] in find at 146 - Replaced defined condition X_2[ri_57], md_O_enc_1[ri_57] with md_O_enc_1[ri_57] in find at 22 - Replaced defined condition X_4[ri_58], md_O_enc[ri_58] with md_O_enc[ri_58] in find at 22 yields Game 65 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5 <-R G; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (x_1 = X_5[ri_45]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return(X_5[u_43]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence move_array(G) with X_5. [probability qE * NU / |G|] - Equivalence move_array(G) with variables: X_5 -> X_7. yields Game 66 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5: G <- cst_G; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (X': G <- x_1; find [unique] u_65 = ri_62 <= qD suchthat defined(u_43[ri_62], Y_1[ri_62]) && (u_43[ri_62] = ri_45) then (X' = Y_1[u_65]) else false) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then return((find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], u_43[ri_61]) && (u_43[ri_61] = u_43) then Y_1[u_64] else Y_1 <-R G; Y_1)) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand - Expand if/find/let yields Game 67 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(X_5[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else X_5: G <- cst_G; r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], X_5[ri_45]) && (X': G <- x_1; find [unique] u_65 = ri_62 <= qD suchthat defined(u_43[ri_62], Y_1[ri_62]) && (u_43[ri_62] = ri_45) then ((X' = Y_1[u_65]) && (ke = pw0)) else false) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU suchthat defined(X_5[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], u_43[ri_61]) && (u_43[ri_61] = u_43) then return(Y_1[u_64]) else Y_1 <-R G; return(Y_1) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on X' (definition removed, all usages removed) - Remove assignments on X_5 (definition removed, all usages removed) yields Game 68 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {229} find [unique] u_48 = ri_45 <= NU suchthat defined(Ystar_u[ri_45], r_12[ri_45]) && {232}(find [unique] u_65 = ri_62 <= qD suchthat defined(u_43[ri_62], Y_1[ri_62]) && (u_43[ri_62] = ri_45) then ((x_1 = Y_1[u_65]) && (ke = pw0)) else false) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {343} find [unique] u_43 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then {356} find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], u_43[ri_61]) && (u_43[ri_61] = u_43) then return(Y_1[u_64]) else Y_1 <-R G; return(Y_1) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Simplified find at 356 in branch of find at 343 - Simplified find at 232 in condition of find at 229 yields Game 69 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {229} find [unique] u_48 = ri_45 <= NU, u_66 = ri_62 <= qD suchthat defined(Ystar_u[ri_45], r_12[ri_45], u_43[ri_62], Y_1[ri_62]) && (u_43[ri_62] = ri_45) && (x_1 = Y_1[ri_62]) && (ke = pw0) then return(Ystar_u[u_48]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {340} find [unique] u_43 = ri_40 <= NU, u_64 = ri_61 <= qD suchthat defined(r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61]) && {344}((m = Ystar_u[ri_40]) && (kd = pw0) && (ri_40 = ri_40) && (ri_61 = iD)) then return(Y_1[u_64]) orfind u_43 = ri_40 <= NU, u_64 = ri_61 <= qD suchthat defined(r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61], u_43[ri_61]) && (m = Ystar_u[ri_40]) && (kd = pw0) && (u_43[ri_61] = ri_40) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_43 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Replaced ((m = Ystar_u[ri_40]) && (kd = pw0) && (ri_40 = ri_40) && (ri_61 = iD)) with false at 344 - Remove branch 1 in find at 340 - In branch 1 of find at 229, substituting u_48 with u_43[u_66] - Replaced defined condition Ystar_u[ri_45], r_12[ri_45], u_43[ri_62], Y_1[ri_62] with Ystar_u[u_43[ri_62]], Y_1[ri_62] in find at 229 yields Game 70 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(Ystar_u[u_43[ri_62]], Y_1[ri_62]) && (u_43[ri_62] = u_43[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then u_48 <= NU <- u_43[u_66]; return(Ystar_u[u_43[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_43 = ri_40 <= NU, u_64 = ri_61 <= qD suchthat defined(r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61], u_43[ri_61]) && (m = Ystar_u[ri_40]) && (kd = pw0) && (u_43[ri_61] = ri_40) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_43 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying SA rename u_43 - Rename variable u_43 into u_68, u_67 yields Game 71 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(u_68[ri_62], Ystar_u[u_68[ri_62]], Y_1[ri_62]) && (u_68[ri_62] = u_68[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then u_48 <= NU <- u_68[u_66]; return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_67 = ri_40 <= NU, u_64 = ri_61 <= qD suchthat defined(r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61], u_68[ri_61]) && (m = Ystar_u[ri_40]) && (kd = pw0) && (u_68[ri_61] = ri_40) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_48 (definition removed, all usages removed) yields Game 72 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {229} find [unique] u_66 = ri_62 <= qD suchthat defined(u_68[ri_62], Ystar_u[u_68[ri_62]], Y_1[ri_62]) && {234}((u_68[ri_62] = u_68[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0)) then return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {342} find [unique] u_67 = ri_40 <= NU, u_64 = ri_61 <= qD suchthat defined(r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61], u_68[ri_61]) && (m = Ystar_u[ri_40]) && (kd = pw0) && (u_68[ri_61] = ri_40) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - In branch 1 of find at 342, substituting u_67 with u_68[u_64] - Replaced defined condition r_12[ri_40], Ystar_u[ri_40], Y_1[ri_61], u_68[ri_61] with Y_1[ri_61], Ystar_u[u_68[ri_61]] in find at 342 - Replaced ((u_68[ri_62] = u_68[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0)) with ((x_1 = Y_1[ri_62]) && (ke = pw0)) at 234 - Replaced defined condition u_68[ri_62], Ystar_u[u_68[ri_62]], Y_1[ri_62] with Ystar_u[u_68[ri_62]], Y_1[ri_62] in find at 229 yields Game 73 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(Ystar_u[u_68[ri_62]], Y_1[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], Ystar_u[u_68[ri_61]]) && {339}((m = Ystar_u[u_68[ri_61]]) && (kd = pw0) && (u_68[ri_61] = u_68[ri_61])) then u_67 <= NU <- u_68[u_64]; return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Replaced ((m = Ystar_u[u_68[ri_61]]) && (kd = pw0) && (u_68[ri_61] = u_68[ri_61])) with ((m = Ystar_u[u_68[ri_61]]) && (kd = pw0)) at 339 yields Game 74 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(Ystar_u[u_68[ri_62]], Y_1[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], Ystar_u[u_68[ri_61]]) && (m = Ystar_u[u_68[ri_61]]) && (kd = pw0) then u_67 <= NU <- u_68[u_64]; return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_67 (definition removed, all usages removed) yields Game 75 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) orfind u_62 = ri_59 <= qD suchthat defined(X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_66 = ri_62 <= qD suchthat defined(Ystar_u[u_68[ri_62]], Y_1[ri_62]) && (x_1 = Y_1[ri_62]) && (ke = pw0) then return(Ystar_u[u_68[u_66]]) orfind u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_64 = ri_61 <= qD suchthat defined(Y_1[ri_61], Ystar_u[u_68[ri_61]]) && (m = Ystar_u[u_68[ri_61]]) && (kd = pw0) then return(Y_1[u_64]) orfind u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then Y_1 <-R G; return(Y_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge variables (X_1, Y_1) yields Game 76 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := {22} find [unique] u_62 = ri_59 <= qD suchthat defined(X_7[ri_59], X_1[ri_59], kd[ri_59], m[ri_59]) && (Ystar_u = m[ri_59]) && (pw0 = kd[ri_59]) then {37} r_9 <-R hash0; sk_u: hash0 <- r_9; r_4 <-R hash1; return(r_4) orfind u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_60 = ri_57 <= NP suchthat defined(md_O_enc_1[ri_57]) && (Ystar_u = md_O_enc_1[ri_57]) then {67} r_11 <-R hash0; sk_u: hash0 <- r_11; r_4 <-R hash1; return(r_4) orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) orfind u_63 = ri_60 <= NU suchthat defined(r_12[ri_60], Ystar_u[ri_60]) && (Ystar_u = Ystar_u[ri_60]) then {102} r_8 <-R hash0; sk_u: hash0 <- r_8; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else {393} find [unique] u_68 = ri_40 <= NU suchthat defined(r_12[ri_40], Ystar_u[ri_40]) && (m = Ystar_u[ri_40]) && (kd = pw0) then X_1 <-R G; Y_2: G <- cst_G; return(X_1) else X_1 <-R G; X_7: G <- cst_G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge branches - Merge branch(es) at 37 with else branch of find at 22 - Merge branch(es) at 67 with else branch of find at 22 - Merge branch(es) at 102 with else branch of find at 22 - Merge all branches of find at 393 yields Game 77 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP suchthat defined(X_2[ri_42], md_O_enc_1[ri_42]) && (x_1 = X_2[ri_42]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP suchthat defined(X_2[ri_37], md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return(X_2[u_40]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else X_1 <-R G; X_7: G <- cst_G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence move_array(G) with X_2. [probability qE * NP / |G|] - Equivalence move_array(G) with variables: X_2 -> X_8. yields Game 78 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2: G <- cst_G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42]) && (X'_1: G <- x_1; find [unique] u_70 = ri_64 <= qD suchthat defined(u_40[ri_64], Y_3[ri_64]) && (u_40[ri_64] = ri_42) then (X'_1 = Y_3[u_70]) else false) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then return((find [unique] u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], u_40[ri_63]) && (u_40[ri_63] = u_40) then Y_3[u_69] else Y_3 <-R G; Y_3)) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else X_1 <-R G; X_7: G <- cst_G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand - Expand if/find/let yields Game 79 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; X_2: G <- cst_G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42]) && (X'_1: G <- x_1; find [unique] u_70 = ri_64 <= qD suchthat defined(u_40[ri_64], Y_3[ri_64]) && (u_40[ri_64] = ri_42) then ((X'_1 = Y_3[u_70]) && (ke = pw0)) else false) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then find [unique] u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], u_40[ri_63]) && (u_40[ri_63] = u_40) then return(Y_3[u_69]) else Y_3 <-R G; return(Y_3) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else X_1 <-R G; X_7: G <- cst_G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on X_7 (definition removed, all usages removed) - Remove assignments on X'_1 (definition removed, all usages removed) - Remove assignments on X_2 (definition removed, all usages removed) yields Game 80 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {169} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP suchthat defined(md_O_enc_1[ri_42]) && {211}(find [unique] u_70 = ri_64 <= qD suchthat defined(u_40[ri_64], Y_3[ri_64]) && (u_40[ri_64] = ri_42) then ((x_1 = Y_3[u_70]) && (ke = pw0)) else false) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {264} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then {316} find [unique] u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], u_40[ri_63]) && (u_40[ri_63] = u_40) then return(Y_3[u_69]) else Y_3 <-R G; return(Y_3) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Simplified find at 316 in branch of find at 264 - Simplified find at 211 in condition of find at 169 yields Game 81 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {169} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_45 = ri_42 <= NP, u_71 = ri_64 <= qD suchthat defined(md_O_enc_1[ri_42], u_40[ri_64], Y_3[ri_64]) && (u_40[ri_64] = ri_42) && (x_1 = Y_3[ri_64]) && (ke = pw0) then return(md_O_enc_1[u_45]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {261} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP, u_69 = ri_63 <= qD suchthat defined(md_O_enc_1[ri_37], Y_3[ri_63]) && {304}((m = md_O_enc_1[ri_37]) && (kd = pw0) && (ri_37 = ri_37) && (ri_63 = iD)) then return(Y_3[u_69]) orfind u_40 = ri_37 <= NP, u_69 = ri_63 <= qD suchthat defined(md_O_enc_1[ri_37], Y_3[ri_63], u_40[ri_63]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) && (u_40[ri_63] = ri_37) then return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_40 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability 0.5 * NP^2 / |G|] - Simplification pass - Replaced ((m = md_O_enc_1[ri_37]) && (kd = pw0) && (ri_37 = ri_37) && (ri_63 = iD)) with false at 304 - Remove branch 3 in find at 261 - In branch 3 of find at 169, substituting u_45 with u_40[u_71] - Replaced defined condition md_O_enc_1[ri_42], u_40[ri_64], Y_3[ri_64] with md_O_enc_1[u_40[ri_64]], Y_3[ri_64] in find at 169 yields Game 82 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(md_O_enc_1[u_40[ri_64]], Y_3[ri_64]) && (u_40[ri_64] = u_40[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0) then u_45 <= NP <- u_40[u_71]; return(md_O_enc_1[u_40[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_40 = ri_37 <= NP, u_69 = ri_63 <= qD suchthat defined(md_O_enc_1[ri_37], Y_3[ri_63], u_40[ri_63]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) && (u_40[ri_63] = ri_37) then return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_40 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying SA rename u_40 - Rename variable u_40 into u_73, u_72 yields Game 83 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(u_73[ri_64], md_O_enc_1[u_73[ri_64]], Y_3[ri_64]) && (u_73[ri_64] = u_73[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0) then u_45 <= NP <- u_73[u_71]; return(md_O_enc_1[u_73[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_72 = ri_37 <= NP, u_69 = ri_63 <= qD suchthat defined(md_O_enc_1[ri_37], Y_3[ri_63], u_73[ri_63]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) && (u_73[ri_63] = ri_37) then return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_45 (definition removed, all usages removed) yields Game 84 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {169} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(u_73[ri_64], md_O_enc_1[u_73[ri_64]], Y_3[ri_64]) && {214}((u_73[ri_64] = u_73[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0)) then return(md_O_enc_1[u_73[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {264} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_72 = ri_37 <= NP, u_69 = ri_63 <= qD suchthat defined(md_O_enc_1[ri_37], Y_3[ri_63], u_73[ri_63]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) && (u_73[ri_63] = ri_37) then return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - In branch 3 of find at 264, substituting u_72 with u_73[u_69] - Replaced defined condition md_O_enc_1[ri_37], Y_3[ri_63], u_73[ri_63] with Y_3[ri_63], md_O_enc_1[u_73[ri_63]] in find at 264 - Replaced ((u_73[ri_64] = u_73[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0)) with ((x_1 = Y_3[ri_64]) && (ke = pw0)) at 214 - Replaced defined condition u_73[ri_64], md_O_enc_1[u_73[ri_64]], Y_3[ri_64] with md_O_enc_1[u_73[ri_64]], Y_3[ri_64] in find at 169 yields Game 85 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(md_O_enc_1[u_73[ri_64]], Y_3[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0) then return(md_O_enc_1[u_73[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], md_O_enc_1[u_73[ri_63]]) && {301}((m = md_O_enc_1[u_73[ri_63]]) && (kd = pw0) && (u_73[ri_63] = u_73[ri_63])) then u_72 <= NP <- u_73[u_69]; return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Replaced ((m = md_O_enc_1[u_73[ri_63]]) && (kd = pw0) && (u_73[ri_63] = u_73[ri_63])) with ((m = md_O_enc_1[u_73[ri_63]]) && (kd = pw0)) at 301 yields Game 86 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(md_O_enc_1[u_73[ri_64]], Y_3[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0) then return(md_O_enc_1[u_73[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], md_O_enc_1[u_73[ri_63]]) && (m = md_O_enc_1[u_73[ri_63]]) && (kd = pw0) then u_72 <= NP <- u_73[u_69]; return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_72 (definition removed, all usages removed) yields Game 87 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) orfind u_71 = ri_64 <= qD suchthat defined(md_O_enc_1[u_73[ri_64]], Y_3[ri_64]) && (x_1 = Y_3[ri_64]) && (ke = pw0) then return(md_O_enc_1[u_73[u_71]]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) orfind u_69 = ri_63 <= qD suchthat defined(Y_3[ri_63], md_O_enc_1[u_73[ri_63]]) && (m = md_O_enc_1[u_73[ri_63]]) && (kd = pw0) then return(Y_3[u_69]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) else find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then Y_3 <-R G; return(Y_3) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge variables (X_1, Y_3) (no branch variables) yields Game 88 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else {296} find [unique] u_73 = ri_37 <= NP suchthat defined(md_O_enc_1[ri_37]) && (m = md_O_enc_1[ri_37]) && (kd = pw0) then X_1 <-R G; return(X_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge branches - Merge all branches of find at 296 yields Game 89 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4 <-R G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X_4 = x14[jh_1]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(X_4[ri_43], md_O_enc[ri_43]) && (x_1 = X_4[ri_43]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(X_4[ri_38], md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return(X_4[u_41]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying equivalence move_array(G) with X_4. [probability (NS + qE * NS) / |G| + 0.5 * qH1^2 / |hash1|] - Equivalence move_array(G) with variables: X_4 -> X_8. yields Game 90 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4: G <- cst_G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X'_2: G <- x14[jh_1]; find [unique] u_76 = ri_67 <= qD suchthat defined(u_41[ri_67], Y_4[ri_67]) && (u_41[ri_67] = iS) then (X'_2 = Y_4[u_76]) else false) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43]) && (X'_3: G <- x_1; find [unique] u_75 = ri_66 <= qD suchthat defined(u_41[ri_66], Y_4[ri_66]) && (u_41[ri_66] = ri_43) then (X'_3 = Y_4[u_75]) else false) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then return((find [unique] u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], u_41[ri_65]) && (u_41[ri_65] = u_41) then Y_4[u_74] else Y_4 <-R G; Y_4)) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying expand - Expand if/find/let yields Game 91 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := X_4: G <- cst_G; md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && (X'_2: G <- x14[jh_1]; find [unique] u_76 = ri_67 <= qD suchthat defined(u_41[ri_67], Y_4[ri_67]) && (u_41[ri_67] = iS) then ((U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (X'_2 = Y_4[u_76]) && (auth_s = r_6[jh_1])) else false) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43]) && (X'_3: G <- x_1; find [unique] u_75 = ri_66 <= qD suchthat defined(u_41[ri_66], Y_4[ri_66]) && (u_41[ri_66] = ri_43) then ((X'_3 = Y_4[u_75]) && (ke = pw0)) else false) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then find [unique] u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], u_41[ri_65]) && (u_41[ri_65] = u_41) then return(Y_4[u_74]) else Y_4 <-R G; return(Y_4) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on X'_3 (definition removed, all usages removed) - Remove assignments on X_4 (definition removed, all usages removed) - Remove assignments on X'_2 (definition removed, all usages removed) yields Game 92 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else {112} find jh = jh_1 <= qH1 suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1]) && {118}(find [unique] u_76 = ri_67 <= qD suchthat defined(u_41[ri_67], Y_4[ri_67]) && (u_41[ri_67] = iS) then ((U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[u_76]) && (auth_s = r_6[jh_1])) else false) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {178} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS suchthat defined(md_O_enc[ri_43]) && {200}(find [unique] u_75 = ri_66 <= qD suchthat defined(u_41[ri_66], Y_4[ri_66]) && (u_41[ri_66] = ri_43) then ((x_1 = Y_4[u_75]) && (ke = pw0)) else false) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {255} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then {287} find [unique] u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], u_41[ri_65]) && (u_41[ri_65] = u_41) then return(Y_4[u_74]) else Y_4 <-R G; return(Y_4) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Simplified find at 287 in branch of find at 255 - Simplified find at 200 in condition of find at 178 - Simplified find at 118 in condition of find at 112 yields Game 93 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_41[ri_67], Y_4[ri_67]) && (u_41[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {175} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_46 = ri_43 <= NS, u_77 = ri_66 <= qD suchthat defined(md_O_enc[ri_43], u_41[ri_66], Y_4[ri_66]) && (u_41[ri_66] = ri_43) && (x_1 = Y_4[ri_66]) && (ke = pw0) then return(md_O_enc[u_46]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {249} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS, u_74 = ri_65 <= qD suchthat defined(md_O_enc[ri_38], Y_4[ri_65]) && {272}((m = md_O_enc[ri_38]) && (kd = pw0) && (ri_38 = ri_38) && (ri_65 = iD)) then return(Y_4[u_74]) orfind u_41 = ri_38 <= NS, u_74 = ri_65 <= qD suchthat defined(md_O_enc[ri_38], Y_4[ri_65], u_41[ri_65]) && (m = md_O_enc[ri_38]) && (kd = pw0) && (u_41[ri_65] = ri_38) then return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_41 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify [probability 0.5 * NS^2 / |G|] - Simplification pass - Replaced ((m = md_O_enc[ri_38]) && (kd = pw0) && (ri_38 = ri_38) && (ri_65 = iD)) with false at 272 - Remove branch 2 in find at 249 - In branch 2 of find at 175, substituting u_46 with u_41[u_77] - Replaced defined condition md_O_enc[ri_43], u_41[ri_66], Y_4[ri_66] with md_O_enc[u_41[ri_66]], Y_4[ri_66] in find at 175 yields Game 94 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_41[ri_67], Y_4[ri_67]) && (u_41[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(md_O_enc[u_41[ri_66]], Y_4[ri_66]) && (u_41[ri_66] = u_41[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0) then u_46 <= NS <- u_41[u_77]; return(md_O_enc[u_41[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_41 = ri_38 <= NS, u_74 = ri_65 <= qD suchthat defined(md_O_enc[ri_38], Y_4[ri_65], u_41[ri_65]) && (m = md_O_enc[ri_38]) && (kd = pw0) && (u_41[ri_65] = ri_38) then return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_41 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying SA rename u_41 - Rename variable u_41 into u_80, u_79 yields Game 95 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], Y_4[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(u_80[ri_66], md_O_enc[u_80[ri_66]], Y_4[ri_66]) && (u_80[ri_66] = u_80[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0) then u_46 <= NS <- u_80[u_77]; return(md_O_enc[u_80[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_79 = ri_38 <= NS, u_74 = ri_65 <= qD suchthat defined(md_O_enc[ri_38], Y_4[ri_65], u_80[ri_65]) && (m = md_O_enc[ri_38]) && (kd = pw0) && (u_80[ri_65] = ri_38) then return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_46 (definition removed, all usages removed) yields Game 96 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], Y_4[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := {175} find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(u_80[ri_66], md_O_enc[u_80[ri_66]], Y_4[ri_66]) && {200}((u_80[ri_66] = u_80[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0)) then return(md_O_enc[u_80[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := {252} find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_79 = ri_38 <= NS, u_74 = ri_65 <= qD suchthat defined(md_O_enc[ri_38], Y_4[ri_65], u_80[ri_65]) && (m = md_O_enc[ri_38]) && (kd = pw0) && (u_80[ri_65] = ri_38) then return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - In branch 2 of find at 252, substituting u_79 with u_80[u_74] - Replaced defined condition md_O_enc[ri_38], Y_4[ri_65], u_80[ri_65] with Y_4[ri_65], md_O_enc[u_80[ri_65]] in find at 252 - Replaced ((u_80[ri_66] = u_80[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0)) with ((x_1 = Y_4[ri_66]) && (ke = pw0)) at 200 - Replaced defined condition u_80[ri_66], md_O_enc[u_80[ri_66]], Y_4[ri_66] with md_O_enc[u_80[ri_66]], Y_4[ri_66] in find at 175 yields Game 97 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], Y_4[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(md_O_enc[u_80[ri_66]], Y_4[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0) then return(md_O_enc[u_80[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], md_O_enc[u_80[ri_65]]) && {269}((m = md_O_enc[u_80[ri_65]]) && (kd = pw0) && (u_80[ri_65] = u_80[ri_65])) then u_79 <= NS <- u_80[u_74]; return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Replaced ((m = md_O_enc[u_80[ri_65]]) && (kd = pw0) && (u_80[ri_65] = u_80[ri_65])) with ((m = md_O_enc[u_80[ri_65]]) && (kd = pw0)) at 269 yields Game 98 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], Y_4[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(md_O_enc[u_80[ri_66]], Y_4[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0) then return(md_O_enc[u_80[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], md_O_enc[u_80[ri_65]]) && (m = md_O_enc[u_80[ri_65]]) && (kd = pw0) then u_79 <= NS <- u_80[u_74]; return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying remove assignments of findcond - Remove assignments on u_79 (definition removed, all usages removed) yields Game 99 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], Y_4[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = Y_4[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_77 = ri_66 <= qD suchthat defined(md_O_enc[u_80[ri_66]], Y_4[ri_66]) && (x_1 = Y_4[ri_66]) && (ke = pw0) then return(md_O_enc[u_80[u_77]]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_74 = ri_65 <= qD suchthat defined(Y_4[ri_65], md_O_enc[u_80[ri_65]]) && (m = md_O_enc[u_80[ri_65]]) && (kd = pw0) then return(Y_4[u_74]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then Y_4 <-R G; return(Y_4) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge variables (X_1, Y_4) (no branch variables) yields Game 100 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else {112} find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], X_1[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = X_1[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then X_1 <-R G; return(X_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying insert instruction find jh' <= qH1, jd <= qD suchthat defined(x11[jh'], x12[jh'], x13[jh'], x14[jh'], r_6[jh'], m[jd], kd[jd], X_1[jd]) && (m[jd] = md_O_enc) && (U = x11[jh']) && (S = x12[jh']) && (X_s = x13[jh']) && (x14[jh'] = X_1[jd]) && (auth_s = r_6[jh']) && (kd[jd] = pw0) then event_abort Auth2 at occurrence 112 [probability Pr[event Auth2 in game 101 with public variables sk_s, sk_u]] yields Game 101 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh' = jh'_1 <= qH1, jd = jd_1 <= qD suchthat defined(x11[jh'_1], x12[jh'_1], x13[jh'_1], x14[jh'_1], r_6[jh'_1], m[jd_1], kd[jd_1], X_1[jd_1]) && (m[jd_1] = md_O_enc) && (U = x11[jh'_1]) && (S = x12[jh'_1]) && (X_s = x13[jh'_1]) && (x14[jh'_1] = X_1[jd_1]) && (auth_s = r_6[jh'_1]) && (kd[jd_1] = pw0) then event_abort Auth2 else {160} find jh = jh_1 <= qH1, u_78 = ri_67 <= qD suchthat defined(x11[jh_1], x12[jh_1], x13[jh_1], x14[jh_1], r_6[jh_1], u_80[ri_67], X_1[ri_67]) && (u_80[ri_67] = iS) && (U = x11[jh_1]) && (S = x12[jh_1]) && (X_s = x13[jh_1]) && (x14[jh_1] = X_1[ri_67]) && (auth_s = r_6[jh_1]) then event_abort Auth ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then X_1 <-R G; return(X_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify - Simplification pass - Remove branch 1 in find at 160 - Find at 160 removed (else branch kept if any) yields Game 102 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh' = jh'_1 <= qH1, jd = jd_1 <= qD suchthat defined(x11[jh'_1], x12[jh'_1], x13[jh'_1], x14[jh'_1], r_6[jh'_1], m[jd_1], kd[jd_1], X_1[jd_1]) && (m[jd_1] = md_O_enc) && (U = x11[jh'_1]) && (S = x12[jh'_1]) && (X_s = x13[jh'_1]) && (x14[jh'_1] = X_1[jd_1]) && (auth_s = r_6[jh'_1]) && (kd[jd_1] = pw0) then event_abort Auth2 ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else {273} find [unique] u_80 = ri_38 <= NS suchthat defined(md_O_enc[ri_38]) && (m = md_O_enc[ri_38]) && (kd = pw0) then X_1 <-R G; return(X_1) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying merge branches - Merge all branches of find at 273 yields Game 103 is Ostart() := pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_59 = ri_56 <= qE suchthat defined(ke[ri_56], md_O_enc_2[ri_56]) && (Ystar_u = md_O_enc_2[ri_56]) && (pw0 = ke[ri_56]) then event_abort Encrypt orfind u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else find jh' = jh'_1 <= qH1, jd = jd_1 <= qD suchthat defined(x11[jh'_1], x12[jh'_1], x13[jh'_1], x14[jh'_1], r_6[jh'_1], m[jd_1], kd[jd_1], X_1[jd_1]) && (m[jd_1] = md_O_enc) && (U = x11[jh'_1]) && (S = x12[jh'_1]) && (X_s = x13[jh'_1]) && (x14[jh'_1] = X_1[jd_1]) && (auth_s = r_6[jh'_1]) && (kd[jd_1] = pw0) then event_abort Auth2 ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify with collision elimination at variables: pw0 [probability (0.5 * qD^2 + 0.5 * qE^2) / |G| + 0.5 * qH1^2 / |hash1| + (NS + NU) / |passwd|] - Global dependency analysis on pw0 yields Game 104 is Ostart() := {2}pw0 <-R passwd; return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then ( if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) else {99} find ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Applying simplify with collision elimination at variables: pw0 - Simplification pass - Find at 99 removed (else branch kept if any) - Remove random number generation at 2 yields Game 105 is Ostart() := return(); (( foreach iU <= NU do OC1() := X_6 <-R G; return(U, X_6); OC2(=S, Ystar_u: G) := find [unique] u_61 = ri_58 <= NS suchthat defined(md_O_enc[ri_58]) && (Ystar_u = md_O_enc[ri_58]) then r_10 <-R hash0; sk_u: hash0 <- r_10; r_4 <-R hash1; return(r_4) else r_12 <-R hash0; sk_u: hash0 <- r_12; r_4 <-R hash1; return(r_4) ) | ( foreach iS <= NS do OS1(=U, X_s: G) := md_O_enc <-R G; return(S, md_O_enc); OS2(auth_s: hash1) := find j = j_1 <= NU suchthat defined(X_6[j_1]) && (X_6[j_1] = X_s) then if defined(r_10[j], r_4[j], u_61[j]) && (iS = u_61[j]) then if auth_s = r_4[j] then sk_s: hash0 <- r_10[j]; return() ) | ( foreach iP <= NP do OP() := X_3 <-R G; md_O_enc_1 <-R G; r_5 <-R hash1; return(U, X_3, S, md_O_enc_1, r_5) ) | ( foreach iE <= qE do Oenc(x_1: G, ke: passwd) := find [unique] u_47 = ri_44 <= qD suchthat defined(m[ri_44], kd[ri_44], X_1[ri_44]) && (x_1 = X_1[ri_44]) && (ke = kd[ri_44]) then return(m[u_47]) orfind u_44 = ri_41 <= qE suchthat defined(md_O_enc_2[ri_41], ke[ri_41], x_1[ri_41]) && (x_1 = x_1[ri_41]) && (ke = ke[ri_41]) then return(md_O_enc_2[u_44]) else md_O_enc_2 <-R G; return(md_O_enc_2) ) | ( foreach iD <= qD do Odec(m: G, kd: passwd) := find [unique] u_42 = ri_39 <= qD suchthat defined(X_1[ri_39], kd[ri_39], m[ri_39]) && (m = m[ri_39]) && (kd = kd[ri_39]) then return(X_1[u_42]) orfind u_39 = ri_36 <= qE suchthat defined(x_1[ri_36], ke[ri_36], md_O_enc_2[ri_36]) && (m = md_O_enc_2[ri_36]) && (kd = ke[ri_36]) then return(x_1[u_39]) else X_1 <-R G; return(X_1) ) | ( foreach iH <= qH0 do OH(x1: bitstring) := let concat(x01: host, x02: host, x03: G, x04: G, x05: G) = x1 in find [unique] u_5 = ri_5 <= qH0 suchthat defined(r_2[ri_5], x01[ri_5], x02[ri_5], x03[ri_5], x04[ri_5], x05[ri_5]) && (x05 = x05[ri_5]) && (x04 = x04[ri_5]) && (x03 = x03[ri_5]) && (x02 = x02[ri_5]) && (x01 = x01[ri_5]) then return(r_2[u_5]) else r_2 <-R hash0; return(r_2) else find [unique] u = ri <= qH0 suchthat defined(r_3[ri], x1[ri]) && (x1 = x1[ri]) then return(r_3[u]) else r_3 <-R hash0; return(r_3) ) | ( foreach iH_1 <= qH1 do OH_1(x1_1: bitstring) := let concat(x11: host, x12: host, x13: G, x14: G, x15: G) = x1_1 in find [unique] u_21 = ri_21 <= qH1 suchthat defined(r_6[ri_21], x11[ri_21], x12[ri_21], x13[ri_21], x14[ri_21], x15[ri_21]) && (x15 = x15[ri_21]) && (x14 = x14[ri_21]) && (x13 = x13[ri_21]) && (x12 = x12[ri_21]) && (x11 = x11[ri_21]) then return(r_6[u_21]) else r_6 <-R hash1; return(r_6) else find [unique] u_16 = ri_16 <= qH1 suchthat defined(r_7[ri_16], x1_1[ri_16]) && (x1_1 = x1_1[ri_16]) then return(r_7[u_16]) else r_7 <-R hash1; return(r_7) )) Proved event(Auth2) ==> false with public variables sk_s, sk_u in game 105 Proved event(cdh_8) ==> false with public variables sk_u, sk_s in game 105 Proved event(cdh_7) ==> false with public variables sk_u, sk_s in game 105 Proved event(cdh_6) ==> false with public variables sk_u, sk_s in game 105 Proved event(cdh_5) ==> false with public variables sk_u, sk_s in game 105 Proved event(cdh_4) ==> false with public variables sk_s, sk_u in game 105 Proved event(cdh_3) ==> false with public variables sk_s, sk_u in game 105 Proved event(cdh_2) ==> false with public variables sk_s, sk_u in game 105 Proved event(cdh_1) ==> false with public variables sk_s, sk_u in game 105 Proved event(cdh) ==> false with public variables sk_s, sk_u in game 105 Proved event(Encrypt) ==> false with public variables sk_u, sk_s in game 105 Proved event(Auth) ==> false with public variables sk_s, sk_u in game 105 Adv[Game 1: event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s] <= 0 + Adv[Game 2: event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s] Adv[Game 2: event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s] <= 0.5 * NU^2 / |Z| RESULT Proved event(acceptU(x, X, y, Ystar, a, k, u)) && event(acceptU(x, X, y, Ystar, a, k', u')) ==> (u = u') with public variables sk_u, sk_s up to probability 0.5 * NU^2 / |Z| Adv[Game 1: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s] <= (2 * NP * qH1 + 1.5 * NP^2 + NU * NP + NS * NP + 2.5 * NU^2 + NS^2) / |Z| + NS / |hash1| + Adv[Game 19: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s] Adv[Game 19: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s] <= 0 + Adv[Game 20: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Auth] Adv[Game 20: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Auth] <= (qE * NP + qE * NS + 4 * NP * qH1 + 2 * NS * qD + 3 * NS * NU + NP * qD + NP * NU + 2 * NS * NP + 1.5 * NS^2 + NP^2 + NU^2) / |Z| + (2 * qH0 * NU + 2 * qH1 * NU + NU^2 + 2 * NU * qD + qD^2 + 2 * NU * NS + 2 * qD * NS + NS^2 + 2 * NU * NP + 2 * qD * NP + 2 * NS * NP + NP^2 + 2 * NU * qE + 2 * qD * qE + 2 * NS * qE + 2 * NP * qE + qE^2 - NU - qD - NS - NP - qE) / |G| + Adv[Game 30: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Auth] Adv[Game 30: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Auth] <= 0 + Adv[Game 31: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Encrypt || Auth] Adv[Game 31: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Encrypt || Auth] <= (NU * qH0 + NU * qH1 + 4 * NP * qH1) / |Z| + (qH0 * NU + qH1 * NU) / |G| + Adv[Game 37: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Encrypt || Auth] Adv[Game 37: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, Encrypt || Auth] <= 0 + Adv[Game 38: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] Adv[Game 38: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] <= 0 + Adv[Game 38: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 38: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Adv[Game 39: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 39: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (NS * qH1 + 2 * NU * qH1 + NS * qH0 + 2 * NU * qH0 + NP * qH0 + 2 * NP * qH1 + qD * qH0 + qD * qH1) / |Z| + Pr[Game 41: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] + Adv[Game 41: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s] Pr[Game 41: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (qE * NS + NS + 0.5 * NP^2 + qE * NP + qE * NU + NU * NS + NP * NS + qD * NS + NS^2) / |G| + 0.5 * qH1^2 / |hash1| + (qH1 + qH0) * pCDH(time_1) + (NP^2 + NU^2 + 0.5 * qD^2 + qD * NU + NP * qD + 2 * NP * NU + 2 * NU * NS + 2 * NP * NS + 2 * NS^2 + 2 * qD * NS) / |Z| + Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (0.5 * qE^2 + 0.5 * qD^2) / |G| + 0.5 * qH1^2 / |hash1| + (NU + NS) / |passwd| + Pr[Game 105: cdh_5] + Pr[Game 105: cdh_6] + Pr[Game 105: cdh_7] + Pr[Game 105: cdh_8] + Pr[Game 105: cdh] + Pr[Game 105: cdh_1] + Pr[Game 105: cdh_2] + Pr[Game 105: cdh_3] + Pr[Game 105: cdh_4] + Pr[Game 105: Encrypt] + Pr[Game 105: Auth2] + Pr[Game 105: Auth] Pr[Game 105: cdh_5] <= 0 Pr[Game 105: cdh_6] <= 0 Pr[Game 105: cdh_7] <= 0 Pr[Game 105: cdh_8] <= 0 Pr[Game 105: cdh] <= 0 Pr[Game 105: cdh_1] <= 0 Pr[Game 105: cdh_2] <= 0 Pr[Game 105: cdh_3] <= 0 Pr[Game 105: cdh_4] <= 0 Pr[Game 105: Encrypt] <= 0 Pr[Game 105: Auth2] <= 0 Pr[Game 105: Auth] <= 0 Adv[Game 41: inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s] <= (NU * NS + NP * NS + 0.5 * NS^2 + qD * NS) / |Z| + 0.5 * NS^2 / |G| RESULT Proved inj-event(termS(x, X, y, Ystar, a, k)) ==> inj-event(acceptU(x, X, y, Ystar, a, k, u)) with public variables sk_u, sk_s up to probability (NS + qH1^2) / |hash1| + (qE * NP + qE * NS + NS * qH1 + 3 * NU * qH1 + NS * qH0 + 3 * NU * qH0 + NP * qH0 + 12 * NP * qH1 + qD * qH0 + qD * qH1 + 3.5 * NP^2 + 4.5 * NU^2 + 0.5 * qD^2 + qD * NU + 2 * NP * qD + 4 * NP * NU + 6 * NU * NS + 6 * NP * NS + 5 * NS^2 + 5 * qD * NS) / |Z| + (NU^2 + 2 * NU * qD + 2 * NU * NP + 2 * qD * NP + 2 * qD * qE + 3 * qH0 * NU + 3 * qH1 * NU + 3 * qE * NS + 1.5 * NP^2 + 3 * qE * NP + 3 * qE * NU + 3 * NU * NS + 3 * NP * NS + 3 * qD * NS + 1.5 * qE^2 + 1.5 * qD^2 + 2.5 * NS^2 - NU - qD - NP - qE) / |G| + (qH1 + qH0) * pCDH(time_1) + (NU + NS) / |passwd| Adv[Game 1: secrecy of sk_s] <= (4 * NP * qH1 + 3 * NP^2 + 2 * NU * NP + 2 * NS * NP + 5 * NU^2 + 2 * NS^2) / |Z| + 2 * NS / |hash1| + Adv[Game 19: secrecy of sk_s] Adv[Game 19: secrecy of sk_s] <= 0 + Adv[Game 20: secrecy of sk_s, Auth] Adv[Game 20: secrecy of sk_s, Auth] <= (2 * qE * NP + 2 * qE * NS + 8 * NP * qH1 + 4 * NS * qD + 6 * NS * NU + 2 * NP * qD + 2 * NP * NU + 4 * NS * NP + 3 * NS^2 + 2 * NP^2 + 2 * NU^2) / |Z| + (4 * qH0 * NU + 4 * qH1 * NU + 2 * NU^2 + 4 * NU * qD + 2 * qD^2 + 4 * NU * NS + 4 * qD * NS + 2 * NS^2 + 4 * NU * NP + 4 * qD * NP + 4 * NS * NP + 2 * NP^2 + 4 * NU * qE + 4 * qD * qE + 4 * NS * qE + 4 * NP * qE + 2 * qE^2 - 2 * NU - 2 * qD - 2 * NS - 2 * NP - 2 * qE) / |G| + Adv[Game 30: secrecy of sk_s, Auth] Adv[Game 30: secrecy of sk_s, Auth] <= 0 + Adv[Game 31: secrecy of sk_s, Encrypt || Auth] Adv[Game 31: secrecy of sk_s, Encrypt || Auth] <= (2 * NU * qH0 + 2 * NU * qH1 + 8 * NP * qH1) / |Z| + (2 * qH0 * NU + 2 * qH1 * NU) / |G| + Adv[Game 37: secrecy of sk_s, Encrypt || Auth] Adv[Game 37: secrecy of sk_s, Encrypt || Auth] <= 0 + Adv[Game 38: secrecy of sk_s, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] Adv[Game 38: secrecy of sk_s, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] <= 0 + Adv[Game 38: secrecy of sk_s, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 38: secrecy of sk_s, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Adv[Game 39: secrecy of sk_s, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 39: secrecy of sk_s, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (2 * NU * NS + 2 * NP * NS + NS^2 + 2 * qD * NS + 2 * NS * qH1 + 4 * NU * qH1 + 2 * NS * qH0 + 4 * NU * qH0 + 2 * NP * qH0 + 4 * NP * qH1 + 2 * qD * qH0 + 2 * qD * qH1) / |Z| + Pr[Game 44: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] + Adv[Game 44: secrecy of sk_s] Pr[Game 44: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (qE * NS + NS + 0.5 * NP^2 + qE * NP + qE * NU + NU * NS + NP * NS + qD * NS + NS^2) / |G| + 0.5 * qH1^2 / |hash1| + (qH1 + qH0) * pCDH(time_1) + (NP^2 + NU^2 + 0.5 * qD^2 + qD * NU + NS * qD + NS * NU + NS * NP + NP * qD + 2 * NP * NU + 1.5 * NS^2) / |Z| + Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (0.5 * qE^2 + 0.5 * qD^2) / |G| + 0.5 * qH1^2 / |hash1| + (NU + NS) / |passwd| + Pr[Game 105: cdh_5] + Pr[Game 105: cdh_6] + Pr[Game 105: cdh_7] + Pr[Game 105: cdh_8] + Pr[Game 105: cdh] + Pr[Game 105: cdh_1] + Pr[Game 105: cdh_2] + Pr[Game 105: cdh_3] + Pr[Game 105: cdh_4] + Pr[Game 105: Encrypt] + Pr[Game 105: Auth2] + Pr[Game 105: Auth] Pr[Game 105: cdh_5] <= 0 Pr[Game 105: cdh_6] <= 0 Pr[Game 105: cdh_7] <= 0 Pr[Game 105: cdh_8] <= 0 Pr[Game 105: cdh] <= 0 Pr[Game 105: cdh_1] <= 0 Pr[Game 105: cdh_2] <= 0 Pr[Game 105: cdh_3] <= 0 Pr[Game 105: cdh_4] <= 0 Pr[Game 105: Encrypt] <= 0 Pr[Game 105: Auth2] <= 0 Pr[Game 105: Auth] <= 0 Adv[Game 44: secrecy of sk_s] <= 2 * NS^2 / |Z| RESULT Proved secrecy of sk_s up to probability (2 * NS + qH1^2) / |hash1| + (2 * qE * NP + 2 * qE * NS + 2 * NS * qH1 + 6 * NU * qH1 + 2 * NS * qH0 + 6 * NU * qH0 + 2 * NP * qH0 + 24 * NP * qH1 + 2 * qD * qH0 + 2 * qD * qH1 + 6 * NP^2 + 8 * NU^2 + 0.5 * qD^2 + qD * NU + 7 * NS * qD + 9 * NS * NU + 9 * NS * NP + 3 * NP * qD + 6 * NP * NU + 9.5 * NS^2) / |Z| + (2 * NU^2 + 4 * NU * qD + 4 * NU * NP + 4 * qD * NP + 4 * qD * qE + 6 * qH0 * NU + 6 * qH1 * NU + 5 * qE * NS + 2.5 * NP^2 + 5 * qE * NP + 5 * qE * NU + 5 * NU * NS + 5 * NP * NS + 5 * qD * NS + 3 * NS^2 + 2.5 * qE^2 + 2.5 * qD^2 - NS - 2 * NU - 2 * qD - 2 * NP - 2 * qE) / |G| + (qH1 + qH0) * pCDH(time_1) + (NU + NS) / |passwd| Adv[Game 1: secrecy of sk_u] <= (4 * NP * qH1 + 3 * NP^2 + 2 * NU * NP + 2 * NS * NP + 5 * NU^2 + 2 * NS^2) / |Z| + 2 * NS / |hash1| + Adv[Game 19: secrecy of sk_u] Adv[Game 19: secrecy of sk_u] <= 0 + Adv[Game 20: secrecy of sk_u, Auth] Adv[Game 20: secrecy of sk_u, Auth] <= (2 * qE * NP + 2 * qE * NS + 8 * NP * qH1 + 4 * NS * qD + 6 * NS * NU + 2 * NP * qD + 2 * NP * NU + 4 * NS * NP + 3 * NS^2 + 2 * NP^2 + 2 * NU^2) / |Z| + (4 * qH0 * NU + 4 * qH1 * NU + 2 * NU^2 + 4 * NU * qD + 2 * qD^2 + 4 * NU * NS + 4 * qD * NS + 2 * NS^2 + 4 * NU * NP + 4 * qD * NP + 4 * NS * NP + 2 * NP^2 + 4 * NU * qE + 4 * qD * qE + 4 * NS * qE + 4 * NP * qE + 2 * qE^2 - 2 * NU - 2 * qD - 2 * NS - 2 * NP - 2 * qE) / |G| + Adv[Game 30: secrecy of sk_u, Auth] Adv[Game 30: secrecy of sk_u, Auth] <= 0 + Adv[Game 31: secrecy of sk_u, Encrypt || Auth] Adv[Game 31: secrecy of sk_u, Encrypt || Auth] <= (2 * NU * qH0 + 2 * NU * qH1 + 8 * NP * qH1) / |Z| + (2 * qH0 * NU + 2 * qH1 * NU) / |G| + Adv[Game 37: secrecy of sk_u, Encrypt || Auth] Adv[Game 37: secrecy of sk_u, Encrypt || Auth] <= 0 + Adv[Game 38: secrecy of sk_u, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] Adv[Game 38: secrecy of sk_u, cdh_4 || cdh_3 || cdh_2 || cdh_1 || cdh || Encrypt || Auth] <= 0 + Adv[Game 38: secrecy of sk_u, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 38: secrecy of sk_u, cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Adv[Game 39: secrecy of sk_u, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Adv[Game 39: secrecy of sk_u, cdh_8 || cdh_7 || cdh_6 || cdh_5 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (2 * NS * qH1 + 4 * NU * qH1 + 2 * NS * qH0 + 4 * NU * qH0 + 2 * NP * qH0 + 4 * NP * qH1 + 2 * qD * qH0 + 2 * qD * qH1) / |Z| + Pr[Game 41: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] + Adv[Game 41: secrecy of sk_u] Pr[Game 41: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (qE * NS + NS + 0.5 * NP^2 + qE * NP + qE * NU + NU * NS + NP * NS + qD * NS + NS^2) / |G| + 0.5 * qH1^2 / |hash1| + (qH1 + qH0) * pCDH(time_1) + (NP^2 + NU^2 + 0.5 * qD^2 + qD * NU + NP * qD + 2 * NP * NU + 2 * NU * NS + 2 * NP * NS + 2 * NS^2 + 2 * qD * NS) / |Z| + Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 100: cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= 0 + Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] Pr[Game 101: Auth2 || cdh_5 || cdh_6 || cdh_7 || cdh_8 || cdh || cdh_1 || cdh_2 || cdh_3 || cdh_4 || Encrypt || Auth] <= (0.5 * qE^2 + 0.5 * qD^2) / |G| + 0.5 * qH1^2 / |hash1| + (NU + NS) / |passwd| + Pr[Game 105: cdh_5] + Pr[Game 105: cdh_6] + Pr[Game 105: cdh_7] + Pr[Game 105: cdh_8] + Pr[Game 105: cdh] + Pr[Game 105: cdh_1] + Pr[Game 105: cdh_2] + Pr[Game 105: cdh_3] + Pr[Game 105: cdh_4] + Pr[Game 105: Encrypt] + Pr[Game 105: Auth2] + Pr[Game 105: Auth] Pr[Game 105: cdh_5] <= 0 Pr[Game 105: cdh_6] <= 0 Pr[Game 105: cdh_7] <= 0 Pr[Game 105: cdh_8] <= 0 Pr[Game 105: cdh] <= 0 Pr[Game 105: cdh_1] <= 0 Pr[Game 105: cdh_2] <= 0 Pr[Game 105: cdh_3] <= 0 Pr[Game 105: cdh_4] <= 0 Pr[Game 105: Encrypt] <= 0 Pr[Game 105: Auth2] <= 0 Pr[Game 105: Auth] <= 0 Adv[Game 41: secrecy of sk_u] <= (4 * qH0 * NU + 4 * qD * qH0 + 4 * qH0 * NS + 4 * qH0 * NP + 2 * NS * NU + NU^2 + 2 * NS * qD + NS^2 + 2 * NS * NP) / |Z| RESULT Proved secrecy of sk_u up to probability (2 * NS + qH1^2) / |hash1| + (2 * qE * NP + 2 * qE * NS + 2 * NS * qH1 + 6 * NU * qH1 + 24 * NP * qH1 + 2 * qD * qH1 + 6 * NP^2 + 0.5 * qD^2 + qD * NU + 3 * NP * qD + 6 * NP * NU + 10 * qH0 * NU + 6 * qD * qH0 + 6 * qH0 * NS + 6 * qH0 * NP + 10 * NS * NU + 9 * NU^2 + 8 * NS * qD + 8 * NS^2 + 10 * NS * NP) / |Z| + (2 * NU^2 + 4 * NU * qD + 4 * NU * NP + 4 * qD * NP + 4 * qD * qE + 6 * qH0 * NU + 6 * qH1 * NU + 5 * qE * NS + 2.5 * NP^2 + 5 * qE * NP + 5 * qE * NU + 5 * NU * NS + 5 * NP * NS + 5 * qD * NS + 3 * NS^2 + 2.5 * qE^2 + 2.5 * qD^2 - NS - 2 * NU - 2 * qD - 2 * NP - 2 * qE) / |G| + (qH1 + qH0) * pCDH(time_1) + (NU + NS) / |passwd| RESULT time_1 = (qH0 + qH1) * time(let concat) + qH0^2 * time(= bitstring, maxlength(game 47: x1), maxlength(game 47: x1)) + qH1^2 * time(= bitstring, maxlength(game 47: x1_1), maxlength(game 47: x1_1)) + time + (1 + 2 * NU + NS + 2 * NP + qD) * time(exp) All queries proved.