(* Question 4: Encrypt-then-MAC with UF-CMA MAC is not INT-CTXT *)

param N, Nd.

type mkey [fixed].
type key [fixed].
type macs [bounded].

fun k2b(key):bitstring [data].

(* Shared-key encryption (CPA Stream cipher) *)

proba Penc.

expand IND_CPA_sym_enc(key, bitstring, bitstring, enc, dec, injbot, Z, Penc).

(* The function Z returns for each bitstring, a bitstring
   of the same length, consisting only of zeroes. *)
const Zk:bitstring.
equation forall y:key; 
	Z(k2b(y)) = Zk.

(* Mac *)

proba Pmac.

expand UF_CMA_proba_mac(mkey, bitstring, macs, mac, verify, Pmac).

(* Queries *)

event bad.

query event(bad) ==> false.

channel start, c1, lr, c_dec.

letfun enc'(k: key, mk:mkey, m: bitstring) =
      let e = enc(m,k) in
      (e, mac(e,mk)).

letfun dec'(k: key, mk: mkey, c: bitstring) =
      let (e: bitstring, m: macs) = c in
      (
         if verify(e, mk, m) then
            dec(e, k)
         else
            bottom
      )
      else
         bottom.

let Oenc(k: key, mk:mkey) =
       ! N
       in(lr, m0: bitstring);
       let ciphertext': bitstring = 
              enc'(k,mk,m0)
       in
       out(lr, ciphertext').


let Odec(k: key, mk: mkey) =
       ! Nd
       in(c_dec, ciphertext: bitstring);
       find j <= N suchthat defined(ciphertext'[j]) && ciphertext'[j] = ciphertext then
           out(c_dec, dec'(k, mk, ciphertext) <> bottom)
       else
           if dec'(k, mk, ciphertext) <> bottom then event bad else out(c_dec, true).


process 
	in(start, ());
	new k: key;
	new mk: mkey;
	out(c1, ());
	Oenc(k,mk) | Odec(k,mk)