VerifHub

VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides unique URIs for each shared model which includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.

Switch to Diagram View

my_protocol.vp

Submitted on 13 Aug 25 01:54 UTC.

attacker[active]

principal Ta[
]

principal Alice[
]

principal Bob[
]

principal Blockchain[
]

principal Ta[
	knows private sk_ta
	pk_ta = G^sk_ta
	generates vc_a
	signed_vc_a = SIGN(sk_ta, vc_a)
]

Ta -> Alice: [pk_ta], [vc_a], [signed_vc_a]

Ta -> Bob: [pk_ta]

principal Alice[
	knows private sk_auth_a
	_ = SIGNVERIF(pk_ta, vc_a, signed_vc_a)?
	pk_auth_a = G^sk_auth_a
	knows public dida
	knows public didb
]

principal Bob[
	knows private sk_sig_b
	pk_sig_b = G^sk_sig_b
	knows public didb
	knows public dida
]

Alice -> Blockchain: [pk_auth_a]

Bob -> Blockchain: [pk_sig_b]

phase[1]

Blockchain -> Bob: [pk_auth_a]

principal Alice[
	generates ts1
	h_a_1 = HASH(CONCAT(dida, ts1))
	sign_a_1 = SIGN(sk_auth_a, h_a_1)
]

Alice -> Bob: ts1, sign_a_1

phase[2]

principal Bob[
	h_a_1_loc = HASH(CONCAT(dida, ts1))
	_ = SIGNVERIF(pk_auth_a, h_a_1_loc, sign_a_1)?
	generates ts2
	h_b_1 = HASH(CONCAT(didb, ts2, h_a_1_loc))
	sign_b_1 = SIGN(sk_sig_b, h_b_1)
]

Bob -> Alice: ts2, sign_b_1

phase[3]

Blockchain -> Alice: [pk_sig_b]

principal Alice[
	h_b_chk = HASH(CONCAT(didb, ts2, h_a_1))
	_ = SIGNVERIF(pk_sig_b, h_b_chk, sign_b_1)?
	generates sk_auth_a_new
	pk_auth_a_new = G^sk_auth_a_new
	generates ts3
	payload = CONCAT(signed_vc_a, vc_a, pk_auth_a_new)
	m_enc = PKE_ENC(pk_sig_b, payload)
	h_a_2 = HASH(CONCAT(m_enc, ts3, h_b_chk))
	sign_a_2 = SIGN(sk_auth_a, h_a_2)
]

Alice -> Bob: ts3, m_enc, sign_a_2

phase[4]

principal Bob[
	h_a_2_chk = HASH(CONCAT(m_enc, ts3, h_b_1))
	_ = SIGNVERIF(pk_auth_a, h_a_2_chk, sign_a_2)?
	payload_dec = PKE_DEC(sk_sig_b, m_enc)
	signed_vc_a_, vc_a_, pk_auth_a_new_ = SPLIT(payload_dec)
	_ = SIGNVERIF(pk_ta, vc_a_, signed_vc_a_)?
	generates ts4
	h_b_2 = HASH(CONCAT(h_a_2_chk, ts4, didb))
	sign_b_2 = SIGN(sk_sig_b, h_b_2)
]

Bob -> Alice: ts4, sign_b_2

phase[5]

principal Alice[
	h_b_2_chk = HASH(CONCAT(h_a_2, ts4, didb))
	_ = SIGNVERIF(pk_sig_b, h_b_2_chk, sign_b_2)?
]

Alice -> Blockchain: [pk_auth_a_new]

phase[6]

principal Alice[
	generates ts5
	h_a_3 = HASH(CONCAT(ts5, dida, h_b_2_chk))
	sign_a_3 = SIGN(sk_auth_a_new, h_a_3)
]

Alice -> Bob: ts5, sign_a_3

Blockchain -> Bob: [pk_auth_a_new]

principal Bob[
	_ = SIGNVERIF(pk_auth_a_new, HASH(CONCAT(ts5, dida, HASH(CONCAT(h_a_2_chk, ts4, didb)))), sign_a_3)?
	msg_b = CONCAT(dida, didb, pk_auth_a_new)
	sign_b_3 = SIGN(sk_sig_b, msg_b)
]

Bob -> Blockchain: [msg_b], [sign_b_3]

queries[
	confidentiality? sk_auth_a
	confidentiality? sk_auth_a_new
	confidentiality? sk_sig_b
	authentication? Bob -> Alice: sign_b_1
	authentication? Bob -> Alice: sign_b_2
	authentication? Alice -> Bob: sign_a_2
	authentication? Alice -> Bob: sign_a_3
	authentication? Alice -> Bob: sign_a_1
	freshness? sign_b_1
	freshness? sign_b_2
	freshness? sign_a_1
	freshness? sign_a_2
	freshness? sign_a_3
	freshness? m_enc
]

Switch to Model View

Title:my_protocol.vp Note over Ta: Note over Alice: Note over Bob: Note over Blockchain: Note over Ta: knows private sk_ta\n pk_ta = G^sk_ta\n generates vc_a\n signed_vc_a = SIGN(sk_ta, vc_a)\n Ta -> Alice: [pk_ta], [vc_a], [signed_vc_a] Ta -> Bob: [pk_ta] Note over Alice: knows private sk_auth_a\n _ = SIGNVERIF(pk_ta, vc_a, signed_vc_a)?\n pk_auth_a = G^sk_auth_a\n knows public dida\n knows public didb\n Note over Bob: knows private sk_sig_b\n pk_sig_b = G^sk_sig_b\n knows public didb\n knows public dida\n Alice -> Blockchain: [pk_auth_a] Bob -> Blockchain: [pk_sig_b] Note left of Ta:phase 1 Blockchain -> Bob: [pk_auth_a] Note over Alice: generates ts1\n h_a_1 = HASH(CONCAT(dida, ts1))\n sign_a_1 = SIGN(sk_auth_a, h_a_1)\n Alice -> Bob: ts1, sign_a_1 Note left of Ta:phase 2 Note over Bob: h_a_1_loc = HASH(CONCAT(dida, ts1))\n _ = SIGNVERIF(pk_auth_a, h_a_1_loc, sign_a_1)?\n generates ts2\n h_b_1 = HASH(CONCAT(didb, ts2, h_a_1_loc))\n sign_b_1 = SIGN(sk_sig_b, h_b_1)\n Bob -> Alice: ts2, sign_b_1 Note left of Ta:phase 3 Blockchain -> Alice: [pk_sig_b] Note over Alice: h_b_chk = HASH(CONCAT(didb, ts2, h_a_1))\n _ = SIGNVERIF(pk_sig_b, h_b_chk, sign_b_1)?\n generates sk_auth_a_new\n pk_auth_a_new = G^sk_auth_a_new\n generates ts3\n payload = CONCAT(signed_vc_a, vc_a, pk_auth_a_new)\n m_enc = PKE_ENC(pk_sig_b, payload)\n h_a_2 = HASH(CONCAT(m_enc, ts3, h_b_chk))\n sign_a_2 = SIGN(sk_auth_a, h_a_2)\n Alice -> Bob: ts3, m_enc, sign_a_2 Note left of Ta:phase 4 Note over Bob: h_a_2_chk = HASH(CONCAT(m_enc, ts3, h_b_1))\n _ = SIGNVERIF(pk_auth_a, h_a_2_chk, sign_a_2)?\n payload_dec = PKE_DEC(sk_sig_b, m_enc)\n signed_vc_a_, vc_a_, pk_auth_a_new_ = SPLIT(payload_dec)\n _ = SIGNVERIF(pk_ta, vc_a_, signed_vc_a_)?\n generates ts4\n h_b_2 = HASH(CONCAT(h_a_2_chk, ts4, didb))\n sign_b_2 = SIGN(sk_sig_b, h_b_2)\n Bob -> Alice: ts4, sign_b_2 Note left of Ta:phase 5 Note over Alice: h_b_2_chk = HASH(CONCAT(h_a_2, ts4, didb))\n _ = SIGNVERIF(pk_sig_b, h_b_2_chk, sign_b_2)?\n Alice -> Blockchain: [pk_auth_a_new] Note left of Ta:phase 6 Note over Alice: generates ts5\n h_a_3 = HASH(CONCAT(ts5, dida, h_b_2_chk))\n sign_a_3 = SIGN(sk_auth_a_new, h_a_3)\n Alice -> Bob: ts5, sign_a_3 Blockchain -> Bob: [pk_auth_a_new] Note over Bob: _ = SIGNVERIF(pk_auth_a_new, HASH(CONCAT(ts5, dida, HASH(CONCAT(h_a_2_chk, ts4, didb)))), sign_a_3)?\n msg_b = CONCAT(dida, didb, pk_auth_a_new)\n sign_b_3 = SIGN(sk_sig_b, msg_b)\n Bob -> Blockchain: [msg_b], [sign_b_3]

Analysis Results

The model submitter provided the following analysis results:

Query 1 (Confidentiality): PASS
Query 2 (Confidentiality): PASS
Query 3 (Confidentiality): PASS
Query 4 (Authentication): PASS
Query 5 (Authentication): PASS
Query 6 (Authentication): PASS
Query 7 (Authentication): PASS
Query 8 (Authentication): PASS
Query 9 (Freshness): PASS
Query 10 (Freshness): PASS
Query 11 (Freshness): PASS
Query 12 (Freshness): PASS
Query 13 (Freshness): PASS
Query 14 (Freshness): PASS

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.

© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.