VerifHub

VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides unique URIs for each shared model which includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.

Switch to Diagram View

static_pwd_shares.vp

Submitted on 05 Jul 20 09:24 UTC.

attacker[active]

principal Pwdserver1[
	knows private s1
	knows private s3
	gs1 = G^s1
	gs3 = G^s3
]

principal Pwdserver2[
	knows private s2
	gs2 = G^s2
]

Pwdserver1 -> Alice: [gs1]

Pwdserver1 -> Pwdserver2: [gs3]

Pwdserver2 -> Alice: [gs2]

principal Alice[
	generates pwd
	hpwd = HASH(pwd)
	a, b, _ = SHAMIR_SPLIT(hpwd)
	ea = PKE_ENC(gs1, a)
	eb = PKE_ENC(gs2, b)
]

Alice -> Pwdserver1: ea

Alice -> Pwdserver2: eb

phase[1]

principal Pwdserver1[
	leaks s3
]

principal Alice[
	aa, ab, _ = SHAMIR_SPLIT(hpwd)
	aea = PKE_ENC(gs2, aa)
	aeb = PKE_ENC(gs1, ab)
]

Alice -> Pwdserver2: aea

Alice -> Pwdserver1: aeb

principal Pwdserver2[
	h2 = SHAMIR_JOIN(PKE_DEC(s2, aea), PKE_DEC(s2, eb))
	eh2 = PKE_ENC(gs3, h2)
]

Pwdserver2 -> Pwdserver1: eh2

principal Pwdserver1[
	h1 = SHAMIR_JOIN(PKE_DEC(s1, ea), PKE_DEC(s1, aeb))
	_ = ASSERT(h1, PKE_DEC(s3, eh2))?
]

queries[
	confidentiality? hpwd
]

Switch to Model View

Title:static_pwd_shares.vp Note over Pwdserver1: knows private s1\n knows private s3\n gs1 = G^s1\n gs3 = G^s3\n Note over Pwdserver2: knows private s2\n gs2 = G^s2\n Pwdserver1 -> Alice: [gs1] Pwdserver1 -> Pwdserver2: [gs3] Pwdserver2 -> Alice: [gs2] Note over Alice: generates pwd\n hpwd = HASH(pwd)\n a, b, _ = SHAMIR_SPLIT(hpwd)\n ea = PKE_ENC(gs1, a)\n eb = PKE_ENC(gs2, b)\n Alice -> Pwdserver1: ea Alice -> Pwdserver2: eb Note left of Pwdserver1:phase 1 Note over Pwdserver1: leaks s3\n Note over Alice: aa, ab, _ = SHAMIR_SPLIT(hpwd)\n aea = PKE_ENC(gs2, aa)\n aeb = PKE_ENC(gs1, ab)\n Alice -> Pwdserver2: aea Alice -> Pwdserver1: aeb Note over Pwdserver2: h2 = SHAMIR_JOIN(PKE_DEC(s2, aea), PKE_DEC(s2, eb))\n eh2 = PKE_ENC(gs3, h2)\n Pwdserver2 -> Pwdserver1: eh2 Note over Pwdserver1: h1 = SHAMIR_JOIN(PKE_DEC(s1, ea), PKE_DEC(s1, aeb))\n _ = ASSERT(h1, PKE_DEC(s3, eh2))?\n

Analysis Results

The model submitter provided the following analysis results:

Query 1 (Confidentiality): FAIL

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.

Discuss This Model

© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.