Unknown key-share resistanceHEAD master

author: Jason A. Donenfeld <Jason@zx2c4.com> 2017-07-17 18:17:38 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2017-07-17 18:17:38 +0200
commit: a61c234daa9f948062e8a1b473c6a1be05f538d0 (patch)
tree: cece2858e223cdc3cf89a932cab80d9afcacf514
parent: .io -> .com (diff)
download: wireguard-tamarin-master.tar.xz
wireguard-tamarin-master.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/wireguard.m4 b/wireguard.m4
index a286b77..8137c3c 100644
--- a/wireguard.m4
+++ b/wireguard.m4
@@ -298,6 +298,12 @@ lemma R_disagreement_implies_Si_or_SrEr_compromise_and_PSK_compromise[reuse]:
         | (Ex #j #j2. Reveal_AK(pkr) @ j & Reveal_EphK(pekr) @ j2 & #j2 < #i & #j < #i)
         )"
 
+lemma UKS_resistance:
+    "All pki1 pki2 pkr1 pkr2 peki1 peki2 pekr1 pekr2 psk1 psk2 ck #i #j.
+        IKeys(<pki1, pkr1, peki1, pekr1, psk1, ck>) @ i
+        & RKeys(<pki2, pkr2, peki2, pekr2, psk2, ck>) @ j
+    ==> pki1 = pki2 & pkr1 = pkr2 & peki1 = peki2 & pekr1 = pekr2 & psk1 = psk2"
+
 lemma session_uniqueness:
     /* For both I and R, a 'confirmed session key' will always be unique (even if all keys are compromised)
      * This follows from I and R generating random ephemeral values. Note that this could be violated if the
author	Jason A. Donenfeld <Jason@zx2c4.com>	2017-07-17 18:17:38 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2017-07-17 18:17:38 +0200
commit	a61c234daa9f948062e8a1b473c6a1be05f538d0 (patch)
tree	cece2858e223cdc3cf89a932cab80d9afcacf514
parent	.io -> .com (diff)
download	wireguard-tamarin-master.tar.xz wireguard-tamarin-master.zip