@@ -313,7 +313,7 @@ lemma identity_hiding: * same position as the public static. */ "All pki pkr peki pekr ck surrogate #i #j. /* If R received a handshake init with a particular identity surrogate */ - RKeys(<pki,pkr,peki,pekr,ck>) @ i & Identity_Surrogate(surrogate) @...
lemma I_disagreement_implies_Sr_or_SiEi_compromise_and_PSK_compromise[reuse]: "All pki pkr peki pekr psk ck #i. - //If I believes they have completed a handshake with R + /* If I believes they have completed a handshake with R */ IKeys(<pki,pkr,peki,pekr,psk,ck>) @ i ...
-/* We're not going to model the nonce in the aead, since it's always 0 in the handshake. */
+/* Normally an aead would be arity 4, but in the handshake the nonce is always
+ * the fixed value 0 so for legibility we do not include it */ ...