-------------------------------------------------------------------------
- Protocol transformer for bilinear pairings with products in exponents -
-------------------------------------------------------------------------

The protocol transformer is intended for Linux.
It expects SWI Prolog at /usr/bin/swipl, and the system may not find the correct program there.
In that case the path will probably have to be changed in the files pt_notype and pt_withtype.

The protocol transformer requires two programs to be installed:

 - SWI Prolog version 5.8.3 or higher (http://www.swi-prolog.org/Download.html)
 - ProVerif version 1.84 or higher (http://www.proverif.ens.fr/)
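
The script below is an added example, not part of the distribution. It checks the SWI Prolog version requirement and rewrites the interpreter path in both launchers. It assumes the launchers contain the literal string /usr/bin/swipl and that `swipl --version` prints a line of the form "SWI-Prolog version X.Y.Z ...".

```shell
#!/bin/sh
# Added example, not part of the protocol transformer distribution.
# Assumption: the launchers contain the literal string /usr/bin/swipl.

# version_ge A B: succeed if dotted version A >= B, compared numerically.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read `swipl --version` output on stdin, print the bare version number.
parse_swipl_version() {
    sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# fix_swipl_path FILE NEWPATH: point one launcher at NEWPATH, keep FILE.orig.
fix_swipl_path() {
    script=$1 new=$2
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    case $new in
        *'|'*|*'&'*|*'\'*) echo "unsafe path: $new" >&2; return 1 ;;
        /*) ;;
        *) echo "need an absolute path: $new" >&2; return 1 ;;
    esac
    grep -qF "$new" "$script" && return 0            # already patched
    grep -q '/usr/bin/swipl' "$script" || return 0   # nothing hard-coded
    cp -p "$script" "$script.orig"
    sed "s|/usr/bin/swipl|$new|g" "$script.orig" > "$script"
}

# check_and_fix DIR: verify SWI Prolog >= 5.8.3, then patch both launchers.
check_and_fix() {
    dir=${1:-.}
    swipl=$(command -v swipl) || { echo "swipl not in PATH" >&2; return 1; }
    ver=$("$swipl" --version | parse_swipl_version)
    version_ge "${ver:-0}" 5.8.3 || { echo "SWI Prolog '$ver' < 5.8.3" >&2; return 1; }
    for f in pt_notype pt_withtype; do
        fix_swipl_path "$dir/$f" "$swipl" || return 1
    done
}

[ "$#" -eq 0 ] || check_and_fix "$@"   # usage: sh fix_swipl.sh DIR
```

The version comparison is numeric per component, so 5.10.x is correctly treated as newer than 5.8.3.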

The protocol transformer supports only Horn clauses.

A. Without types (pt_notype)

 1. Describing a protocol

  The protocol must first be written in Prolog.
   - Defining functions: same as in ProVerif.
        fun enc/2.
        fun a/0.
   - Query: write only the secret value, without the intruder predicate.
        query sec.
   - Rules: each rule needs the prefix 'rule ::'. Like the query, rules are written without the intruder predicate.
        rule:: point.
   - Auxiliary predicates may be defined, as in common Prolog.
        participant(a).
        honest(b).
        dishonest(c).
   - A set of rules may be generated using auxiliary predicates.
        rule:: X,Y -> e_(X,Y)^n(A) :- honest(A).

  Standard functional symbols that are being transformed:
   - Multiplication: *
   - Multiplication with inverse: *~
   - Exponentiation: ^
   - Exponentiation with inverse: ^~
   - Bilinear mapping: e_

 2. Analyzing the protocol:
   - Run the protocol transformer. It takes two arguments: input and output file. The input file is the protocol description.
        ./pt_notype input_file output_file
   - If there are no errors, the set of generated rules is written to the output file.
   - The output file is ready to be tested with ProVerif:
        ./proverif output_file

B. With types

 1. Describing a protocol

  The protocol transformer supports only Horn clauses.
  The protocol must first be written in Prolog:
   - Defining functions and types: same as in ProVerif.
        type g1.
        fun h(g1):h1.
   - Constants (functions without arguments) that are written with empty parentheses must be enclosed in single quotes.
        fun 'a()':g1.
   - Query: write only the secret value, without the intruder predicate.
        query 'sec()'.
   - Rules: each rule needs the prefix 'rule ::'. Like the query, rules are written without the intruder predicate.
        rule:: 'point()'.
   - Auxiliary predicates may be defined, as in common Prolog.
        participant('a()').
        honest('b()').
        dishonest('c()').
   - A set of rules may be generated using auxiliary predicates.
        rule:: n(X) :- dishonest(X).
   - In horntype, variables need a "forall" declaration. It must be separated from the rule itself by the character #.
        rule:: forall X:g1, Y:g1 # X,Y -> e_(X,Y)^n(A) :- honest(A).

  Standard functional symbols that are being transformed:
   - Multiplication: *
   - Multiplication with inverse: *~
   - Exponentiation: ^
   - Exponentiation with inverse: ^~
   - Bilinear mapping: e_

 2. Analyzing the protocol:
   - Run the protocol transformer. It takes two arguments: input and output file. The input file is the protocol description.
        ./pt_withtype input_file output_file
   - The set of generated rules is written to the output file. The current version does not yet perform syntax checking.
   - The output file is ready to be tested with ProVerif:
        ./proverif -in horntype output_file

C. Pi-calculus
Some examples are written in pi-calculus. They cannot be transformed directly, but they can be run with ProVerif, which outputs the protocol as a set of Horn clauses.
        ./proverif -in pi input_file_in_pi