This is a real scenario when a sender S is, for instance, a laptop manufacturer and wishes to send the laptop R a specific update in a secure manner, but all cryptographic material that S has is a certificate (i.e., a public key) of the TPM (trusted platform module) it had placed on-board R. Below, we give a protocol to possibly cater for this scenario. In Figure 1 , the protocol is depicted. It is a protocol between a sender S (i.e., the manufacturer in the scenario above), a receiver R (i.e., the laptop in the scenario above) and a TPM T on-board R. As we said, the aim of the protocol is that S sends securely a message to R, but S does not have R 's public key nor does it share a symmetric key with R. However, S does know the public key PubTPM of the TPM T found on board R. The channel/communication between R and T is "private", i.e., inaccessible to a Dolev-Yao attacker. The channel between S and R is public (i.e., accessible to a Dolev-Yao attacker). The protocol is as follows. S tells R that it wishes to send a message: i.e., "begin" is sent. R demands T to generate a pair of public and secret keys SK,PK for R. The TPM T generates these and a ticket te stating how long they are valid for. It then sends the public key PK, the ticket te to R and a signature on these. Then, R sends the signature to S. Then, S sends R the message m concatenated with te, all encrypted with PK and signed by S. Upon verification of the signature, R sends the packet from S to T to be decrypted and verified against te. If te is correct, then R receives m back from T. All signatures are with extraction: meaning one can verify them and at the same time find 2. Check the following security goals in Scyther: - agreement on message m between S,R, and T; - synchronisation between S,R, and T; Express these 3-party goals as best you can. Explain your modelling and findings. [13\%] 3. If you find any attack in the above, modify the protocol and check the modification does indeed stop the attack. [10\%] 4. Apart from the results of the analysis you do in Scyther (i.e., beside the Dolev-Yao model), do you think the protocol is an appropriate solution for the 3-party problem presented? Could you improve on it, from any viewpoint, security or otherwise? Explain your answer. - Can you pass a general-security judgement on this protocol? E.g., do you think that "begin" message is a good idea? What if the signature of S is forgeable? (these are just some examples, but the idea is can you break this protocol, yourself, beyond what Scyther tells you? If not, can you make an argument as to why?)