Before showing the main proposition that guarantees that the NSL protocol authenticates the initiator, we have to prove two lemmas stated in [2].
The first states that if $A$ and $B$ are honest and $A$ does not send the required message $\{|N_2|\}^a_{K_B}$ to $B$, then no other agent could ever do it either.
Lemma 5.3. Let:
• $A, B \in \mathit{Hon}$;
• $\mu$ be an NSL model;
• $\xi$ be a global state such that $\mu, \xi \Vdash @_B[\mathit{fresh}(N_2) \wedge \mathsf{F}\,\mathit{send}(\{|N_1; N_2; B|\}^a_{K_A}, A)]$;
• $IM_{N_2}$ be the set of messages that are $\{N_2, K_A^{-1}\}$-insecure or that contain $N_2$ outside a sub-message $\{|N_1; N_2; B|\}^a_{K_A}$.
For every global state $\xi' \supseteq \xi$, if
$\mu, \xi' \nVdash @_A[\mathsf{P}_{\circ}\,\mathit{send}(\{|N_2|\}^a_{K_B}, B)]$
then, for every $E \in \mathit{Princ}$ with $E \notin \{A, B\}$ and every message $M \in IM_{N_2}$ the following holds:
µ, ξ0 @Ch[
^
C,D∈P rinc
Proof. In the tableaux built for this proof, as well as for the proofs of the following results, we will use boxes to avoid repeating sub-tableaux in the figures.
Also, to avoid repeating the construction of very similar tableaux, the ones that prove this lemma can also be used to prove Lemma 5.5. This implies that some of their content is, in a certain way, abstract. For this reason, we should consult Table 5.1 and substitute the generalized judgments and sub-tableaux for the ones of the corresponding lemma. Specifically, for this lemma we should substitute $N^*$ by $N_2$, $H_{N^*}$ by $H_{N_2}$ and $TB_{N^*}$ by $TB_{N_2}$ whenever they appear.
To prove this lemma, we will resort to Proposition 2.13 (Global Invariance Rule) and being so, let us start the proof by the base case.
Base: $\xi = \xi'$
To prove the base case, we will suppose, by contradiction, that either $\mu, \xi \Vdash @_{Ch}[\bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M, D)]$ or $\mu, \xi \Vdash @_E[\mathit{knows}(M)]$, where $M$ is a certain message that belongs to $IM_{N_2}$. The tableau made for this proof is then closed and is depicted in Figure A.1.
But before considering the tableau itself, we have to establish that $(A, v_A)$, $(B, v_B)$, $(E, v_E)$, $(P, v_P)$ and $(Ch, v_{Ch})$ are compatible in the global state $\xi$, where $P$ is any principal such that $P \notin \{A, B, E\}$. As usual, in order to use the rule ($\neg$COMP), these compatibility assumptions are crucial.
With these conditions established, let us now make some observations regarding the not so obvious steps in the tableau.
Note that the hypothesis $(A, v_A) : \neg\mathsf{P}_{\circ}\,\mathit{send}(\{|N_2|\}^a_{K_B}, B)$ was not taken into account because it was not necessary to the development of the tableau. This will also be true in many cases of the induction step. For this lemma, the sub-tableau that follows TB1 is $TB1_{N_2}$, depicted in Figure A.2. In this tableau, $X$ and $Y$ are considered to be any principals, a consequence of applying twice the rule ($\bigvee$), as explained in the previous section.
The sub-tableau that follows is TB1.1, depicted in Figure A.4. In this tableau, the division into cases 1. and 2. is such that for the first one we substitute $X$ for $B$ (and that is why this branch continues with local states of the form $(B, v_B)$ and not $(X, v_X)$) and for the second one we can substitute $X$ by any principal of the set $SP$, which for this lemma is $\{A, E, P\}$ (and that is why the local states of the form $(X, v_X)$ are not substituted).
Note that since we are assuming that $M \in IM_{N_2}$, $M$ is such that $N_2 \in \mathit{cont}(M)$. In the first and second branches of case 1., we have that $(B, v_B - 1)$ does not know $M$ because $M$ contains $N_2$ and $N_2$ was only generated in $(B, v_B - 1)$.
A similar deduction was made to close the second branch in the main tableau TB1 (the case where we suppose that $(E, v_E)$ knows $M$) and to close the first and second branches of case 2. The only difference in these cases is that we were not dealing with principal $B$, which is the one that executed $\mathit{fresh}(N_2)$. Then, and since we established that $(A, v_A)$, $(B, v_B)$, $(E, v_E)$, and $(P, v_P)$ are compatible, we can apply the rule (RF2) to conclude that each state $(X, v_X)$, $X \in \{A, E, P\}$, can not know any message that contains $N_2$, and so can not know $M$.
possible superstate $\xi'' = \xi' \cup \{e\}$.
From axiom (P5) we conclude that $e$ can not be an event shared by two principals. At most, it can be shared with the channel. Therefore, we consider three distinct cases:
(i): $e \in Ev_A$
(ii): $e \in Ev_B$
(iii): $e \in Ev_E$
Like in the base case, the proofs will be done by contradiction, that is, we will suppose that either $\mu, \xi'' \Vdash @_{Ch}[\bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M', D)]$ or $\mu, \xi'' \Vdash @_E[\mathit{knows}(M')]$, where $M'$ is a certain message belonging to $IM_{N_2}$, and the tableaux that correspond to them are, naturally, closed. Since we suppose that (†) $\mu, \xi' \nVdash @_{Ch}[\bigwedge_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M, D)]$ and (‡) $\mu, \xi' \nVdash @_E[\mathit{knows}(M)]$, for every message $M \in IM_{N_2}$, then we also can establish without a doubt that $\mu, \xi' \nVdash @_{Ch}[\bigwedge_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M', D)]$ and $\mu, \xi' \nVdash @_E[\mathit{knows}(M')]$. This way, we do not have any universal quantifier in the judgments of the tableaux, which is consistent with the language allowed in the tableaux system.
The tableaux built to prove the different hypotheses of cases (i) and (ii) are the same, and so some of their content is, in a certain way, abstract. Specifically, to prove the different scenarios of case (i), we should substitute $I$ by $A$, whereas for case (ii), we substitute $I$ by $B$.
For cases (i) and (ii), note that $\xi'_E = \xi''_E$, since $e \notin Ev_E$.
• Case (i)
1. $\alpha_A(e) = \mathit{fresh}(N)$
For this case, the corresponding tableau for the proof is tableau T1 depicted in Figure 5.7. Prior to the tableau, we have to establish the following compatibility assumptions, like we did for the base case:
– $(A, v'_A)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(A, v'_A + 1)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi''$.
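Figure 5.7: Tableau T1 for the proof of cases (i)-1 and (ii)-1 of Lemmas 5.3 and 5.5. In linear form:
Initial judgments: $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, M', D)$; $(E, v'_E) : \neg\mathit{knows}(M')$; $(I, v'_I + 1) : \mathit{fresh}(N)$.
Left branch: $(Ch, v'_{Ch}) : \bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M', D)$, closed by (ABS).
Right branch: $(E, v'_E) : \mathit{knows}(M')$, closed by (ABS).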
In this case, the action associated with the event is a fresh action and so, by axiom (P6), it can not be shared with the channel. This is why the local state $(Ch, v'_{Ch})$ was considered to be also compatible with $(A, v'_A + 1)$ in $\xi''$, whereas in the following actions, which are shared with the channel, the local state $(Ch, v'_{Ch} + 1)$ is the one compatible with $(A, v'_A + 1)$ in $\xi''$.
And since we assume that $(Ch, v'_{Ch}) : \bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M', D)$, we can immediately close
Note also that the local state $(E, v'_E)$ is compatible with both $(A, v'_A)$ and $(A, v'_A + 1)$, because, for cases (i) and (ii), $\xi'_E = \xi''_E$, as mentioned above.
For the following scenarios 2 to 5 of case (i), we now have to assume the following compatibility assumptions:
– $(A, v'_A)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(A, v'_A + 1)$, $(E, v'_E)$ and $(Ch, v'_{Ch} + 1)$ are compatible in the global state $\xi''$.
2. $\alpha_A(e) = \mathit{rec}(M'')$
To prove this case, the corresponding tableau T2 is presented in Figure 5.8. The (UNIQ) rule can be applied because we have both an in and an out action holding for the local state $(Ch, v'_{Ch} + 1)$.
Figure 5.8: Tableau T2 for the proof of cases (i)-2 and (ii)-2 of Lemmas 5.3 and 5.5.
3. $\alpha_A(e) = \mathit{send}(\{|N_1^\circ; A|\}^a_{K_X}, X)$
For this case, the corresponding tableau for the proof is tableau T3 depicted in Figure A.5. For this lemma, the sub-tableau that follows T3 is T3.1, presented in Figure A.6. In this sub-tableau, at branch 2., the (UNIQ) rule can be applied because we have two different actions that hold for the local state $(Ch, v'_{Ch} + 1)$: the message $\{|N_1^\circ; A|\}^a_{K_X}$ does not belong to $IM_{N_2}$ and so is different from $M'$. The sub-tableau that follows branch 1. is T3.2A depicted in Figure A.7. Since we are considering the case $N_1^\circ = N_2$, we have that both $A$ and $B$ freshly generated $N_2$ and so the rule (FRESH2) can be used to close this branch.
4. $\alpha_A(e) = \mathit{send}(\{|N_1^\circ; N_2^\circ; A|\}^a_{K_X}, X)$
To prove this case, the corresponding tableau T4 is presented in Figure A.8.
For this lemma, the sub-tableau that follows T4 is $T4_{N_2}$, depicted in Figure A.10. In this sub-tableau, branch 1. is followed by T4.1A presented in Figure A.11. It is equal to T3.2A because we are considering that $N_2^\circ = N_2$ and so, once again, we have that both $A$ and $B$ freshly generated $N_2$. For branch 2., there is the need to subdivide it into two distinct cases:
2.1. $N_1^\circ = N_2$: the sub-tableau T4.3, depicted in Figure A.13, follows this sub-branch. $\{|N_2; X|\}^a_{K_A}$ is $\{N_2, K_A^{-1}\}$-secure, it contains $N_2$ outside a sub-message $\{|N_1; N_2; B|\}^a_{K_A}$ and so belongs to $IM_{N_2}$. This is why we can use the hypothesis (†) to assume in the beginning of the tableau that $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, \{|N^*; X|\}^a_{K_I}, D)$ (for this case, $N^* = N_2$ and $I = A$), which is fundamental to close this sub-tableau.
2.2. $N_1^\circ \neq N_2$: the message $\{|N_1^\circ; N_2^\circ; A|\}^a_{K_X}$ does not belong to $IM_{N_2}$ and so it is different from $M'$. Hence, the (UNIQ) rule can be applied because we have two different in actions that hold for the local state $(Ch, v'_{Ch} + 1)$.
5. $\alpha_A(e) = \mathit{send}(\{|N_2^\circ|\}^a_{K_X}, X)$
For this case, the corresponding tableau for the proof is tableau T5 presented in Figure A.14. In this case, we need to consider the judgment in brackets. It has to be ignored to prove case (ii) and Lemma 5.5.
The sub-tableau that follows the main one is T5.1 depicted in Figure A.15. In this tableau, branch 1. follows a similar reasoning as in T4.3. The main difference now is that we do not know if the message $\{|N_1^\circ; N_2; X|\}^a_{K_A}$ belongs to $IM_{N_2}$. We can observe immediately that it is $\{N_2, K_A^{-1}\}$-secure but we need to consider two distinct cases to come to a conclusion. They are presented in tableau T5.2A, presented in Figure A.16:
1. $N_1^\circ \neq N_1$ or $X \neq B$: the message $\{|N_1^\circ; N_2; X|\}^a_{K_A}$ contains $N_2$ outside the sub-message $\{|N_1; N_2; B|\}^a_{K_A}$ and so it belongs to $IM_{N_2}$. Therefore, we can use hypothesis (†) to initially acknowledge that $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, \{|N_1^\circ; N^*; X|\}^a_{K_I}, D)$ (for this case, $N^* = N_2$ and $I = A$), which leads to a contradiction and to the consequent closure of the tableau T5.2B, depicted in Figure A.16.
2. $N_1^\circ = N_1$ and $X = B$: since we are in the case where $N_2^\circ = N_2$ and now we have also that $X = B$, $\mathit{send}(\{|N_2|\}^a_{K_B}, B)$ holds for $(A, v'_A + 1)$, which is a contradiction to the initial assumption in brackets.
Also in tableau T5.1, at branch 2. where we consider $N_2^\circ \neq N_2$, the (UNIQ) rule can be applied as in the previous tableaux because we have two different in actions that hold for the local state $(Ch, v'_{Ch} + 1)$: $\{|N_2^\circ|\}^a_{K_X} \notin IM_{N_2}$ and so is different from $M'$.
• Case (ii)
1. $\alpha_B(e) = \mathit{fresh}(N)$
For this case, the proof is the same as for the case (i) - 1 and so the corresponding tableau is also depicted in Figure 5.7.
The equivalent compatibility assumptions that we now need to establish a priori are the following:
– $(B, v'_B)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(B, v'_B + 1)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi''$.
For the following scenarios 2 to 5 of case (ii), we need to establish the same compatibility assumptions as in case (i), but now for principal $B$:
– $(B, v'_B)$, $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(B, v'_B + 1)$, $(E, v'_E)$ and $(Ch, v'_{Ch} + 1)$ are compatible in the global state $\xi''$.
2. $\alpha_B(e) = \mathit{rec}(M')$
Likewise, the proof is the same as for the case (i) - 2 and so the corresponding tableau is presented in Figure 5.8.
3. $\alpha_B(e) = \mathit{send}(\{|N_1^\circ; B|\}^a_{K_X}, X)$
Likewise, the proof is similar to the case (i) - 3 and so the corresponding tableau is also depicted in Figure A.5. Since we are still proving Lemma 5.5, the sub-tableau that follows T3 is T3.1 (see Figure A.6). But now, for this case, the sub-tableau that follows T3.1 is $T3.2B_{N_2}$, presented in Figure A.7.
In this sub-tableau, the second branch of the trichotomy is closed because $B$ executed $\mathit{fresh}(N_2)$ both in an initiator run and a responder run. Since $B$ is an honest principal and we are considering an NSL model, we can use the rule (RH1) to close this branch. The other branches can be closed by rule (FRESH1) because $(B, v_B)$ and $(B, v^*_B)$ are distinct local states of agent $B$ that both freshly generate $N_2$.
4. $\alpha_B(e) = \mathit{send}(\{|N_1^\circ; N_2^\circ; B|\}^a_{K_X}, X)$
Like in the previous cases, the proof is similar to the case (i)-4 and so the corresponding tableau is also depicted in Figure A.8. The sub-tableau that follows T4 is, as expected, $T4_{N_2}$ (see Figure A.10) and the sub-tableau that follows its branch 1. is, for this case, $T4.1B_{N_2}$ presented in Figure A.12.
In this sub-tableau, the first and last branches of the trichotomy are closed for the same reason as in T3.2B. In the middle branch, we split it into two possible scenarios:
1. $X = A$ and $N_1^\circ = N_1$: in this case, the message $\{|N_1; N_2; A|\}^a_{K_A}$ does not belong to $IM_{N_2}$ and so it can not be $M'$, thus two different in actions hold for the local state $(Ch, v'_{Ch} + 1)$.
2. $X \neq A$ or $N_1^\circ \neq N_1$: in this case, $B$ freshly generates $N_2$ in two different runs, in which he plays the responder role at both, but in one he first receives $\{|N_1; A|\}^a_{K_B}$, while in the other he first receives $\{|N_1^\circ; X|\}^a_{K_B}$.
The sub-tableau that follows the sub-branch 2.1. in $T4_{N_2}$ is also T4.3 (see Figure A.13). In this case, we can immediately conclude that $\{|N_2; X|\}^a_{K_B} \in IM_{N_2}$ because it is not $\{N_2, K_A^{-1}\}$-secure and thus the initial judgment $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, \{|N^*; X|\}^a_{K_I}, D)$ is also correct for this case, where $N^* = N_2$ and $I = B$.
5. $\alpha_B(e) = \mathit{send}(\{|N_2^\circ|\}^a_{K_X}, X)$
Likewise, the proof is similar to the case (i) - 5 and so the corresponding tableau is also presented in Figure A.14, but now ignoring the judgment written in brackets, since the local state $(A, v'_A + 1)$ is not even defined in this case. The sub-tableau that follows the main one
The sub-tableau that follows T5.1 is, for this case, T5.2B (see Figure A.16). In this case, we easily conclude that the message $\{|N_1^\circ; N_2; X|\}^a_{K_B}$ is $\{N_2, K_A^{-1}\}$-insecure, thus belonging to $IM_{N_2}$. Hence, we can ignore the tableau T5.2A and conclude that the initial judgment $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, \{|N_1^\circ; N^*; X|\}^a_{K_I}, D)$ is also correct for this case, where $N^* = N_2$ and $I = B$.
• Case (iii)
Since we are assuming $e \in Ev_E$, the local state $(E, v'_E + 1)$ is now defined and so we can not close the branch where we suppose that $E$ knows $M'$, for $M' \in IM_{N_2}$, by using the same argument as in the previous cases. Semantically, we would resort to axiom (K). Since we wish to prove this case by using the tableaux system, we will use rule (RK) to close the mentioned branch. But for that, we need to prove that the complement of $IM_{N_2}$ is a closed set. Thus, let us prove the following proposition:
Proposition 5.4. $IM_{N_2} \cap \mathit{close}(\mathit{Msg} \setminus IM_{N_2}) = \emptyset$.
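Proof. Let us recall the definition of $IM_{N_2}$:
$IM_{N_2} = \{M \in \mathit{Msg} \mid M \text{ is } \{N_2, K_A^{-1}\}\text{-insecure or } M \text{ contains } N_2 \text{ outside the sub-message } \{|N_1; N_2; B|\}^a_{K_A}\}$.
Then,
$\mathit{Msg} \setminus IM_{N_2} = \{M \in \mathit{Msg} \mid M \text{ is } \{N_2, K_A^{-1}\}\text{-secure and } M \text{ does not contain } N_2 \text{ outside the sub-message } \{|N_1; N_2; B|\}^a_{K_A}\}$.
Note that:
1. Since $\{N_2, K_A^{-1}\}$ is a rational set, by Proposition 3.8, we can conclude that if $M \in \mathit{close}(\mathit{Msg} \setminus IM_{N_2})$, then $M$ is $\{N_2, K_A^{-1}\}$-secure;
2. $\{|N_1; N_2; B|\}^a_{K_A} \in \mathit{Msg} \setminus IM_{N_2}$. Then $\{|N_1; N_2; B|\}^a_{K_A} \in \mathit{close}(\mathit{Msg} \setminus IM_{N_2})$;
3. By 1., $K_A^{-1} \notin \mathit{close}(\mathit{Msg} \setminus IM_{N_2})$. Thus, the message $\{|N_1; N_2; B|\}^a_{K_A}$ can not be analysed and so, besides $\{|N_1; N_2; B|\}^a_{K_A}$, there is no message in $\mathit{close}(\mathit{Msg} \setminus IM_{N_2})$ that contains $N_2$.
Let us now suppose that there exists a message $M$ belonging to both $IM_{N_2}$ and $\mathit{close}(\mathit{Msg} \setminus IM_{N_2})$. By 1., we conclude that $M$ contains $N_2$ outside the sub-message $\{|N_1; N_2; B|\}^a_{K_A}$. But, by 3., that is not possible, and so $IM_{N_2} \cap \mathit{close}(\mathit{Msg} \setminus IM_{N_2}) = \emptyset$, that is, $\mathit{Msg} \setminus IM_{N_2} = \mathit{close}(\mathit{Msg} \setminus IM_{N_2})$.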
Note that, for this case, we need to consider the original assumption (‡), in order to apply the rule (RK). This assumption should not be used in the tableaux, since it contains a universal quantifier. But, as mentioned in Chapter 4, this quantifier is essential for the soundness of the rule, and so we will undervalue this detail.
1. $\alpha_E(e) = \mathit{fresh}(N)$
For this case, the corresponding tableau for the proof is depicted in Figure 5.9. The proof is similar to the one of case (i)-1 and so we have to establish the following compatibility assumptions:
– $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(E, v'_E + 1)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi''$.
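Figure 5.9: Tableau T6 for the proof of case (iii)-1 of Lemmas 5.3 and 5.5. In linear form:
Initial judgments: $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, M', D)$; $(E, v'_E) : \neg\mathit{knows}(M)$; $(E, v'_E + 1) : \mathit{fresh}(N)$.
Left branch: $(Ch, v'_{Ch}) : \bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M', D)$, closed by (ABS).
Right branch: $(E, v'_E + 1) : \mathit{knows}(M')$, closed by (RK).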
For the rightmost branch of the tableau, the rule (RK) can be applied because we have proved that the complement of $IM_{N_2}$ is a closed set and $N \notin IM_{N_2}$, since the only nonce that belongs to $IM_{N_2}$ is $N_2$ itself.
For the following scenarios 2 to 4 of case (iii), we also need to establish some compatibility assumptions, like we did for the previous cases:
– $(E, v'_E)$ and $(Ch, v'_{Ch})$ are compatible in the global state $\xi'$;
– $(E, v'_E + 1)$ and $(Ch, v'_{Ch} + 1)$ are compatible in the global state $\xi''$.
2. $\alpha_E(e) = \mathit{send}(M'', X)$
For this case, the corresponding tableau for the proof is tableau T7 presented in Figure 5.10. At branch 2., the rule (UNIQ) is used because, since we are assuming that $M' \neq M''$, we have that both actions $\mathit{in}(E, M'', X)$ and $\mathit{in}(Y, M', W)$, which are different, hold for the local state $(Ch, v'_{Ch} + 1)$.
3. $\alpha_E(e) = \mathit{rec}(M'')$
To prove this case, the corresponding tableau T8 is depicted in Figure A.17.
The leftmost branch can be closed by rule (UNIQ) because we have both an in and an out action holding for the local state $(Ch, v'_{Ch} + 1)$.
For branch 1., we should substitute $IM_{N^*}$ by $IM_{N_2}$. Thus, in this branch, we are in the case where $M'' \in IM_{N_2}$ and so we can also initially assume that $(Ch, v'_{Ch}) : \bigwedge_{C,D \in \mathit{Princ}} \neg\mathsf{P}_{\circ}\,\mathit{in}(C, M'', D)$, as a consequence of (†). As usual, where we apply the rule ($\bigvee$), we consider $X$ to be any principal.
For branch 2., we are in the conditions of applying rule (RK).
4. $\alpha_E(e) = \mathit{spy}(M'')$
For this case, the corresponding tableau for the proof is tableau T9 depicted in Figure A.18. The proof is practically the same as in 3. and so we will abstain from explaining the tableau.
Figure 5.10: Tableau T7 for the proof of case (iii)-2 of Lemmas 5.3 and 5.5.
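Generalized symbol $N^*$: $N_2$ for Lemma 5.3; $N_1^*$ for Lemma 5.5.
$H_{N^*}$:
– Lemma 5.3: $(B, v_B) : \mathit{fresh}(N_2) \wedge \mathsf{F}\,\mathit{send}(\{|N_1; N_2; B|\}^a_{K_A}, A)$
– Lemma 5.5: $(A, v_A) : \mathit{fresh}(N_2) \wedge \mathsf{F}\,\mathit{send}(\{|N_1; N_2; A|\}^a_{K_Z}, Z)$ and $(B, v_B) : \mathit{fresh}(N_1^*) \wedge \mathsf{F}\,\mathit{send}(\{|N_1^*; B|\}^a_{K_A}, A)$
$TB_{N^*}$ (application of rule ($\wedge$)):
– Lemma 5.3: $(B, v_B) : \mathit{fresh}(N_2)$ and $(B, v_B) : \mathsf{F}\,\mathit{send}(\{|N_1; N_2; B|\}^a_{K_A}, A)$
– Lemma 5.5: $(B, v_B) : \mathit{fresh}(N_1^*)$ and $(B, v_B) : \mathsf{F}\,\mathit{send}(\{|N_1^*; B|\}^a_{K_A}, A)$
Table 5.1: Table with the judgments and sub-tableaux to substitute in the main tableaux of the proofs of Lemmas 5.3 and 5.5.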
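The membership claims about $IM_{N_2}$ used in cases (i) and (ii) and in Proposition 5.4 can be checked mechanically; the following Python code is an added example, not part of the original text. The tuple encoding of messages and the definition of S-secure used in `is_secure` (every occurrence of an element of S lies under an encryption whose inverse key is in S) are assumptions, since this page does not restate that definition.

```python
# Added example: messages are nested tuples (a constructed encoding).
def nonce(n): return ("nonce", n)
def agent(a): return ("agent", a)
def pub(a): return ("pub", a)      # K_a
def priv(a): return ("priv", a)    # K_a^{-1}
def aenc(key, *parts):             # {|p1; ...; pn|}^a_key
    return ("aenc", key, ("cat",) + parts)

def inverse(key):
    kind, owner = key
    return ("priv" if kind == "pub" else "pub", owner)

def is_secure(m, s):
    # ASSUMPTION (definition not restated on the page): m is S-secure when
    # every occurrence of an element of S lies under an encryption whose
    # inverse (decryption) key is itself in S.
    if m[0] == "aenc":
        return inverse(m[1]) in s or is_secure(m[2], s)
    if m[0] == "cat":
        return all(is_secure(p, s) for p in m[1:])
    return m not in s

def occurs_outside(m, atom, allowed):
    # True if `atom` occurs in m somewhere other than inside a copy of `allowed`.
    if m == allowed:
        return False
    if m == atom:
        return True
    if m[0] == "aenc":
        return occurs_outside(m[2], atom, allowed)
    if m[0] == "cat":
        return any(occurs_outside(p, atom, allowed) for p in m[1:])
    return False

N1, N2 = nonce("N1"), nonce("N2")
S = {N2, priv("A")}                            # {N2, K_A^{-1}}
ALLOWED = aenc(pub("A"), N1, N2, agent("B"))   # {|N1; N2; B|}^a_{K_A}

def in_im_n2(m):
    # Definition of IM_{N2} as recalled in the proof of Proposition 5.4.
    return (not is_secure(m, S)) or occurs_outside(m, N2, ALLOWED)

def classify():
    # Constructed sample messages; N1o, N2o, X stand for N1°, N2°, X != B.
    n1o, n2o, x = nonce("N1o"), nonce("N2o"), agent("X")
    samples = {
        "{|N2;X|}_KA": aenc(pub("A"), N2, x),               # case (i)-4, 2.1
        "{|N1o;N2o;A|}_KX": aenc(pub("X"), n1o, n2o, agent("A")),  # 2.2
        "{|N1o;N2;X|}_KA": aenc(pub("A"), n1o, N2, x),      # case (i)-5, 1.
        "{|N1;N2;B|}_KA": ALLOWED,                          # Prop. 5.4, item 2
        "{|N2;X|}_KB": aenc(pub("B"), N2, x),               # case (ii)-4
        "{|N1o;N2;X|}_KB": aenc(pub("B"), n1o, N2, x),      # case (ii)-5
        "{|N2o|}_KX": aenc(pub("X"), n2o),                  # T5.1, branch 2.
    }
    return {name: in_im_n2(m) for name, m in samples.items()}

if __name__ == "__main__":
    for name, member in classify().items():
        print(f"{name:18s} in IM_N2: {member}")
```
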
The next lemma states that if an honest agent is playing the responder role in two different protocol runs, one initiated by an honest agent and the other one by the intruder, then it will not mix the relevant data of the two runs.
Lemma 5.5. Let:
• $A, B \in \mathit{Hon}$;
• $\mu$ be an NSL model;
• $\zeta$ be a global state such that $\mu, \zeta \Vdash @_A[\mathit{fresh}(N_2) \wedge \mathsf{F}\,\mathit{send}(\{|N_1; N_2; A|\}^a_{K_Z}, Z)]$;
• $\xi$ be a global state such that $\mu, \xi \Vdash @_B[\mathit{fresh}(N_1^*) \wedge \mathsf{F}\,\mathit{send}(\{|N_1^*; B|\}^a_{K_B}, A)]$;
• $IM_{N_1^*}$ be the set of messages that are $\{N_1^*, K_A^{-1}, K_B^{-1}\}$-insecure or that contain $\{|N_1^*; N_2; A|\}^a_{K_B}$ or $\{|N_1^*; X|\}^a_{K_Y}$ with $X \neq B$ or $Y \neq A$, or $\{|N; N_1^*; X|\}^a_{K_Y}$ with any $N$, $X$, $Y$.
For every global state $\xi' \supseteq \xi$, every $E \in \mathit{Princ}$ with $E \notin \{A, B\}$ and every message $M \in IM_{N_1^*}$ the following holds: $\mu, \xi' \nVdash @_{Ch}[\bigwedge_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M, D)]$ and $\mu, \xi' \nVdash @_E[\mathit{knows}(M)]$.
The original lemma in [2] stated that $\mu, \xi' \nVdash @_{Ch}[\bigwedge_{C,D \in \mathit{Princ}} \mathit{in}(C, M, D)]$. We included the past in the formula so that we could reason by induction and prove the result using the tableau system. If we did not modify the formula, we would not know if for a global state between $\xi$ and $\xi'$ there could be an in action for the channel that includes a message in $IM_{N_1^*}$. By induction, we immediately conclude that there can not be and so the simplest and equivalent solution is to include the past in the property. The only question is that we are in fact stating that even for a state $\xi^*$ smaller than $\xi$ we have $\mu, \xi^* \nVdash @_{Ch}[\bigwedge_{C,D \in \mathit{Princ}} \mathit{in}(C, M, D)]$, which is redundant, in the sense that $N_1^*$ has not yet been generated and so no principal could ever have sent a message containing $N_1^*$.
Proof. The proof of this lemma is very similar to the proof of Lemma 5.3. Being so, we will also prove this new lemma by induction, resorting to Proposition 2.13, and, as mentioned above, we can use the tableaux built to prove the previous lemma for this proof, just by consulting Table 5.1 and substituting the generalized judgments and sub-tableaux for the ones corresponding to this lemma. Specifically, we should now substitute $N^*$ by $N_1^*$, $H_{N^*}$ by $H_{N_1^*}$ and $TB_{N^*}$ by $TB_{N_1^*}$, whenever they appear. We will not repeat the arguments to justify the same steps in the tableaux. Instead, we will only clarify the differences between the proofs.
Base: $\xi = \xi'$
Like we did for the proof of the base case of Lemma 5.3, we will suppose, by contradiction, that either $\mu, \xi \Vdash @_{Ch}[\bigvee_{C,D \in \mathit{Princ}} \mathsf{P}_{\circ}\,\mathit{in}(C, M, D)]$ or $\mu, \xi \Vdash @_E[\mathit{knows}(M)]$, where $M$ is a message that belongs to $IM_{N_1^*}$. The corresponding tableau is also tableau TB1 (see Figure A.1).
We also have to establish a priori the following compatibility assumption: $(B, v_B)$, $(E, v_E)$, $(P, v_P)$ and $(Ch, v_{Ch})$ are compatible in a global state $\xi$, where $P$ is any principal such that $P \notin \{B, E\}$.
For this lemma, the sub-tableau that follows TB1 is $TB1_{N_1^*}$, depicted in Figure A.3. The sub-tableau that follows is also TB1.1 (see Figure A.4), but now we have that $SP = \{A, E, P\}$. The remaining arguments that justify the steps in this last tableau are the same as in the proof of Lemma 5.3, with the obvious difference that now $M$ is such that $N_1^* \in \mathit{cont}(M)$ and so the arguments should be adapted to the nonce $N_1^*$, instead of $N_2$.