add proverif analysis of Rosenpass, the protocol

The analysis was conducted as joint effort between @koraa and @blipp. Co-authored-by: Benjamin Lipp <blipp@mailbox.org>
2026-02-27 22:13:12 -08:00 · 2023-02-23 20:18:35 +01:00
parent 2a917de6d8
commit 137cd5e85a
21 changed files with 1242 additions and 0 deletions
--- a/analysis/crypto/kem.mpv
+++ b/analysis/crypto/kem.mpv
@@ -0,0 +1,28 @@
+#pragma once
+#include "prelude/basic.mpv"
+#include "prelude/bits.mpv"
+#include "crypto/key.mpv"
+#include "crypto/setup.mpv"
+@module kem
+
+type kem_sk.
+type kem_pk.
+
+fun kem_pub(kem_sk) : kem_pk.
+fun kem_enc(kem_pk, key) : bits.
+fun kem_dec(kem_sk, bits) : key
+  reduc forall sk:kem_sk, shk:key;
+    kem_dec(sk, kem_enc(kem_pub(sk), shk)) = shk.
+
+fun kem_pk2b(kem_pk) : bits [typeConverter].
+
+const kem_sk0:kem_sk.
+letfun kem_pk0 = kem_pub(kem_sk0).
+
+#if FULL_MODEL
+fun kem_keyeq(bits, bits) : bool
+  reduc forall k:kem_pk, pt1:key, pt2:key;
+    kem_keyeq(kem_enc(k, pt1), kem_enc(k, pt2)) = true
+  otherwise forall k1:kem_pk, pt1:key, k2:kem_pk, pt2:key;
+    kem_keyeq(kem_enc(k1, pt1), kem_enc(k2, pt2)) = false.
+#endif