CryptoVerif and Tamarin models, minor doc updates

Signed-off-by: Kamal Tufekcic <kamal@lo.sh>
2026-04-13 01:51:32 +03:00 · 2026-04-13 01:51:32 +03:00 · 3acaa0fa3f
commit 3acaa0fa3f
parent 9ba7ea2def
18 changed files with 2925 additions and 8 deletions
--- a/cryptoverif/LO_Ratchet_MsgSecrecy.cv
+++ b/cryptoverif/LO_Ratchet_MsgSecrecy.cv
@ -0,0 +1,44 @@
+(* LO-Ratchet: Message Key Secrecy (Theorem 3)
+ *
+ * Given a fresh epoch key ek (from Theorem 1 + KDF_Root), proves that
+ * message keys mk = KDF_MsgKey(ek, counter) are indistinguishable from
+ * random. Combined with AEAD security under random keys (standard
+ * composition via [BN00]), this gives full message secrecy.
+ *
+ * Reduces to: HMAC-SHA3-256 PRF.
+ *)
+
+param N_msg.
+
+(* ---------- Types ---------- *)
+
+type epoch_key [large, fixed].
+type msg_key [large, fixed].
+type counter [fixed].
+
+(* ---------- KDF_MsgKey as PRF ---------- *)
+
+proba P_prf.
+
+expand PRF_large(epoch_key, counter, msg_key, kdf_msgkey, P_prf).
+
+(* ---------- Security query ---------- *)
+
+query secret test_mk [cv_onesession].
+
+(* ---------- Channels ---------- *)
+
+channel c_start, c_ready, c_test_in, c_test_out.
+
+(* ---------- Process ---------- *)
+(* Single derivation: ek is fresh, derive mk at one counter.
+ * The PRF transformation replaces kdf_msgkey(ek, ctr) with a random value.
+ * No oracle needed — the PRF_large game handles multi-query internally. *)
+
+process
+  in(c_start, ());
+  new ek: epoch_key;
+  out(c_ready, ());
+  in(c_test_in, ctr: counter);
+  let test_mk: msg_key = kdf_msgkey(ek, ctr) in
+  out(c_test_out, ())