From 6992c4b2a01baadd9db649c47f80a292d79cee4f Mon Sep 17 00:00:00 2001 From: Kamal Tufekcic Date: Thu, 23 Apr 2026 08:03:02 +0300 Subject: [PATCH] Add paper, more minor doc updates Signed-off-by: Kamal Tufekcic --- Abstract.md | 14 +- Cargo.toml | 2 +- README.md | 1 + fuzz_overnight.sh | 1 + soliton.tex | 2223 +++++++++++++++++ soliton/fuzz/Cargo.lock | 2 +- .../fuzz/corpus/fuzz_auth_respond/valid_ct | 2 +- .../valid_first_msg | 2 +- .../0792446e9e4e302ef86828be9e266fc1b4de4407 | 3 + .../164fd078f9a0ba81f8d916617ade549e2389f89d | 3 + .../2284aab09f260f3ea2a36303e8e4b8c022faa1ff | 3 + .../22ef1d4d7b042ff205815af958bde3c619157361 | 3 + .../3d1234355041aae78f70de42de8515a921c9073d | 3 + .../8ce24fc0ea8e685eb23bf6346713ad9fef920425 | 3 + .../91ac28edf4ce92b1fe9d9f83cd5447d067a4b366 | 3 + .../b3b28f02b153220e7d1bf1b19dbb32363b926181 | 3 + .../d081c37090c6c163e1ed6b7f27c34d61f5437606 | 3 + .../df4e1459fc34e72f44fd348ae97abd055d253d52 | 3 + .../f421c2fbfd6ff080108402148f2cfa0a41715290 | 3 + .../fuzz_dm_queue_decrypt_blob/truncated | 2 +- .../valid_compressed | 2 +- .../valid_uncompressed | 2 +- .../corpus/fuzz_ed25519_verify/bad_sig_bit | 2 +- .../corpus/fuzz_ed25519_verify/valid_verify | 2 +- .../bad_ed25519_valid_mldsa | 2 +- .../valid_ed25519_bad_mldsa | 2 +- .../corpus/fuzz_hybrid_verify/valid_empty_msg | 2 +- .../corpus/fuzz_hybrid_verify/valid_hybrid | 2 +- .../corpus/fuzz_identity_from_bytes/valid_pk | 2 +- .../corpus/fuzz_identity_from_bytes/valid_sk | 2 +- .../068ac00ab22fa1a60aa534c312c8e50c4d49c293 | 3 + .../123ef33e2b797f8f691b1d38501f33fbcc7428ea | 3 + .../3a466d29221a816c5a2c7cc403caaa6058da0143 | 3 + .../622ba87343a75abf20a2b47e503c9cfc557822f7 | 3 + .../6ed2aa32781ba0300c5a8e887854897f8da5aa03 | 3 + .../78415fd588c0775cb41f15532ec2feab43a84f0b | 3 + .../7e06b1ca802a48c717192f5906d9724df8f4423f | 3 + .../933c356b95dd3aec979dbca14628d76b7f03aabc | 3 + .../9e5555573e86bab555e5879f82be85031ef53de2 | 3 + .../b9b60eb1c690d52bf2d9fadb4aa253acfd5b1849 | 3 + .../c1972705930bee9c59e74f1a367428eac8aa3ea5 | 3 + .../ef1f885b68be35ca8a8ecad0e9f3bf293f8ad612 | 3 + .../fuzz_kex_decode_receive/valid_no_opk | 2 +- .../fuzz_kex_decode_receive/valid_with_opk | 2 +- .../valid_session_init | 2 +- .../2083a2d5ca212265737c337805dc0a2a3ba38bdb | 3 + .../2a4c2ce2861863836fe11076593564c281c82a2b | 3 + .../4d87ca00dda28364820502e7ae87c5ec5703d5fd | 3 + .../54b5169e3a98f60c11086985f87b36cc9e1b529d | 3 + .../5cb54aa75193f2ede647bb831889181f91e0e7dd | 3 + .../611d79ee838e3109fcf297595cf049555678e2ed | 3 + .../83ce312925d8c34813ba41830570d90873deb7e4 | 3 + .../c399af33f77df1669d76eefc76d6abea0f5b07d6 | 3 + .../fuzz_kex_verify_bundle/valid_structure | 2 +- .../corpus/fuzz_ratchet_decrypt/no_kem_ct | 2 +- .../fuzz_ratchet_decrypt/valid_alice_msg | 2 +- .../04b583bc161eae07ab697905c95ab9fc8f1cb6cf | 3 + .../0b118fc5aa22794801b852d157f950e4b785e0cf | 3 + .../2b208bc47a3b0546ab242c9d804a5a19165e59fe | 3 + .../41f47a9762e7db3c42dee702eac270cd7a08dadf | 3 + .../44f23709d3a8d9af97993ce7e73cf968c04ed870 | 3 + .../4e4febc203227d20267fc5f6c678b14794167838 | 3 + .../5ebb3cd0d049b76db9146ec7870a8fce7b117291 | 3 + .../a2b2085fcf0bb1e3aae058d013c645cefa184477 | 3 + .../a54fcd4af3a9756925dfa779fb6d25c20bf0dacc | 3 + .../df700ef114d57ae1279256f09605805c37f137a4 | 3 + .../f14581242f48b7f0f4c51c7f2be0b24783c410e8 | 3 + .../out_of_order_late | 2 +- .../true_duplicate | 2 +- .../valid_ratchet_step | 2 +- .../valid_same_chain | 2 +- .../04689513a7bb7518164587f0b9e482c339b2ce25 | 3 + .../0917b7a375b1dc3bc199adef752ddc4af013063a | 3 + .../0be2817fe6131cafa25f9adef6a2876e4a5158d0 | 3 + .../16687b309b81f17dc64135e0ce92166f7a1bbc5a | 3 + .../17067c6ab32c699b7a6ccae3f24141f8dc804482 | 3 + .../1774072963e3ec198b496e12094ebfeb441501ba | 3 + .../269638500e7164650bb3fccf91b3fbc6cd782938 | 3 + .../32283e4d4176989edfd698324e69ba74eeb723ed | 3 + .../42def3847649bb75539696c104b001f7fc444b56 | 3 + .../4a97e82e63ec5e8323f53af62d80c7374c6c63e2 | 3 + .../655957cb10a43d01f4c89427850fa8d8e94907ca | 3 + .../665b8b9b6dcb3e14ceaca3349129a25b310f4d7a | 3 + .../743fe7b293ed0ddbdf4c33f254b61f5e278b5df0 | 3 + .../75b668a3fbb449d1fa055c151371fcd72ffae4ad | 3 + .../7febd267420a7eb45f9c3aaee9f5d3e61fe020e6 | 3 + .../80f4a02693e83cca78db8daccc4f3d4681a3569c | 3 + .../88195877b37b5bf195c9dfa20d3e5551c1a0fe4a | 3 + .../9c6bf5bcbd2f1fd583478c053635a7529f68eb9a | 3 + .../9cac935648018df895d2af285e7808e46fa07c53 | 3 + .../9d9ddfdf05cfc8a6666f68c6760cc403743c5e42 | 3 + .../a8e8183d7d651c83596f4281893c0ac11afe3c7b | 3 + .../corpus/fuzz_ratchet_encrypt/alice_init | 2 +- .../corpus/fuzz_ratchet_encrypt/alice_pending | 2 +- .../b2d4e16f69672f8ed52a5c32d0851967b9e8735b | 3 + .../corpus/fuzz_ratchet_encrypt/bob_exchanged | 2 +- .../fuzz/corpus/fuzz_ratchet_encrypt/bob_init | 2 +- .../c0f48c22ac733accf694be1cecfe539a9ba4266a | 3 + .../c7892ff4f73fd08d733d0f16abcedbaa15c35c94 | 3 + .../c7bd3243312d34a1f432b854e9f8eae8c59cde74 | 3 + .../d76b68fa3c611301f175690d476a95e8f3cc7d96 | 3 + .../dec8da52d24aa96e1acccd8993cac40fb2fb9386 | 3 + .../e1a4516b7e53a5c060d9299c8c9599c9fec21180 | 3 + .../e55e53ab95010357f6fb38968f61d494a432ee60 | 3 + .../e7183ecd97ee049b6036746067e42a34b437c5d5 | 3 + .../ee5475f37f25dc12f7513c4b2f81962829715775 | 3 + .../fuzz_ratchet_encrypt/near_exhausted | 2 +- .../17cd25351e26aa472f453714a59f507b97580f60 | 3 + .../420fcc1244c027ef31f686676cc76866b8a2c44e | 3 + .../47cea8c6dcdcb3d6a79eb106ad0e441edd97d5dc | 3 + .../605ce38a081ebee9888a5df7542b9785a465f79f | 3 + .../67d8113ef1877ad5cbd6d115e34947b4f120e69e | 3 + .../8684b01e0f5125cc689ca1738e73327ec29b0823 | 3 + .../a0756571c0412355735b5fa216b04b35b0cbc75e | 3 + .../d6732238b415a089c23ab724dc0dda09f2dec182 | 3 + .../e4510675f17d62b1a4c36d907f51d9d743a0b38f | 3 + .../e65903d764148506a2ae69d568b62b4fa72b91e3 | 3 + .../epoch_too_low | 2 +- .../fc984eb799eb4e6894d32698d885ecfed4ad6da6 | 3 + .../fuzz_ratchet_from_bytes_epoch/max_epoch | 2 +- .../valid_epoch_0 | 2 +- .../1d1fbed42b15c0df3226c37ee01efeeb52b73811 | 3 + .../21a986b47c13b1a000b87f138f8f51b474170ca2 | 3 + .../49c43ecd0f5bcadeef0f9f56ae2909d240b21d84 | 3 + .../4a30b017bf7133aaaebcaca46abb791045642773 | 3 + .../4df99d4b875ae90b210d2cf642ae73477f435076 | 3 + .../507c6bbff4c5a2142afecce5db11511e6bce72ae | 3 + .../518d4ea75f4a0b348b343f20ee152cc479da595e | 3 + .../59956e9a30dcb2c1d41aaaa679923074b16f6175 | 3 + .../81f7210342b479724af66ac5f8ff502ce32310d0 | 3 + .../84b320fb84396f0dc9139f9eb61c11cabcb35fea | 3 + .../8644d11338ba2a2cc82b87e254c2c45cd880152d | 3 + .../fuzz_ratchet_roundtrip/alice_exchanged | 2 +- .../corpus/fuzz_ratchet_roundtrip/alice_init | 2 +- .../fuzz_ratchet_roundtrip/bob_exchanged | 2 +- .../corpus/fuzz_ratchet_roundtrip/bob_init | 2 +- .../c454e0d2f4915e355e6b80bc6dd8a483a11ad39f | 3 + .../c7b53c89dc0929106ddae7e27c9d691c7671ffbe | 3 + .../dea34a9a71dbc40f4aebb6d1c8e995e39d951a6f | 3 + .../ed50787268f92d89abc67eedfaa04cf918c99f08 | 3 + .../eed29554ea909bb059a93cc73d042eb67ded9284 | 3 + .../f389401c788a63598667a84534dd73e80e85e29f | 3 + .../f9afd0c9fba141db681fbfc163fbe5c3a3800b90 | 3 + .../225ed62055a76cbf5a855d5c2cc47f203ca62f03 | 3 + .../3a30b06c52e20cdd754b86d025aaa32f2b2a0d18 | 3 + .../411d140f8bf8f4a8b5e5821b185c5c7bcc12faed | 3 + .../4337a79adf15750bebbee124c02ec505edf95924 | 3 + .../e2dfc033ab7eea543dd046382e0c1e2a59e465ed | 3 + .../ea3d54253bed94f46635e3b8903789d5a0213259 | 3 + .../fuzz_session_init_roundtrip/truncated_1 | 2 +- .../fuzz_session_init_roundtrip/valid_no_opk | 2 +- .../valid_with_opk | 2 +- .../254a55e6ac09d08eec781bf9783781b49a03fafe | 3 + .../32e131568edb7e560cac230264e090f11295fd65 | 3 + .../393ab93a18db07a5e69641cb1ac1243268529609 | 3 + .../6291ada0c4b6934bde934e25d7288aefccd7e311 | 3 + .../67fabcc6fbb37464a01f39f71e6c184c108a8a27 | 3 + .../72be2fd2ffce48d92d93241a2ee51e35a75bb580 | 3 + .../8c1e6ab4270792c51304ea06f47dc20ce51ba57b | 3 + .../fuzz_storage_decrypt_blob/bad_flags | 2 +- .../e0f12cebce606cc8e3e8a60e2377fe50ef1cc3f5 | 3 + .../e8e14349181aa32d57e39cd3af6a825c10d03222 | 3 + .../fuzz_storage_decrypt_blob/unknown_version | 2 +- .../valid_compressed | 2 +- .../valid_uncompressed | 2 +- .../fuzz_storage_decrypt_blob/valid_version2 | 2 +- .../fuzz_storage_decrypt_blob/valid_version3 | 2 +- .../fuzz_stream_decrypt/single_compressed | 2 +- .../fuzz_stream_decrypt/single_uncompressed | 2 +- .../fuzz_stream_decrypt_at/single_chunk_idx0 | 2 +- .../fuzz_verification_phrase/two_real_pks | 2 +- .../fuzz_xwing_roundtrip/mode_a_valid_ct | 2 +- soliton_capi/fuzz/Cargo.lock | 4 +- .../valid_no_opk | 2 +- .../valid_with_opk | 2 +- .../518de1210d825ad0a156f42b45a1f26e3f2f5164 | 3 + .../a8400c34a55cd824a934bc9039c0faac3ab20c4c | 3 + .../fuzz_capi_dm_queue_decrypt/invalid_fp_len | 2 +- .../valid_compressed | 2 +- .../105dfdd85cb7b557ca16c67cae63030ab39390b6 | 3 + .../13c724f130634a617fe2b48c915160f3e14db4a0 | 3 + .../1589ff28a104bbd981ac270e2eff069329986b61 | 3 + .../40363b7a8744c03c27f65c1d5816e65766719aeb | 3 + .../442a7e8d85a646ab2755f05178aafbcac5072a9b | 3 + .../68c937e9130da68b8d862ed640f224ffe546e11e | 3 + .../fuzz_capi_ratchet_from_bytes/alice_init | 2 +- .../fuzz_capi_ratchet_from_bytes/bob_init | 2 +- .../d5b3ba86052817a36e8fe5207a107869e5a1423c | 3 + .../f3de7ca01c49b11926e45d717d6a7699320218be | 3 + .../0829c17ba2f706c66001aa4462316d890a2aebe6 | 3 + .../fuzz_capi_storage_decrypt/bad_flags | 2 +- .../dde7aa5a3d9db2fc6e2bcbe681f51a78d17fcd92 | 3 + .../fuzz_capi_storage_decrypt/unknown_version | 2 +- .../valid_compressed | 2 +- .../valid_uncompressed | 2 +- .../single_uncompressed | 2 +- .../fuzz_capi_stream_decrypt_at/index_0_final | 2 +- .../index_max_minus_1 | 2 +- 198 files changed, 2685 insertions(+), 73 deletions(-) create mode 100644 soliton.tex create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/0792446e9e4e302ef86828be9e266fc1b4de4407 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/164fd078f9a0ba81f8d916617ade549e2389f89d create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/2284aab09f260f3ea2a36303e8e4b8c022faa1ff create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/22ef1d4d7b042ff205815af958bde3c619157361 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/3d1234355041aae78f70de42de8515a921c9073d create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/8ce24fc0ea8e685eb23bf6346713ad9fef920425 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/91ac28edf4ce92b1fe9d9f83cd5447d067a4b366 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/b3b28f02b153220e7d1bf1b19dbb32363b926181 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/d081c37090c6c163e1ed6b7f27c34d61f5437606 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/df4e1459fc34e72f44fd348ae97abd055d253d52 create mode 100644 soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/f421c2fbfd6ff080108402148f2cfa0a41715290 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/068ac00ab22fa1a60aa534c312c8e50c4d49c293 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/123ef33e2b797f8f691b1d38501f33fbcc7428ea create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/3a466d29221a816c5a2c7cc403caaa6058da0143 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/622ba87343a75abf20a2b47e503c9cfc557822f7 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/6ed2aa32781ba0300c5a8e887854897f8da5aa03 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/78415fd588c0775cb41f15532ec2feab43a84f0b create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/7e06b1ca802a48c717192f5906d9724df8f4423f create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/933c356b95dd3aec979dbca14628d76b7f03aabc create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/9e5555573e86bab555e5879f82be85031ef53de2 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/b9b60eb1c690d52bf2d9fadb4aa253acfd5b1849 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/c1972705930bee9c59e74f1a367428eac8aa3ea5 create mode 100644 soliton/fuzz/corpus/fuzz_identity_sign_verify/ef1f885b68be35ca8a8ecad0e9f3bf293f8ad612 create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/2083a2d5ca212265737c337805dc0a2a3ba38bdb create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/2a4c2ce2861863836fe11076593564c281c82a2b create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/4d87ca00dda28364820502e7ae87c5ec5703d5fd create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/54b5169e3a98f60c11086985f87b36cc9e1b529d create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/5cb54aa75193f2ede647bb831889181f91e0e7dd create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/611d79ee838e3109fcf297595cf049555678e2ed create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/83ce312925d8c34813ba41830570d90873deb7e4 create mode 100644 soliton/fuzz/corpus/fuzz_kex_verify_bundle/c399af33f77df1669d76eefc76d6abea0f5b07d6 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/04b583bc161eae07ab697905c95ab9fc8f1cb6cf create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/0b118fc5aa22794801b852d157f950e4b785e0cf create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/2b208bc47a3b0546ab242c9d804a5a19165e59fe create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/41f47a9762e7db3c42dee702eac270cd7a08dadf create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/44f23709d3a8d9af97993ce7e73cf968c04ed870 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/4e4febc203227d20267fc5f6c678b14794167838 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/5ebb3cd0d049b76db9146ec7870a8fce7b117291 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a2b2085fcf0bb1e3aae058d013c645cefa184477 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a54fcd4af3a9756925dfa779fb6d25c20bf0dacc create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/df700ef114d57ae1279256f09605805c37f137a4 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/f14581242f48b7f0f4c51c7f2be0b24783c410e8 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/04689513a7bb7518164587f0b9e482c339b2ce25 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/0917b7a375b1dc3bc199adef752ddc4af013063a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/0be2817fe6131cafa25f9adef6a2876e4a5158d0 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/16687b309b81f17dc64135e0ce92166f7a1bbc5a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/17067c6ab32c699b7a6ccae3f24141f8dc804482 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/1774072963e3ec198b496e12094ebfeb441501ba create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/269638500e7164650bb3fccf91b3fbc6cd782938 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/32283e4d4176989edfd698324e69ba74eeb723ed create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/42def3847649bb75539696c104b001f7fc444b56 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/4a97e82e63ec5e8323f53af62d80c7374c6c63e2 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/655957cb10a43d01f4c89427850fa8d8e94907ca create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/665b8b9b6dcb3e14ceaca3349129a25b310f4d7a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/743fe7b293ed0ddbdf4c33f254b61f5e278b5df0 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/75b668a3fbb449d1fa055c151371fcd72ffae4ad create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/7febd267420a7eb45f9c3aaee9f5d3e61fe020e6 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/80f4a02693e83cca78db8daccc4f3d4681a3569c create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/88195877b37b5bf195c9dfa20d3e5551c1a0fe4a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/9c6bf5bcbd2f1fd583478c053635a7529f68eb9a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/9cac935648018df895d2af285e7808e46fa07c53 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/9d9ddfdf05cfc8a6666f68c6760cc403743c5e42 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/a8e8183d7d651c83596f4281893c0ac11afe3c7b create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/b2d4e16f69672f8ed52a5c32d0851967b9e8735b create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/c0f48c22ac733accf694be1cecfe539a9ba4266a create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7892ff4f73fd08d733d0f16abcedbaa15c35c94 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7bd3243312d34a1f432b854e9f8eae8c59cde74 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/d76b68fa3c611301f175690d476a95e8f3cc7d96 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/dec8da52d24aa96e1acccd8993cac40fb2fb9386 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/e1a4516b7e53a5c060d9299c8c9599c9fec21180 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/e55e53ab95010357f6fb38968f61d494a432ee60 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/e7183ecd97ee049b6036746067e42a34b437c5d5 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_encrypt/ee5475f37f25dc12f7513c4b2f81962829715775 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/17cd25351e26aa472f453714a59f507b97580f60 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/420fcc1244c027ef31f686676cc76866b8a2c44e create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/47cea8c6dcdcb3d6a79eb106ad0e441edd97d5dc create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/605ce38a081ebee9888a5df7542b9785a465f79f create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/67d8113ef1877ad5cbd6d115e34947b4f120e69e create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/8684b01e0f5125cc689ca1738e73327ec29b0823 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/a0756571c0412355735b5fa216b04b35b0cbc75e create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/d6732238b415a089c23ab724dc0dda09f2dec182 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e4510675f17d62b1a4c36d907f51d9d743a0b38f create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e65903d764148506a2ae69d568b62b4fa72b91e3 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/fc984eb799eb4e6894d32698d885ecfed4ad6da6 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/1d1fbed42b15c0df3226c37ee01efeeb52b73811 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/21a986b47c13b1a000b87f138f8f51b474170ca2 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/49c43ecd0f5bcadeef0f9f56ae2909d240b21d84 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4a30b017bf7133aaaebcaca46abb791045642773 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4df99d4b875ae90b210d2cf642ae73477f435076 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/507c6bbff4c5a2142afecce5db11511e6bce72ae create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/518d4ea75f4a0b348b343f20ee152cc479da595e create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/59956e9a30dcb2c1d41aaaa679923074b16f6175 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/81f7210342b479724af66ac5f8ff502ce32310d0 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/84b320fb84396f0dc9139f9eb61c11cabcb35fea create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/8644d11338ba2a2cc82b87e254c2c45cd880152d create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c454e0d2f4915e355e6b80bc6dd8a483a11ad39f create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c7b53c89dc0929106ddae7e27c9d691c7671ffbe create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/dea34a9a71dbc40f4aebb6d1c8e995e39d951a6f create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/ed50787268f92d89abc67eedfaa04cf918c99f08 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/eed29554ea909bb059a93cc73d042eb67ded9284 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f389401c788a63598667a84534dd73e80e85e29f create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f9afd0c9fba141db681fbfc163fbe5c3a3800b90 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/225ed62055a76cbf5a855d5c2cc47f203ca62f03 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/3a30b06c52e20cdd754b86d025aaa32f2b2a0d18 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/411d140f8bf8f4a8b5e5821b185c5c7bcc12faed create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/4337a79adf15750bebbee124c02ec505edf95924 create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/e2dfc033ab7eea543dd046382e0c1e2a59e465ed create mode 100644 soliton/fuzz/corpus/fuzz_ratchet_state_machine/ea3d54253bed94f46635e3b8903789d5a0213259 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/254a55e6ac09d08eec781bf9783781b49a03fafe create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/32e131568edb7e560cac230264e090f11295fd65 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/393ab93a18db07a5e69641cb1ac1243268529609 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/6291ada0c4b6934bde934e25d7288aefccd7e311 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/67fabcc6fbb37464a01f39f71e6c184c108a8a27 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/72be2fd2ffce48d92d93241a2ee51e35a75bb580 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/8c1e6ab4270792c51304ea06f47dc20ce51ba57b create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e0f12cebce606cc8e3e8a60e2377fe50ef1cc3f5 create mode 100644 soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e8e14349181aa32d57e39cd3af6a825c10d03222 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/518de1210d825ad0a156f42b45a1f26e3f2f5164 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/a8400c34a55cd824a934bc9039c0faac3ab20c4c create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/105dfdd85cb7b557ca16c67cae63030ab39390b6 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/13c724f130634a617fe2b48c915160f3e14db4a0 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/1589ff28a104bbd981ac270e2eff069329986b61 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/40363b7a8744c03c27f65c1d5816e65766719aeb create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/442a7e8d85a646ab2755f05178aafbcac5072a9b create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/68c937e9130da68b8d862ed640f224ffe546e11e create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/d5b3ba86052817a36e8fe5207a107869e5a1423c create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/f3de7ca01c49b11926e45d717d6a7699320218be create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/0829c17ba2f706c66001aa4462316d890a2aebe6 create mode 100644 soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/dde7aa5a3d9db2fc6e2bcbe681f51a78d17fcd92 diff --git a/Abstract.md b/Abstract.md index 5c7d07c11b..2af5f15b98 100644 --- a/Abstract.md +++ b/Abstract.md @@ -73,16 +73,16 @@ HybridSig combines Ed25519 (classical) and ML-DSA-65 (post-quantum). Key pairs satisfy pk = (pk_E, pk_P), sk = (sk_E, sk_P). **Sign(sk, m)** → σ = (σ_E ‖ σ_P): both components computed independently and -concatenated. ML-DSA-65 uses hedged signing via `sign_internal` (FIPS 204 §5.2 / -Algorithm 2); fresh randomness is mixed per signing operation for +concatenated. ML-DSA-65 uses hedged signing via `sign_internal` (FIPS 204 §6.2 / +Algorithm 7); fresh randomness is mixed per signing operation for fault-injection resistance. **FIPS 204 compatibility note**: The implementation calls `sign_internal` directly — the raw internal signing function with no context string or domain prefix. This is structurally incompatible with FIPS 204 -§6.2 (`ML-DSA.Sign`, which prepends a context-dependent domain separator before -calling `sign_internal`). A FIPS 204 §6.2 verifier expecting the domain-prefixed -message format will reject Soliton ML-DSA-65 signatures. A formal model or test -vector suite must use the `sign_internal` / `verify_internal` interface, not the -§6.2 external interface. For adversary models that include fault injection, +§5.2 (`ML-DSA.Sign` / Algorithm 2, which prepends a context-dependent domain +separator before calling `sign_internal`). A FIPS 204 §5.2 verifier expecting +the domain-prefixed message format will reject Soliton ML-DSA-65 signatures. A +formal model or test vector suite must use the `sign_internal` / +`verify_internal` interface, not the §5.2 external interface. For adversary models that include fault injection, hedged signing provides resistance to differential fault analysis that deterministic signing does not. **RNG implication**: Every HybridSig.Sign invocation consumes randomness (from ML-DSA-65's hedged component). In the §8.2 diff --git a/Cargo.toml b/Cargo.toml index 42e382b1b9..7db1de30c1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,7 @@ edition = "2024" rust-version = "1.85" license = "AGPL-3.0-only" repository = "https://git.lo.sh/lo/libsoliton" -homepage = "https://lo.sh" +homepage = "https://git.lo.sh/lo/libsoliton/wiki" authors = ["LO Contributors"] description = "Cryptographic library for the LO protocol" categories = ["cryptography"] diff --git a/README.md b/README.md index 5f23c654d6..c5462cc6ec 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Pure-Rust post-quantum cryptographic library. Provides composite identity keys ( | Document | Description | |----------|-------------| +| [paper.tex](paper.tex) | Protocol paper — design, security analysis, formal verification, implementation | | [Abstract.md](Abstract.md) | Security analysis specification — adversary model, theorems, and verification targets for formal modeling | | [Specification.md](Specification.md) | Full cryptographic specification (v1) | | [CHEATSHEET.md](CHEATSHEET.md) | API quick reference with types, sizes, and signatures | diff --git a/fuzz_overnight.sh b/fuzz_overnight.sh index 643ed5f4cf..63033f4b3a 100755 --- a/fuzz_overnight.sh +++ b/fuzz_overnight.sh @@ -16,6 +16,7 @@ fi HOURS="${1:-8}" WORKERS="${2:-1}" +# Change to 3600 for overnight runs, 1 is used for quick local runs SECONDS_TOTAL=$((HOURS * 1)) CORE_DIR="soliton" diff --git a/soliton.tex b/soliton.tex new file mode 100644 index 0000000000..30affae4b5 --- /dev/null +++ b/soliton.tex @@ -0,0 +1,2223 @@ +\documentclass[11pt,a4paper]{article} + +% --- Packages --- +% inputenc unnecessary with LaTeX 2018+ (UTF-8 is default) +\usepackage[T1]{fontenc} +\usepackage{lmodern} +\usepackage[margin=1in]{geometry} +\usepackage{amsmath,amssymb,amsthm} +\usepackage{enumitem} +\usepackage{booktabs} +\usepackage{array} +\usepackage{tabularx} +\usepackage{hyperref} +\usepackage{cleveref} +\usepackage{xcolor} +\usepackage{graphicx} +\usepackage{microtype} +\usepackage{float} +\usepackage[nottoc]{tocbibind} +\usepackage{xspace} +\usepackage{tikz} +\usetikzlibrary{positioning} + +% --- Theorem environments --- +\newtheorem{theorem}{Theorem} +\newtheorem{lemma}[theorem]{Lemma} +\newtheorem{corollary}[theorem]{Corollary} +\newtheorem{definition}[theorem]{Definition} +\newtheorem{remark}{Remark} +\newtheorem*{claim}{Claim} % unnumbered — does not consume theorem counter + +\newenvironment{proofsketch} + {\noindent\textit{Proof sketch.}\space} + {\hfill$\lrcorner$\medskip} + +% --- Shorthands --- +\newcommand{\ie}{i.e.,\xspace} +\newcommand{\eg}{e.g.,\xspace} +\newcommand{\cf}{cf.\xspace} +\newcommand{\etal}{et~al.\xspace} +\newcommand{\Adv}{\mathsf{Adv}} +\newcommand{\KDF}{\mathsf{KDF}} +\newcommand{\MAC}{\mathsf{MAC}} +\newcommand{\HKDF}{\mathsf{HKDF}} +\newcommand{\AEAD}{\mathsf{AEAD}} +\newcommand{\Enc}{\mathsf{Enc}} +\newcommand{\Dec}{\mathsf{Dec}} +\newcommand{\Encaps}{\mathsf{Encaps}} +\newcommand{\Decaps}{\mathsf{Decaps}} +\newcommand{\KeyGen}{\mathsf{KeyGen}} +\newcommand{\Sign}{\mathsf{Sign}} +\newcommand{\Verify}{\mathsf{Verify}} +\newcommand{\pk}{\mathit{pk}} +\newcommand{\sk}{\mathit{sk}} +\newcommand{\rk}{\mathit{rk}} +\newcommand{\ek}{\mathit{ek}} +\newcommand{\mk}{\mathit{mk}} +% \xmark removed — was unused + +% --- Spacing fix for overfull hboxes --- +\emergencystretch=2em +\hypersetup{ + colorlinks=true, + linkcolor=blue!60!black, + citecolor=blue!60!black, + urlcolor=blue!60!black, +} + +% --- Title --- +\title{Soliton: A Formally Verified Post-Quantum Messaging Protocol\\with Hybrid Authentication} + +\author{Kamal Tufekcic\\[4pt] +\small Independent Researcher, Romania\\[2pt] +\small \texttt{kamal@lo.sh}\\[2pt] +\small \url{https://git.lo.sh/lo/libsoliton}} + +\date{} + +\begin{document} +\maketitle + +% ============================================================================ +% ABSTRACT +% ============================================================================ +\begin{abstract} +I present Soliton, a two-party end-to-end encrypted communication protocol +providing hybrid classical/post-quantum security for messaging, voice and +video calls, and file transfer. The protocol comprises five sub-protocols --- +LO-KEX (asynchronous session establishment), LO-Ratchet (ongoing message +encryption), LO-Auth (server-side key possession proof), LO-Call (call key +derivation), and LO-Stream (streaming AEAD with random-access decryption) --- +built from X-Wing (X25519 + ML-KEM-768), hybrid Ed25519 + ML-DSA-65 +signatures, HKDF-SHA3-256, and XChaCha20-Poly1305. The ratchet uses +counter-mode message key derivation ($\mk_i = \mathsf{PRF}(\ek, i)$), +enabling $O(1)$ out-of-order decryption without a skip cache. No existing +asynchronous two-party E2EE messaging protocol provides post-quantum +authentication alongside post-quantum key exchange and ratcheting --- +prior work (PQXDH, SPQR, PQ3) retains classical-only signatures. +I provide formal verification via 55~Tamarin lemmas across 8~symbolic +models and 7~CryptoVerif queries across 5~computational models, covering +13~security properties (12~theorems and 1~unverified claim) with +concrete security bounds. The reference implementation +is a pure Rust library requiring no C~toolchain, benchmarked on x86-64, +aarch64, and riscv64gc, with 574.6~billion fuzz executions across +36~targets yielding zero crashes. The full specification, formal models, +and implementation are published under AGPL-3.0 at +\url{https://git.lo.sh/lo/libsoliton} for independent review. +\end{abstract} + +\smallskip\noindent\textbf{Keywords:} +post-quantum cryptography, secure messaging, KEM-based ratchet, hybrid +signatures, formal verification, X-Wing, ML-DSA-65 + +\tableofcontents +\newpage + +% ============================================================================ +% 1. INTRODUCTION +% ============================================================================ +\section{Introduction}\label{sec:intro} + +\subsection{Motivation}\label{sec:motivation} + +The prospect of cryptographically relevant quantum computers poses an +existential threat to the confidentiality assumptions underlying every +deployed messaging protocol. The harvest-now-decrypt-later attack model --- +where an adversary records encrypted traffic today and decrypts it once +quantum hardware matures --- makes the post-quantum transition urgent for +any system handling sensitive communications, even if large-scale quantum +computers remain years away. + +The messaging ecosystem has begun to respond. Signal introduced +PQXDH~\cite{signal-pqxdh} in 2023, adding an ML-KEM encapsulation to the +X3DH handshake while retaining the classical Diffie-Hellman double ratchet +for ongoing messages. Apple deployed PQ3~\cite{apple-pq3} in 2024 with +periodic KEM rekeying alongside per-message ECDH. Signal subsequently +introduced the Sparse Post-Quantum Ratchet +(SPQR)~\cite{signal-spqr}, based on the Triple Ratchet construction of +Dodis \etal~\cite{djkps25}, running an ML-KEM-based ratchet in parallel +with the existing +double ratchet. These are significant engineering achievements, but they +share a common gap: \textbf{none provide post-quantum authentication}. In +every deployed system, the signature scheme used to authenticate session +establishment remains classical --- Ed25519 or ECDSA --- and is therefore +vulnerable to quantum forgery. Signal has explicitly acknowledged this as an +open problem~\cite{signal-spqr}. + +Soliton was not designed to fill this gap in the abstract. It was designed +because I needed it. I am building a messaging platform with stringent +privacy and security requirements, and I needed an end-to-end encryption +layer that met several practical constraints: no C~toolchain dependency +(to avoid cross-compilation complexity across target platforms), no +architectural lock-in (the library should be a ``byte pump'' --- plaintext +in, ciphertext out, with no opinions about transport, storage, or session +management), and hybrid post-quantum security at every layer, including +authentication. No existing library met all of these requirements. +\texttt{libsignal} is functionally coupled to Signal's architecture. +Academic PQ~messaging proposals exist~\cite{hks22, bfg20, acd19} but lack +production implementations. The available options were to compromise on +requirements or build something new. + +The protocol design itself is a product of a single guiding principle: +\emph{keep it simple}. Where the standard double ratchet derives message +keys via an iterated HMAC chain (requiring a skip cache for out-of-order +decryption), Soliton uses counter-mode derivation +$\mk_i = \MAC(\ek, \texttt{0x01} \| \mathsf{BE32}(i))$, +enabling $O(1)$~random-access decryption with no additional state. Where +Signal runs two independent ratchets in parallel (classical DH and +post-quantum KEM) and combines their outputs, Soliton uses X-Wing --- a +hybrid KEM that inherently combines X25519 and ML-KEM-768 in every +operation --- as a single ratchet primitive, making the classical ratchet +redundant. Where Signal defers post-quantum authentication, Soliton signs +session initiations with a composite Ed25519 + ML-DSA-65 scheme from the +start. Each of these decisions reduces the protocol's complexity at the +cost of different trade-offs, discussed in \Cref{sec:rationale}. + +\subsection{Contributions}\label{sec:contributions} + +The primary contribution of this work is not any single protocol +component in isolation --- adding post-quantum signatures to a KEM-based +handshake is a natural instantiation choice, and the individual +sub-protocols build on well-established foundations. Rather, the +contribution is the \textbf{comprehensive, verified, and implemented +package}: a complete messaging protocol with hybrid PQ security at every +layer (including authentication), formal verification covering the full +protocol lifecycle, and a production-quality implementation. No prior +work combines all three. + +Specifically: + +\begin{enumerate}[leftmargin=*, itemsep=4pt] +\item \textbf{LO-KEX with hybrid PQ authentication}: An asynchronous + KEM-based session establishment protocol using X-Wing, with hybrid + Ed25519 + ML-DSA-65 authentication. No deployed or published + asynchronous two-party E2EE messaging protocol provides post-quantum + authentication: Signal's PQXDH~\cite{signal-pqxdh} and + SPQR~\cite{signal-spqr} retain Ed25519-only signatures; Apple's + PQ3~\cite{apple-pq3} uses ECDSA. Hashimoto \etal~\cite{hks22} + provide a generic PQ~X3DH framework that could be instantiated with + PQ signatures, but do not instantiate one, and provide neither an + implementation nor formal verification of such an instantiation. + +\item \textbf{LO-Ratchet}: A KEM-based double ratchet with counter-mode + message key derivation ($\mk_i = \mathsf{PRF}(\ek, i)$), enabling + $O(1)$ out-of-order decryption without a skip cache --- providing + per-epoch forward secrecy and post-compromise security via X-Wing KEM + ratchet steps. + +\item \textbf{LO-Auth}: A KEM-based key possession proof for server-side + authentication, compositionally secure with LO-KEX under shared + identity keys. + +\item \textbf{LO-Call}: Ephemeral KEM-based call key derivation for E2EE + voice and video, with intra-call forward secrecy and independence from + ratchet state. + +\item \textbf{LO-Stream}: A streaming AEAD construction with both + sequential and random-access interfaces, providing chunked encryption + with ordering, truncation resistance, and cross-stream isolation + guarantees. + +\item \textbf{Formal verification}: 55~Tamarin lemmas across 8~symbolic + models and 7~CryptoVerif queries across 5~computational models, + covering 13~security properties with concrete security bounds. For comparison: + the PQXDH verification~\cite{bjks24} covers the handshake only + (${\sim}6$--8 properties); the PQ3 analysis~\cite{lsb25} covers + handshake and ratcheting (${\sim}15$--30 lemmas); B\'eguinet + \etal~\cite{bcrs24} cover a KEM-based Signal variant + (${\sim}8$--10~properties). No prior work combines both Tamarin + and CryptoVerif for a KEM-based messaging protocol covering + handshake, ratcheting, authentication, calls, and streaming. + +\item \textbf{Implementation}: A pure Rust library (\texttt{libsoliton}) + with C, Python, WASM, and Zig bindings, benchmarked across three + architectures, with 574.6~billion fuzz executions across 36~targets + yielding zero crashes. +\end{enumerate} + +\paragraph{AI-assisted development.} +AI assistance (Anthropic's Claude) was used extensively throughout +protocol design, specification writing, and formal model development. +All formal verification results are machine-checkable and independently +reproducible --- the Tamarin and CryptoVerif models are published +alongside the paper. Model fidelity was validated through systematic +cross-referencing against both the specification and the Rust +implementation, including 10~expected-falsification tests confirming +the models correctly represent known attack paths. The paper itself +underwent multiple rounds of automated cross-validation (checking claims +against the specification, formal analysis document, implementation +source, and verification outputs) to identify factual discrepancies +before submission. Readers are encouraged to verify rather than trust. + +\subsection{Paper organization} + +\Cref{sec:prelim} introduces notation and primitive assumptions. +\Cref{sec:protocol} describes the five sub-protocols. +\Cref{sec:security-model} defines the adversary model and freshness +predicates. \Cref{sec:security} presents the 13~security theorems with +proof sketches and concrete bounds. \Cref{sec:verification} details the +Tamarin and CryptoVerif verification results. +\Cref{sec:implementation} covers the Rust implementation, benchmarks, and +testing. \Cref{sec:rationale} discusses key design decisions and their +trade-offs. \Cref{sec:related} surveys related work. +\Cref{sec:limitations} identifies verification gaps and open problems. +\Cref{sec:conclusion} concludes. + +The full cryptographic specification (5000+ lines), formal analysis +document, and all Tamarin/CryptoVerif models are available in the project +repository~\cite{soliton-repo}. The specification targets independent +reimplementation; the formal analysis document targets formal methods +researchers. This paper presents the protocol design, security arguments, +and verification results at a level suitable for a cryptographic audience +without duplicating the companion documents. + +% ============================================================================ +% 2. PRELIMINARIES +% ============================================================================ +\section{Preliminaries}\label{sec:prelim} + +\subsection{Notation}\label{sec:notation} + +I use the following conventions throughout. $\|$ denotes byte string +concatenation. $\mathsf{BE}n(x)$ denotes the big-endian encoding of the +unsigned integer~$x$ in exactly $n/8$~bytes (\eg $\mathsf{BE32}(x)$ is a +4-byte encoding). $|x|$ denotes the byte length of byte string~$x$. +$0^n$ denotes a string of $n$~zero bytes. $\{0,1\}^n$ denotes an +$n$-bit string; superscripts on zero-strings are byte counts while +superscripts on $\{0,1\}$ sets are bit counts. PPT denotes probabilistic +polynomial-time. $\mathsf{H}$ denotes SHA3-256. + +Argument labels for $\MAC$ are always explicit: +$\MAC(\text{key}=k, \text{data}=d)$ uses $k$ as the HMAC key and $d$ as +the data, preventing transposition errors. + +\subsection{Cryptographic primitives}\label{sec:primitives} + +The protocol uses the following primitive suite, referred to as +\texttt{lo-crypto-v1}. No novel cryptographic assumptions are introduced; +the construction composes standard primitives under standard assumptions. + +\subsubsection{X-Wing (hybrid KEM)} + +X-Wing~\cite{xwing, xwing-ietf} combines X25519 and ML-KEM-768 via a +SHA3-256 combiner. Key pairs satisfy $\pk = (\pk_M, \pk_X)$, +$\sk = (\sk_M, \sk_X)$, where subscripts $M$ and $X$ denote the ML-KEM +and X25519 components respectively. (This tuple notation follows +draft-09's mathematical presentation order; the wire encoding is +X25519-first: $\pk = \pk_X \| \pk_M$.) + +$\Encaps(\pk) \to (c, \mathit{ss})$: Generate an ephemeral X25519 key +pair, compute the ML-KEM encapsulation and the X25519 shared secret, then +combine via $\mathit{ss} = \mathsf{H}_3(\mathit{ss}_M \| \mathit{ss}_X \| +\mathit{ct}_X \| \pk_X \| \Lambda)$, where +$\Lambda = \texttt{0x5c2e2f2f5e5c}$ is a fixed domain label and +$\mathsf{H}_3$ denotes SHA3-256. + +$\Decaps(\sk, c) \to \mathit{ss}$: Parse $c$, recompute both shared +secrets, and apply the identical combiner. Decapsulation uses ML-KEM's +implicit rejection (FIPS~203~\cite{fips203} \S7.3) --- a mismatched +ciphertext produces a pseudorandom shared secret rather than an error. + +X-Wing is IND-CCA2 if at least one of X25519 (under the strong +Diffie-Hellman assumption) or ML-KEM-768 is IND-CCA2~\cite{xwing}. +ML-KEM-768 provides NIST security level~3 (128-bit post-quantum +security), matching the PQ~TLS~1.3 deployment trajectory; level~5 +(ML-KEM-1024) would further increase the already-large key sizes for +marginal benefit. Key sizes: 1216-byte public key, 2432-byte secret key, +1120-byte ciphertext, 32-byte shared secret. + +For symbolic analysis, X-Wing is treated as a single IND-CCA2 KEM. For +computational models, the black-box IND-CCA2 assumption is stronger than +opening the combiner; bounds are in terms of $P_{\text{kem}}$ rather than +component advantages. + +\subsubsection{Hybrid signature scheme (HybridSig)} + +HybridSig combines Ed25519~\cite{rfc8032} and ML-DSA-65~\cite{fips204}. + +$\Sign(\sk, m) \to \sigma = (\sigma_E \| \sigma_P)$: Both components are +computed independently and concatenated. ML-DSA-65 uses hedged signing +via \texttt{sign\_internal} (FIPS~204 \S6.2) for fault-injection +resistance. This is structurally incompatible with FIPS~204 \S5.2's +external interface, which prepends a context-dependent domain separator; +a FIPS~204-compliant verifier will reject Soliton signatures. + +$\Verify(\pk, m, \sigma) \to \{0,1\}$: Returns 1 iff both +$\mathsf{Ed25519.Verify}$ and $\mathsf{ML\text{-}DSA.Verify}$ return~1. +Both components are evaluated eagerly and the conjunction is +constant-time to prevent leaking which component failed. + +HybridSig is EUF-CMA if at least one component is EUF-CMA. For symbolic +models, it is treated as a single EUF-CMA signature scheme. + +\subsubsection{Key derivation and MAC} + +$\MAC$ denotes HMAC-SHA3-256 throughout. All HKDF-based KDF functions +use a single HKDF invocation (Extract-then-Expand per RFC~5869 +\cite{rfc5869}) with the specified output length, split sequentially at +32-byte boundaries: + +\begin{itemize}[leftmargin=*, itemsep=2pt] +\item $\KDF_{\text{Root}}(\rk, \mathit{ss}) \to (\rk', \ek)$: + $\HKDF(\text{salt}=\rk, \text{ikm}=\mathit{ss}, + \text{info}=\texttt{"lo-ratchet-v1"}, \text{len}=64)$. + +\item $\KDF_{\text{MsgKey}}(\ek, \mathit{counter}) \to \mk$: + $\mk = \MAC(\text{key}=\ek, + \text{data}=\texttt{0x01} \| \mathsf{BE32}(\mathit{counter}))$. + The epoch key $\ek$ does not advance per message. + +\item $\KDF_{\text{KEX}}(\mathit{ikm}, \mathit{info}) \to (\rk, \ek)$: + $\HKDF(\text{salt}=0^{32}, \mathit{ikm}, \mathit{info}, + \text{len}=64)$. + +\item $\KDF_{\text{Call}}(\rk, \mathit{ss}_{\text{eph}}, + \mathit{call\_id}, \mathit{fp}_{\text{lo}}, + \mathit{fp}_{\text{hi}})$ + $\to (\mathit{key}_a, \mathit{key}_b, + \mathit{ck}_{\text{call}})$: HKDF with + $\text{salt}=\rk$, + $\text{ikm}=\mathit{ss}_{\text{eph}} \| \mathit{call\_id}$, + $\text{info}=\texttt{"lo-call-v1"} \| \mathit{fp}_{\text{lo}} \| + \mathit{fp}_{\text{hi}}$, output 96~bytes. +\end{itemize} + +The HMAC-SHA3-256 PRF property under arbitrary hash functions follows from +Bellare's analysis~\cite{bellare06}. The HKDF dual-PRF assumption and +extractor property follow from Krawczyk~\cite{krawczyk10}. Note: +Bellare's and Krawczyk's analyses target HMAC-SHA2 (Merkle-Damg\aa rd); +applicability to HMAC-SHA3-256 (sponge-based) follows from the generic +HMAC construction~\cite{bellare06}, whose PRF argument applies to any +hash function satisfying the underlying pseudorandomness assumptions. +SHA3-256 uses a sponge with an internal permutation (Keccak-$f$) rather +than a Merkle-Damg\aa rd compression function; the HMAC-over-sponge +construction is widely deployed and believed secure, but a +sponge-specific reduction (as opposed to the MD-specific analysis +in~\cite{bellare06}) remains an open problem. NIST's recommended +keyed MAC for SHA-3 is KMAC (SP~800-185), which operates natively on +the sponge; HMAC-SHA3-256 is used here because HKDF (RFC~5869) is +defined in terms of HMAC, and no HKDF-KMAC equivalent is standardized. + +\subsubsection{Authenticated encryption} + +$\AEAD.\Enc(k, n, m, \mathit{aad}) \to c$: XChaCha20-Poly1305 with a +128-bit tag appended to the ciphertext. Nonces for ratchet messages are +counter-derived: $n = 0^{20} \| \mathsf{BE32}(\mathit{counter})$ (24 +bytes total). The session-init first message uses a uniformly random +192-bit nonce as defense-in-depth. + +\subsection{Key hierarchy}\label{sec:key-hierarchy} + +Soliton uses a four-tier key hierarchy (\Cref{fig:key-hierarchy}), +following the structure established by the Signal +Protocol~\cite{signal-x3dh} and adapted for KEM-based operations: + +\begin{itemize}[leftmargin=*, itemsep=3pt] +\item \textbf{Identity Key (IK)}: Long-term composite key pair + (3200~bytes public key): + \[ + \pk_{\text{IK}} = \pk_{\text{IK}}[\text{XWing}] \;(1216) \;\|\; + \pk_{\text{IK}}[\text{Ed25519}] \;(32) \;\|\; + \pk_{\text{IK}}[\text{ML-DSA}] \;(1952) + \] + The X-Wing component is used for KEM operations; the Ed25519 and + ML-DSA-65 components are used for signing. A single corruption of + $\sk_{\text{IK}}$ yields both KEM decapsulation and signing + capability. + +\item \textbf{Signed Pre-Key (SPK)}: Medium-term X-Wing key pair, signed + by the identity key: + $\sigma_{\text{SPK}} = \Sign(\sk_{\text{IK}}, + \texttt{"lo-spk-sig-v1"} \| \pk_{\text{SPK}})$. Rotated + approximately weekly. + +\item \textbf{One-Time Pre-Key (OPK)}: Single-use X-Wing key pair. + Deleted immediately after one decapsulation. + +\item \textbf{Ephemeral Key (EK)}: Per-session X-Wing key pair generated + by the initiator. Serves as the initiator's initial ratchet public key. +\end{itemize} + +Session key material consists of a root key +$\rk \in \{0,1\}^{256}$, send and receive epoch keys +$\ek_s, \ek_r \in \{0,1\}^{256}$, and single-use message keys +$\mk \in \{0,1\}^{256}$. Epoch keys are replaced on each KEM ratchet +step; message keys are zeroized after use. + +\begin{figure}[t] +\centering +\begin{tikzpicture}[ + >=stealth, font=\small, + box/.style={draw, rounded corners=2pt, minimum height=1.5em, + minimum width=2.4cm, font=\small}, + kdf/.style={draw, rounded corners=2pt, minimum height=1.3em, + font=\scriptsize, fill=gray!10}, + arr/.style={->, thick}, + darr/.style={->, thick, dashed}, + lbl/.style={font=\scriptsize}, +] + +% --- Identity layer --- +\node[box] (IK) at (0, 0) {$\sk_\text{IK}$}; +\node[lbl, above=0.1cm of IK] {Identity Key}; + +% Pre-keys + ephemeral — labels below boxes to avoid overlap with arrows +\node[box] (SPK) at (-3.2, -2.0) {$\sk_\text{SPK}$}; +\node[lbl, below=0.1cm of SPK] {Signed Pre-Key}; +\node[box] (OPK) at (0, -2.0) {$\sk_\text{OPK}$}; +\node[lbl, below=0.1cm of OPK] {One-Time Pre-Key}; +\node[box] (EK) at (3.2, -2.0) {$\sk_\text{EK}$}; +\node[lbl, below=0.1cm of EK] {Ephemeral Key}; + +\draw[arr] (IK) -- node[above left, lbl] {signs} (SPK); +\draw[darr] (IK) -- (OPK); +\draw[darr] (IK) -- (EK); + +% --- KEX --- +\node[kdf] (KDFKEX) at (0, -3.8) + {$\textsf{KDF}_\text{KEX}(\mathit{ss}_\text{IK} \| \mathit{ss}_\text{SPK} [\| \mathit{ss}_\text{OPK}])$}; +\draw[arr] (SPK) -- (KDFKEX); +\draw[arr] (OPK) -- (KDFKEX); +\draw[arr] (EK) -- (KDFKEX); + +% KEX outputs +\node[box] (rk) at (-1.8, -5.2) {$\rk$}; +\node[lbl, below=0.1cm of rk] {Root Key}; +\node[box] (ek0) at (1.8, -5.2) {$\ek$}; +\node[lbl, below=0.1cm of ek0] {Epoch Key}; +\draw[arr] (KDFKEX) -- (rk); +\draw[arr] (KDFKEX) -- (ek0); + +% --- Ratchet advancement (left branch) --- +\node[kdf] (KDFRoot) at (-1.8, -7.0) + {$\textsf{KDF}_\text{Root}(\rk, \mathit{ss})$}; +\draw[arr] (rk) -- (KDFRoot); + +\node[box] (rkp) at (-3.5, -8.4) {$\rk'$}; +\node[box] (ekp) at (-0.1, -8.4) {$\ek'$}; +\draw[arr] (KDFRoot) -- (rkp); +\draw[arr] (KDFRoot) -- (ekp); + +% Feedback loop: rk' → next KDF_Root +\draw[arr, dotted] (rkp.west) -- ++(-0.6, 0) + |- node[left, lbl, pos=0.25] {next step} (KDFRoot.west); + +% --- Message key derivation (right branch) --- +\node[kdf] (KDFMsg) at (1.8, -7.0) + {$\textsf{KDF}_\text{MsgKey}(\ek, n)$}; +\draw[arr] (ek0) -- (KDFMsg); +% ek' feeds KDF_MsgKey on subsequent epochs — route around mk +\draw[darr] (ekp.north) -- ++(0, 0.4) -| (KDFMsg.south west); + +\node[box] (mk) at (1.8, -8.4) {$\mk$}; +\node[lbl, below=0.1cm of mk] {Message Key}; +\draw[arr] (KDFMsg) -- (mk); + +\node[kdf] (AEAD) at (1.8, -9.8) {$\textsf{AEAD.Enc}(\mk, n, m)$}; +\draw[arr] (mk) -- (AEAD); +\node[box] (ct) at (1.8, -10.8) {ciphertext}; +\draw[arr] (AEAD) -- (ct); + +% --- Call key derivation (left-bottom branch) --- +\node[kdf] (KDFCall) at (-3.5, -9.8) + {$\textsf{KDF}_\text{Call}(\rk, \mathit{ss}_\text{eph})$}; +\draw[darr] (rkp) -- (KDFCall); + +\node[box] (ck) at (-3.5, -10.8) {$\mathit{key}_a, \mathit{key}_b, \mathit{ck}$}; +\node[lbl, below=0.1cm of ck] {Call Keys}; +\draw[arr] (KDFCall) -- (ck); + +\end{tikzpicture} +\caption{Key derivation hierarchy. Solid arrows show derivation; +dashed arrows show KEM operations. The root key $\rk$ feeds both +$\textsf{KDF}_\text{Root}$ (ratchet advancement: $\rk' \to$ next step) +and $\textsf{KDF}_\text{Call}$ (call key derivation). Message keys are +counter-mode: $\mk_i = \textsf{MAC}(\ek, \texttt{0x01} \| +\textsf{BE32}(i))$, enabling $O(1)$ decryption without a skip cache.} +\label{fig:key-hierarchy} +\end{figure} + +% ============================================================================ +% 3. PROTOCOL DESCRIPTION +% ============================================================================ +\section{Protocol description}\label{sec:protocol} + +This section describes each sub-protocol at a level sufficient for +security analysis. The full wire formats, encoding details, and +implementation guidance are in the companion +specification~\cite{soliton-spec}. + +\subsection{LO-KEX: Session establishment}\label{sec:kex} + +LO-KEX (\Cref{fig:kex-flow}) establishes a shared session key between +an initiator~(Alice) and a responder~(Bob) via asynchronous KEM-based +key agreement. The design +follows the structure of X3DH~\cite{signal-x3dh} and +PQXDH~\cite{signal-pqxdh}, replacing Diffie-Hellman operations with +X-Wing encapsulations and adding hybrid post-quantum signatures for +initiator authentication. + +\subsubsection{Pre-key bundle} + +Bob publishes a bundle +$\mathit{Bundle}_B = (\mathit{cv}, \pk_{\text{IK}_B}, +\pk_{\text{SPK}_B}, \mathit{id}_{\text{SPK}}, \sigma_{\text{SPK}} +[, \pk_{\text{OPK}_B}, \mathit{id}_{\text{OPK}}])$, +where $\sigma_{\text{SPK}} = \Sign(\sk_{\text{IK}_B}, +\texttt{"lo-spk-sig-v1"} \| \pk_{\text{SPK}_B})$ and +$\mathit{cv} = \texttt{"lo-crypto-v1"}$. The signature binds the SPK to +Bob's identity but intentionally excludes $\mathit{id}_{\text{SPK}}$ and +$\mathit{cv}$ from the signed data --- an adversary controlling the +bundle relay can substitute these without invalidating the signature, but +this causes lookup failure rather than a security breach. + +\subsubsection{Session initiation (Alice)} + +\begin{enumerate}[leftmargin=*, itemsep=2pt] +\item \textbf{Verify bundle}: Check $\pk_{\text{IK}_B}$ matches the + known reference, verify $\sigma_{\text{SPK}}$, check version + compatibility, validate OPK co-presence. + +\item \textbf{Generate ephemeral key}: + $(\pk_{\text{EK}}, \sk_{\text{EK}}) \gets \KeyGen()$. + +\item \textbf{Encapsulate}: + \begin{align*} + (c_{\text{IK}}, \mathit{ss}_{\text{IK}}) &\gets + \Encaps(\pk_{\text{IK}_B}[\text{XWing}]) \\ + (c_{\text{SPK}}, \mathit{ss}_{\text{SPK}}) &\gets + \Encaps(\pk_{\text{SPK}_B}) \\ + (c_{\text{OPK}}, \mathit{ss}_{\text{OPK}}) &\gets + \Encaps(\pk_{\text{OPK}_B}) \quad\text{(if OPK present)} + \end{align*} + +\item \textbf{Derive session keys}: + $\mathit{ikm} = \mathit{ss}_{\text{IK}} \| + \mathit{ss}_{\text{SPK}} [\| \mathit{ss}_{\text{OPK}}]$; + $(\rk, \ek) \gets \KDF_{\text{KEX}}(\mathit{ikm}, \mathit{info})$, + where the $\mathit{info}$ string encodes a version label, both + composite identity public keys, and the ephemeral public key with + length prefixes to ensure injectivity. + +\item \textbf{Construct and sign session init}: Construct + $\mathit{SI}$ containing the crypto version, both identity + fingerprints ($\mathit{fp} = \mathsf{H}(\pk_{\text{IK}})$), + $\pk_{\text{EK}}$, all KEM ciphertexts, and key identifiers. Sign: + \[ + \sigma_{\text{SI}} \gets \Sign(\sk_{\text{IK}_A},\; + \texttt{"lo-kex-init-sig-v1"} \| \mathsf{Encode}(\mathit{SI})) + \] + +\item \textbf{Encrypt first message}: + $\mk_0 \gets \KDF_{\text{MsgKey}}(\ek, 0)$; + $n_0 \xleftarrow{\$} \{0,1\}^{192}$; + \begin{align*} + \mathit{aad}_0 &= \texttt{"lo-dm-v1"} \| \mathit{fp}_{\text{IK}_A} + \| \mathit{fp}_{\text{IK}_B} \| \mathsf{Encode}(\mathit{SI}) \\ + c_0 &= \AEAD.\Enc(\mk_0, n_0, m_0, \mathit{aad}_0) + \end{align*} + Transmit $(\mathit{SI}, \sigma_{\text{SI}}, n_0 \| c_0)$. +\end{enumerate} + +\subsubsection{Session reception (Bob)} + +Bob resolves Alice's identity from $\mathit{fp}_{\text{IK}_A}$, validates +fingerprints and version, verifies $\sigma_{\text{SI}}$ \emph{before} any +KEM operations (so a forged signature is rejected without performing +decapsulation), then decapsulates to recover the shared secrets and +derives the same $(\rk, \ek)$. Successful decryption of $c_0$ completes +session establishment and provides Bob with key confirmation of Alice +(Alice holds $\mk_0$, therefore $\ek$, therefore the correct session +key). Alice obtains key confirmation of Bob only when Bob's first +ratchet reply decrypts successfully. + +If an OPK was used, $\sk_{\text{OPK}}$ is deleted atomically --- +concurrent session inits referencing the same OPK are resolved by at +most one succeeding. + +\begin{figure}[t] +\centering +\begin{tikzpicture}[ + >=stealth, font=\small, + party/.style={font=\small\bfseries}, + msg/.style={->, thick}, + note/.style={font=\scriptsize, text width=4.2cm, align=left}, +] +% Party labels +\node[party] (A) at (0, 0) {Alice (initiator)}; +\node[party] (B) at (7, 0) {Bob (responder)}; + +% Lifelines +\draw[thick] (0, -0.3) -- (0, -10.5); +\draw[thick] (7, -0.3) -- (7, -10.5); + +% Bundle fetch +\draw[msg] (0, -0.8) -- node[above, font=\scriptsize] {fetch bundle} (7, -0.8); +\draw[msg, dashed] (7, -1.3) -- node[above, font=\scriptsize] + {$(\mathit{cv},\, \mathit{pk}_{\text{IK}_B},\, + \mathit{pk}_{\text{SPK}_B},\, \sigma_{\text{SPK}} + [,\, \mathit{pk}_{\text{OPK}_B}])$} (0, -1.3); + +% Alice processing +\node[note, anchor=east] at (-0.2, -2.1) {verify $\sigma_{\text{SPK}}$}; +\node[note, anchor=east] at (-0.2, -2.7) {$(\mathit{pk}_{\text{EK}}, \mathit{sk}_{\text{EK}}) \gets \textsf{KeyGen}()$}; +\node[note, anchor=east] at (-0.2, -3.5) + {$\textsf{Encaps} \to (c_{\text{IK}}, c_{\text{SPK}} [, c_{\text{OPK}}])$}; +\node[note, anchor=east] at (-0.2, -4.3) + {$(\mathit{rk}, \mathit{ek}) \gets \textsf{KDF}_{\text{KEX}}(\mathit{ikm}, \mathit{info})$}; +\node[note, anchor=east] at (-0.2, -4.9) + {$\sigma_{\text{SI}} \gets \textsf{Sign}(\mathit{sk}_{\text{IK}_A},\, \textsf{SI})$}; +\node[note, anchor=east] at (-0.2, -5.5) + {$c_0 \gets \textsf{AEAD.Enc}(\mathit{mk}_0,\, m_0)$}; + +% Session init message +\draw[msg] (0, -6.2) -- node[above, font=\scriptsize] + {$(\textsf{SI},\; \sigma_{\text{SI}},\; n_0 \| c_0)$} (7, -6.2); + +% Bob processing +\node[note, anchor=west] at (7.2, -6.9) {verify $\sigma_{\text{SI}}$}; +\node[note, anchor=west] at (7.2, -7.5) + {$\textsf{Decaps} \to (\mathit{ss}_{\text{IK}}, \mathit{ss}_{\text{SPK}} [, \mathit{ss}_{\text{OPK}}])$}; +\node[note, anchor=west] at (7.2, -8.1) + {delete $\mathit{sk}_{\text{OPK}}$ (if used)}; +\node[note, anchor=west] at (7.2, -8.7) + {$(\mathit{rk}, \mathit{ek}) \gets \textsf{KDF}_{\text{KEX}}(\mathit{ikm}, \mathit{info})$}; +\node[note, anchor=west] at (7.2, -9.3) + {$m_0 \gets \textsf{AEAD.Dec}(\mathit{mk}_0,\, c_0)$}; + +% Session established +\draw[dashed, thick, gray] (-0.5, -10) -- (7.5, -10); +\node[font=\scriptsize\itshape, gray] at (3.5, -10.3) {session established --- ratchet begins}; +\end{tikzpicture} +\caption{LO-KEX session establishment. Alice verifies Bob's bundle, +encapsulates to three public keys (IK, SPK, OPK), derives session keys +via $\textsf{KDF}_{\text{KEX}}$, signs the session init, and encrypts the +first message. Bob verifies Alice's signature before any KEM operation, +then decapsulates and derives the same session key. OPK fields are +optional (brackets).} +\label{fig:kex-flow} +\end{figure} + +\subsection{LO-Ratchet: Ongoing message encryption}\label{sec:ratchet} + +LO-Ratchet provides forward secrecy and post-compromise security for +ongoing message exchange. It adapts the double ratchet +algorithm~\cite{signal-doubleratchet, acd19} with two key modifications: +KEM ratchet steps replace DH ratchet steps, and counter-mode key +derivation replaces chain-mode key derivation. + +\subsubsection{Ratchet state} + +Each party maintains a ratchet state~$\Sigma$ containing: +$\rk$~(root key), $\ek_s, \ek_r$~(send/receive epoch keys), +$(\pk_s, \sk_s)$~(send ratchet keypair), $\pk_r$~(peer's ratchet +public key), $\mathit{prev\_ek_r}$~(retained prior epoch key), +$s, r$~(send/receive counters), +$\mathit{pending} \in \{\top, \bot\}$~(KEM ratchet step due on next +send), $\mathit{recv\_seen}$~(duplicate detection set), +$\mathit{local\_fp}, \mathit{remote\_fp}$~(identity fingerprints), +and $\mathit{epoch}$~(anti-rollback counter). + +\subsubsection{Counter-mode message key derivation} + +Message keys are derived as +$\mk = \KDF_{\text{MsgKey}}(\ek, \mathit{counter}) = +\MAC(\text{key}=\ek, +\text{data}=\texttt{0x01} \| \mathsf{BE32}(\mathit{counter}))$. +The epoch key is static within an epoch; all messages in the same epoch +share a single $\ek$. This provides $O(1)$~random-access decryption --- +any message counter yields its message key directly, with no iterated +hashing and no skip cache. The trade-off is that forward secrecy is +per-epoch (per KEM ratchet step), not per-message; see +\Cref{sec:rationale} for the design rationale. + +\subsubsection{KEM ratchet step} + +A KEM ratchet step occurs when a party sends a message after receiving +one (direction change), triggered by $\mathit{pending} = \top$. The +sender: + +\begin{enumerate}[leftmargin=*, itemsep=2pt] +\item Generates a fresh X-Wing keypair + $(\pk_s', \sk_s') \gets \KeyGen()$. +\item Encapsulates to the peer's ratchet public key: + $(c_{\text{ratchet}}, \mathit{ss}) \gets \Encaps(\pk_r)$. +\item Advances the root key: + $(\rk', \ek_s') \gets \KDF_{\text{Root}}(\rk, \mathit{ss})$. +\item Updates state: $\rk \gets \rk'$, $\ek_s \gets \ek_s'$, + $(\pk_s, \sk_s) \gets (\pk_s', \sk_s')$, $s \gets 0$, + $\mathit{pending} \gets \bot$. +\end{enumerate} + +The message header includes $\pk_s$ and $c_{\text{ratchet}}$, allowing +the receiver to perform the symmetric decapsulation and key derivation. + +\subsubsection{Forward secrecy and \texorpdfstring{$\mathit{prev\_ek_r}$}{prev\_ek\_r} retention} + +Forward secrecy is per-epoch with a \textbf{two-step delay on the receive +side} (\Cref{fig:ratchet-flow}). When a KEM ratchet step replaces a +party's receive epoch key, the +old $\ek_r$ moves into $\mathit{prev\_ek_r}$ to allow decryption of +delayed messages from the immediately prior epoch. A corruption of +$\Sigma$ after a single KEM ratchet step therefore reveals +$\mathit{prev\_ek_r}$ and all message keys from the prior receive epoch. +Full receive-side forward secrecy requires two KEM ratchet steps: the +first moves $\ek_r$ into $\mathit{prev\_ek_r}$, the second overwrites +$\mathit{prev\_ek_r}$ (the old value is zeroized). On the send side, +forward secrecy applies after a single step ($\ek_s$ is overwritten +directly with no retention). + +\begin{figure}[t] +\centering +\begin{tikzpicture}[ + >=stealth, font=\small, + party/.style={font=\small\bfseries}, + msg/.style={->, thick}, + note/.style={font=\scriptsize, text width=4.2cm, align=left}, + epoch/.style={font=\scriptsize\itshape, gray}, +] +% Party labels +\node[party] (A) at (0, 0) {Alice}; +\node[party] (B) at (7, 0) {Bob}; + +% Lifelines +\draw[thick] (0, -0.3) -- (0, -12.4); +\draw[thick] (7, -0.3) -- (7, -12.4); + +% Epoch 0: Alice sends (same epoch, no KEM step) +\node[epoch] at (3.5, -0.7) {Epoch 0 (from KEX)}; + +\draw[msg] (0, -1.4) -- node[above, font=\scriptsize] + {$H_1 = (\mathit{pk}_{\text{EK}},\, \bot,\, 1,\, 0),\ c_1$} (7, -1.4); +\node[note, anchor=east] at (-0.2, -1.4) {$\mk_1 = \textsf{KDF\_MsgKey}(\ek_s, 1)$}; + +\draw[msg] (0, -2.1) -- node[above, font=\scriptsize] + {$H_2 = (\mathit{pk}_{\text{EK}},\, \bot,\, 2,\, 0),\ c_2$} (7, -2.1); + +% Bob receives, sets pending = true +\node[note, anchor=west] at (7.2, -2.8) {decrypt: $\mathit{pk}_{\text{EK}} = \mathit{pk}_r$}; +\node[note, anchor=west] at (7.2, -3.3) {$\to$ CurrentEpoch, pending $\gets \top$}; + +% Direction change: Bob sends → KEM ratchet step +\node[epoch] at (3.5, -3.9) {Direction change $\to$ Epoch 1}; + +\node[note, anchor=west] at (7.2, -4.6) + {pending $= \top \to$ KEM ratchet:}; +\node[note, anchor=west] at (7.2, -5.2) + {$(\mathit{pk}_B, \mathit{sk}_B) \gets \textsf{KeyGen}()$}; +\node[note, anchor=west] at (7.2, -5.8) + {$(c_r, \mathit{ss}) \gets \textsf{Encaps}(\mathit{pk}_{\text{EK}})$}; +\node[note, anchor=west] at (7.2, -6.4) + {$(\rk', \ek_s') \gets \textsf{KDF\_Root}(\rk, \mathit{ss})$}; +\node[note, anchor=west] at (7.2, -7.0) + {$\mathit{pn}, s \gets 0$, pending $\gets \bot$}; + +\draw[msg] (7, -7.6) -- node[above, font=\scriptsize] + {$H_3 = (\mathit{pk}_B,\, c_r,\, 0,\, 0),\ c_3$} (0, -7.6); + +% Alice receives → NewEpoch +\node[note, anchor=east] at (-0.2, -8.3) + {$\mathit{pk}_B \neq \mathit{pk}_r \to$ NewEpoch}; +\node[note, anchor=east] at (-0.2, -8.9) + {$\mathit{ss} \gets \textsf{Decaps}(\mathit{sk}_{\text{EK}}, c_r)$}; +\node[note, anchor=east] at (-0.2, -9.5) + {$(\rk', \ek_r') \gets \textsf{KDF\_Root}(\rk, \mathit{ss})$}; +\node[note, anchor=east] at (-0.2, -10.1) + {$\mathit{prev\_ek_r} \gets \ek_r$, $\mathit{pk}_r \gets \mathit{pk}_B$}; +\node[note, anchor=east] at (-0.2, -10.7) + {pending $\gets \top$ (next send $\to$ KEM step)}; + +% Epoch 2 preview +\node[epoch] at (3.5, -11.4) {Alice's next send $\to$ Epoch 2 (KEM ratchet)}; +\node[note, anchor=east] at (-0.2, -11.9) + {$\textsf{Encaps}(\mathit{pk}_B) \to$ new $\rk'', \ek_s''$}; + +\end{tikzpicture} +\caption{Ratchet direction change. Alice sends two messages in Epoch~0 +(no KEM step). Bob's first reply triggers a KEM ratchet step +(pending~$= \top$): fresh keypair, encapsulate to Alice's $\mathit{pk}_s$, +derive new root and epoch keys. Alice receives the new-epoch message, +decapsulates, rotates $\mathit{prev\_ek_r}$, and sets pending~$= \top$ +for her next send. Each direction change advances the epoch and +introduces fresh KEM randomness.} +\label{fig:ratchet-flow} +\end{figure} + +\subsubsection{Anti-reflection} + +Reflected messages --- where an adversary replays a message from $A +\to B$ back to~$A$ as if it were from $B \to A$ --- are defeated by +directional AAD construction: +\[ +\mathit{aad} = \texttt{"lo-dm-v1"} \| \mathit{fp}_{\text{sender}} \| +\mathit{fp}_{\text{recipient}} \| \mathsf{Encode}(H) +\] +Since $\mathit{fp}_{\text{sender}} \neq \mathit{fp}_{\text{recipient}}$ +(enforced at construction, invariant~(h)), the reversed fingerprint +ordering produces a different AAD and AEAD verification fails. + +\subsection{LO-Auth: Key possession proof}\label{sec:auth} + +LO-Auth provides server-side authentication of a client's identity key +ownership. The server encapsulates to the client's +$\pk_{\text{IK}}[\text{XWing}]$: +$(c, \mathit{ss}) \gets \Encaps(\pk_{\text{IK}}[\text{XWing}])$. +The client decapsulates and returns +$\mathit{proof} = \MAC(\text{key}=\mathit{ss}, +\text{data}=\texttt{"lo-auth-v1"})$. +Challenge single-use is enforced server-side. Under IND-CCA2 and PRF +assumptions, a client who produces a valid proof for a fresh challenge +possesses $\sk_{\text{IK}}[\text{XWing}]$. + +In the composed setting with LO-KEX, LO-Auth sessions provide the +adversary with an interactive decapsulation oracle on the identity key +--- each challenge constitutes one additional CCA2 query. The security +loss is additive in the number of LO-Auth sessions. + +\subsection{LO-Call: Voice/video call encryption}\label{sec:call} + +LO-Call derives call-specific encryption keys with ephemeral forward +secrecy, independent of the ratchet's KEM ratchet cycle. For a call +with identifier $\mathit{call\_id}$: + +\begin{enumerate}[leftmargin=*, itemsep=2pt] +\item Generate ephemeral X-Wing keypair + $(\pk_{\text{eph}}, \sk_{\text{eph}}) \gets \KeyGen()$. + Send $(\mathit{call\_id}, \pk_{\text{eph}})$ to the peer via a + ratchet-encrypted signaling message. +\item Peer encapsulates to the ephemeral public key: + $(c_{\text{eph}}, \mathit{ss}_{\text{eph}}) \gets + \Encaps(\pk_{\text{eph}})$. + Sends $c_{\text{eph}}$ back via a ratchet-encrypted message. + Initiator decapsulates: + $\mathit{ss}_{\text{eph}} \gets \Decaps(\sk_{\text{eph}}, + c_{\text{eph}})$. +\item Both parties derive call keys: + $(\mathit{key}_a, \mathit{key}_b, \mathit{ck}_{\text{call}}) \gets + \KDF_{\text{Call}}(\rk, \mathit{ss}_{\text{eph}}, \mathit{call\_id}, + \mathit{fp}_{\text{lo}}, \mathit{fp}_{\text{hi}})$. +\end{enumerate} + +Intra-call rekeying advances the call chain via +$\KDF_{\text{CallChain}}(\mathit{ck}_{\text{call}})$, producing fresh +send/receive keys and a new chain key; the old chain key is zeroized. +Call keys are independent of ratchet state: the ephemeral keypair and +$\mathit{ss}_{\text{eph}}$ are generated within call setup and zeroized +after HKDF, so $\mathsf{Corrupt}(\text{RatchetState})$ does not reveal +$\mathit{ss}_{\text{eph}}$ (recovering it from $c_{\text{eph}}$ requires +breaking X-Wing). + +\subsection{LO-Stream: Streaming AEAD}\label{sec:stream} + +LO-Stream provides chunked authenticated encryption for bulk data (file +transfer, media) with both sequential and random-access interfaces. Each +stream uses a caller-provided 32-byte key and a random 192-bit base +nonce. + +\subsubsection{Nonce derivation} + +Per-chunk nonces are derived by XOR-ing a mask into the base nonce +(\Cref{fig:stream-nonce}): +\begin{align*} + \mathit{mask} &= \mathsf{BE64}(\mathit{chunk\_index}) \| + \mathit{tag\_byte} \| 0^{15} \\ + \mathit{chunk\_nonce} &= \mathit{base\_nonce} \oplus \mathit{mask} +\end{align*} +where $\mathit{tag\_byte} \in \{\texttt{0x00}, \texttt{0x01}\}$ +indicates non-final or final chunk. Distinct +$(\mathit{chunk\_index}, \mathit{tag\_byte})$ pairs produce distinct +masks, and XOR with a constant is a bijection, so nonce injectivity +within a single stream is unconditional. + +\begin{figure}[t] +\centering +\begin{tikzpicture}[font=\small] + % Mask row + \node[font=\scriptsize\bfseries] at (-1.5, 1.2) {mask}; + \draw (0, 0.8) rectangle (4, 1.6); + \node at (2, 1.2) {\scriptsize chunk\_index (8\,B, BE64)}; + \draw (4, 0.8) rectangle (5, 1.6); + \node at (4.5, 1.2) {\scriptsize tag}; + \draw (5, 0.8) rectangle (9.5, 1.6); + \node at (7.25, 1.2) {\scriptsize $0\!\times\!00 \times 15$ (padding)}; + + % Byte markers + \node[font=\tiny, gray] at (0, 0.6) {0}; + \node[font=\tiny, gray] at (4, 0.6) {8}; + \node[font=\tiny, gray] at (5, 0.6) {9}; + \node[font=\tiny, gray] at (9.5, 0.6) {24}; + + % XOR symbol + \node[font=\large] at (4.75, 0.2) {$\oplus$}; + + % Base nonce row + \node[font=\scriptsize\bfseries] at (-1.5, -0.4) {base\_nonce}; + \draw (0, -0.8) rectangle (9.5, 0); + \node at (4.75, -0.4) {\scriptsize random 24 bytes (public, per-stream)}; + + % Equals + \node[font=\large] at (4.75, -1.2) {$=$}; + + % Result row + \node[font=\scriptsize\bfseries] at (-1.5, -2.0) {chunk\_nonce}; + \draw[thick] (0, -2.4) rectangle (9.5, -1.6); + \node at (4.75, -2.0) {\scriptsize 24-byte XChaCha20-Poly1305 nonce}; +\end{tikzpicture} +\caption{Streaming AEAD nonce derivation (\cref{sec:stream}). The 24-byte mask +encodes the chunk index (8 bytes), finality tag (1 byte: +\texttt{0x00}~non-final, \texttt{0x01}~final), and 15 zero-padding +bytes. XOR with the per-stream random base nonce yields a unique +chunk nonce. Only 9 bytes vary within a stream; the 15 fixed bytes +are load-bearing for cross-stream isolation (birthday bound +$\sim(\sum M_i)^2 / 2^{193}$).} +\label{fig:stream-nonce} +\end{figure} + +\subsubsection{Dual interfaces} + +\textbf{Sequential} ($\mathsf{encrypt\_chunk}$ / +$\mathsf{decrypt\_chunk}$): Stateful --- advances an internal +$\mathit{next\_index}$, enforces ordering by construction (the +decryptor derives the chunk index from its own counter, not from the +wire format), and tracks finalization. + +\textbf{Random-access} ($\mathsf{encrypt\_chunk\_at}$ / +$\mathsf{decrypt\_chunk\_at}$): Stateless --- takes an explicit index, +reads only persistent state (key, base nonce), provides no ordering or +truncation guarantees. Ordering and truncation resistance are caller +obligations in this mode. + +The sequential and random-access decryption interfaces can coexist on +the same stream. The state partition --- linear state +($\mathit{next\_index}$, $\mathit{finalized}$) for sequential, +persistent state (key, base nonce) for random-access --- ensures the +random-access oracle cannot interfere with sequential ordering +properties. + +\subsubsection{AAD construction} + +Each chunk's AAD binds the chunk to its stream, position, finality, and +application context: +\begin{multline*} +\mathit{aad} = \texttt{"lo-stream-v1"} \| \mathit{version} \| +\mathit{flags} \| \mathit{base\_nonce} \| {} \\ +\mathsf{BE64}(\mathit{chunk\_index}) \| \mathit{tag\_byte} \| +\mathit{caller\_aad} +\end{multline*} +The base nonce in the AAD is load-bearing for cross-stream isolation: +different base nonces guarantee distinct AADs at every position, +making any cross-stream ciphertext an unconditional INT-CTXT forgery. + + +% ============================================================================ +% 4. SECURITY MODEL +% ============================================================================ +\section{Security model}\label{sec:security-model} + +\subsection{Adversary model}\label{sec:adversary} + +I adopt a Dolev-Yao network adversary who controls all communication +channels: the adversary can intercept, drop, delay, replay, modify, and +inject messages between any two parties. In addition, the adversary has access +to corruption oracles that model partial compromise, following the +approach of Cohn-Gordon \etal~\cite{cgcd20} and Alwen +\etal~\cite{acd19}. + +\subsubsection{Corruption oracles} + +The adversary may issue the following queries adaptively: + +\begin{itemize}[leftmargin=*, itemsep=3pt] +\item $\mathsf{Corrupt}(\text{IK}, P)$: Reveals the full composite + identity secret key of party~$P$. + +\item $\mathsf{Corrupt}(\text{SPK}, P, \mathit{id})$ / + $\mathsf{Corrupt}(\text{OPK}, P, \mathit{id})$: Reveals the + secret key for the specified pre-key. + +\item $\mathsf{Corrupt}(\text{RatchetState}, P, t)$: Reveals the full + ratchet state~$\Sigma$ at time~$t$, including $\rk$, both epoch keys, + the send ratchet secret key, $\mathit{prev\_ek_r}$, and all counters. + +\item $\mathsf{Corrupt}(\text{CallKeys}, P, \mathit{call\_id})$: + Reveals call keys for a specific call. + +\item $\mathsf{Corrupt}(\text{StreamKey}, P, \mathit{stream\_id})$: + Reveals the stream key for a specific streaming AEAD instance. + +\item $\mathsf{Corrupt}(\text{RNG}, P, t)$: Reveals all randomness + generated by party~$P$ at time~$t$. +\end{itemize} + +Corruption queries are temporally parameterized where relevant, +enabling fine-grained modeling of partial compromise. + +\subsection{Freshness predicates}\label{sec:freshness} + +Each theorem's security claim is conditional on a freshness predicate +defining the adversary class for which the claim holds. + +\subsubsection{LO-KEX freshness} + +A session key is fresh if the adversary has not obtained all of +$\{\sk_{\text{IK}_B}[\text{XWing}], \sk_{\text{SPK}_B}, +\sk_{\text{OPK}_B}\}$ (OPK-present case), has not issued +$\mathsf{Corrupt}(\text{RNG}, A, t)$ at the session establishment +epoch, and has not issued $\mathsf{Corrupt}(\text{RatchetState}, P, t)$ +at or after the establishment epoch for either party (which would +directly reveal $\rk$ and $\ek$). The OPK-absent case has a weaker +corruption threshold: $\sk_{\text{IK}_B}[\text{XWing}]$ and +$\sk_{\text{SPK}_B}$ together suffice to derive the session key. + +\subsubsection{LO-Ratchet freshness (F1--F4)} + +A message key at epoch~$e$ is fresh if all of the following hold: + +\begin{itemize}[leftmargin=*, itemsep=2pt] +\item[\textbf{F1.}] No $\mathsf{Corrupt}(\text{RatchetState}, P, t)$ + covers epoch~$e$ (epoch key not directly revealed). + +\item[\textbf{F2.}] If $\mathsf{Corrupt}(\text{RatchetState}, P, t_c)$ + was issued for any $t_c$ before the target epoch, then at least one + KEM ratchet step between $t_c$ and the target epoch --- the + \emph{recovery step}~$t_r$ --- executed with uncompromised + encapsulator randomness (no + $\mathsf{Corrupt}(\text{RNG}, \text{encapsulator}, t)$ at that step). + Absent any prior corruption, F2 is vacuously satisfied. + +\item[\textbf{F3.}] The decapsulator's ratchet state was uncompromised + at $t_r$ and all preceding steps between $t_c$ and $t_r$: no + $\mathsf{Corrupt}(\text{RatchetState},$ $\text{decapsulator}, t)$ + covers those positions. + +\item[\textbf{F4.}] The decapsulator's ratchet keypair encapsulated to + at $t_r$ was generated without + $\mathsf{Corrupt}(\text{RNG},$ $\text{decapsulator}, + t_{\text{keygen}})$ at its generation epoch --- otherwise the + adversary holds $\sk_s$ and can compute the KEM shared secret from + the public ciphertext. +\end{itemize} + +All four conditions are conjunctive. In the absence of any +$\mathsf{Corrupt}(\text{RatchetState})$ before the target epoch, F2--F4 +are vacuously satisfied and freshness reduces to F1 alone. F1--F4 are +syntactic (query-based) predicates, not semantic (knowledge-based) --- +the gap is bridged by the IND-CCA2 reduction embedding its challenge at +the recovery step~\cite{acd19}. + +\subsubsection{Other freshness conditions} + +LO-Auth requires no $\mathsf{Corrupt}(\text{IK})$ on the client and +no $\mathsf{Corrupt}(\text{RNG})$ at the challenge epoch. +LO-Call requires $\rk$ freshness, uncompromised ephemeral RNG, and no +$\mathsf{Corrupt}(\text{CallKeys})$. +LO-Stream requires no $\mathsf{Corrupt}(\text{StreamKey})$ and no +$\mathsf{Corrupt}(\text{RNG})$ at base nonce generation. Stream keys +are independent of ratchet state by construction. + +\subsection{Assumptions}\label{sec:assumptions} + +All primitive operations are total except $\Verify$ and $\AEAD.\Dec$. +$\Decaps$ is total due to ML-KEM's implicit rejection. The following +security properties are assumed: X-Wing IND-CCA2~\cite{xwing}, +HybridSig EUF-CMA, HMAC-SHA3-256 PRF~\cite{bellare06}, HKDF dual-PRF +and extractor~\cite{krawczyk10}, XChaCha20-Poly1305 IND-CPA + INT-CTXT. +No novel assumptions are introduced. + +XChaCha20-Poly1305 does \textbf{not} provide key commitment. This is +not a concern: epoch identification selects a single key before +decryption, and streaming AEAD uses a single caller-provided key. + +\subsection{Out of scope}\label{sec:out-of-scope} + +\textbf{Deniability}: Not claimed. KEM ciphertexts and signatures are +attributable~\cite{fiedler-janson24}. \textbf{Group messaging}: +Strictly two-party. \textbf{Traffic analysis}: Message sizes, timing, +and epoch structure are observable. \textbf{Endpoint security}: Not +modeled. \textbf{Side channels}: Generally out of scope, except that +constant-time signature verification is a normative requirement. + + +% ============================================================================ +% 5. SECURITY ANALYSIS +% ============================================================================ +\section{Security analysis}\label{sec:security} + +This section presents the 13 security theorems. Full game definitions +and detailed proof sketches are in the companion formal +analysis~\cite{soliton-analysis}; I present theorem statements, +reduction targets, and key proof ideas. + +\subsection{Session establishment (Theorems 1--2)} + +\begin{theorem}[LO-KEX Session Key Secrecy]\label{thm:kex-secrecy} +For sessions established between $A$ and $B$, if the session key is +fresh, no PPT adversary can distinguish it from uniform with +non-negligible advantage. Reduces to X-Wing IND-CCA2 + HKDF extractor. +In the composed setting with LO-Auth, each authentication session adds +one CCA2 oracle query; the loss is additive. +\end{theorem} + +\begin{theorem}[LO-KEX Mutual Authentication]\label{thm:kex-auth} +\leavevmode +\begin{enumerate}[label=(\alph*), leftmargin=*, itemsep=2pt] +\item \emph{Recipient authentication}: If $A$ completes LO-KEX with + $B$'s verified bundle and obtains a fresh session key, then $B$ + possesses $\sk_{\text{IK}_B}$. Binding is implicit (KEM + decapsulability) and explicit ($\mathit{fp}_{\text{IK}_B}$ in + $\sigma_{\text{SI}}$). Reduces to X-Wing IND-CCA2 + HybridSig + EUF-CMA. + +\item \emph{Initiator authentication}: Verification of + $\sigma_{\text{SI}}$ proves $A$ possesses $\sk_{\text{IK}_A}$. + Reduces to HybridSig EUF-CMA. + +\end{enumerate} +\end{theorem} + +\begin{claim}[Key Confirmation]\label{claim:key-confirm} +Key confirmation is asymmetric and deferred to the ratchet layer +(not mechanically verified; see \cref{sec:limitations}): +\begin{enumerate}[label=(\alph*), start=3, leftmargin=*, itemsep=2pt] +\item \emph{$A \to B$}: $A$ obtains key confirmation of~$B$ only when + $B$'s first ratchet reply decrypts successfully --- requiring a + round trip. Reduces to XChaCha20-Poly1305 INT-CTXT + Theorem~1. +\item \emph{$B \to A$}: $B$ obtains key confirmation of~$A$ immediately + upon decrypting the first message (successful AEAD decryption proves + $A$ holds $\mk_0$, therefore $\ek$, therefore the same session key). + Reduces to XChaCha20-Poly1305 INT-CTXT + Theorem~1. +\end{enumerate} +This asymmetry is inherent to asynchronous establishment. +\end{claim} + +\subsection{Ratchet security (Theorems 3--5)} + +\begin{theorem}[Message Secrecy]\label{thm:msg-secrecy} +If the message key is fresh (F1--F4), no PPT adversary can distinguish +the plaintext from random. +\end{theorem} + +\begin{proofsketch} +The reduction proceeds in three stages. First, the IND-CCA2 challenger +for X-Wing is embedded at the KEM ratchet step establishing the target +epoch; the resulting shared secret is replaced with a uniformly random +value (cost: $P_{\text{kem}}$). Second, the HKDF extractor property +ensures that $\KDF_{\text{Root}}(\rk, \mathit{ss})$ with random +$\mathit{ss}$ produces outputs $(\rk', \ek)$ indistinguishable from +uniform (cost: $P_{\text{prf}}$). Third, the epoch key $\ek$ is used as +a PRF key in $\KDF_{\text{MsgKey}}$; the PRF guarantee yields a message +key $\mk$ indistinguishable from random (cost: $P_{\text{prf}}$), under +which the AEAD ciphertext is IND-CPA secure. Nonce uniqueness --- +depending on fork prevention, $\mathit{min\_epoch}$ integrity, counter +exhaustion guards, and counter retirement at session init --- ensures +the AEAD reduction is sound. +\end{proofsketch} + +\begin{theorem}[Forward Secrecy]\label{thm:fs} +Per-epoch, with a two-step receive-side delay: +\begin{enumerate}[label=(\alph*), leftmargin=*, itemsep=2pt] +\item \emph{Send-side}: One KEM ratchet step suffices ($\ek_s$ + overwritten directly). +\item \emph{Receive-side}: One step is insufficient + ($\mathit{prev\_ek_r}$ retains the old key); two steps suffice + ($\mathit{prev\_ek_r}$ overwritten). +\end{enumerate} +Reduces to HKDF one-wayness + X-Wing IND-CCA2. +\end{theorem} + +\begin{theorem}[Post-Compromise Security]\label{thm:pcs} +After $\mathsf{Corrupt}(\text{RatchetState}, P, t_c)$, if F1--F4 hold +for a recovery step $t_r > t_c$, message keys after~$t_r$ are fresh. +\end{theorem} + +\begin{proofsketch} +After corruption at $t_c$, the adversary can forward-derive ratchet +state through epochs where it holds the decapsulator's secret key +$\sk_s$ (obtained from the corrupted state or from a KEM step it can +invert). This derivation chain terminates at the first step~$t_r$ where +$\sk_s$ was generated with uncompromised RNG (F4): the adversary cannot +compute $\mathit{ss}' = \Decaps(\sk_{s_{t_r}}, c_{\text{ratchet}})$ +because $\sk_{s_{t_r}}$ is unknown. The IND-CCA2 reduction embeds its +challenge at this step, replacing $\mathit{ss}'$ with a uniformly random +value. From $\KDF_{\text{Root}}(\rk, \mathit{ss}')$, the output +$(\rk', \ek)$ is indistinguishable from uniform by the HKDF extractor +property. Recovery requires two direction changes in the worst case: +the first fails because the adversary holds the compromised party's +$\sk_s$; the second succeeds because the compromised party generates a +fresh keypair and encapsulates to the peer's post-compromise public key. +F4 prevents chain-injection attacks where the adversary substitutes +controlled public keys to extend compromise indefinitely. +\end{proofsketch} + +\subsection{Authentication and domain separation (Theorems 6--7)} + +\begin{theorem}[Auth Key Possession]\label{thm:auth} +Under active attack (Dolev-Yao channel), where the adversary may modify +or replay challenges, interleave LO-Auth sessions with LO-KEX sessions +(obtaining additional $\Decaps$ oracle queries on +$\sk_{\text{IK}}[\text{XWing}]$), and relay challenges across sessions: +if $\mathsf{auth\_verify}(\mathit{expected\_token}, \mathit{proof})$ +returns true for a fresh challenge, the client possesses +$\sk_{\text{IK}}[\text{XWing}]$. Reduces to X-Wing IND-CCA2 + +HMAC-SHA3-256 PRF. +\end{theorem} + +\begin{theorem}[Domain Separation]\label{thm:domain-sep} +No output from one protocol component is valid in another. Follows from +disjoint labels and non-overlapping AAD prefixes. An Encode disjointness +sub-lemma establishes a minimum 1196-byte gap between session-init and +ratchet-message encodings. +\end{theorem} + +\subsection{Call security (Theorems 8--11)} + +\begin{theorem}[Call Key Secrecy]\label{thm:call-secrecy} +Fresh call keys are indistinguishable from random. Reduces to X-Wing +IND-CCA2 + HKDF extractor. +\end{theorem} + +\begin{theorem}[Intra-Call Forward Secrecy]\label{thm:call-fs} +Call chain advance is one-way. Reduces to HMAC-SHA3-256 PRF. +\end{theorem} + +\begin{theorem}[Call/Ratchet Independence]\label{thm:call-ratchet} +$\mathsf{Corrupt}(\text{CallKeys})$ does not violate ratchet secrecy; +$\mathsf{Corrupt}(\text{RatchetState})$ after call derivation does not +reveal call keys. +\end{theorem} + +\begin{proofsketch} +The ephemeral keypair $(\pk_{\text{eph}}, \sk_{\text{eph}})$ and shared +secret $\mathit{ss}_{\text{eph}}$ are generated within call setup and +zeroized after HKDF --- they are not part of the ratchet state~$\Sigma$. +Therefore $\mathsf{Corrupt}(\text{RatchetState})$ does not yield +$\mathit{ss}_{\text{eph}}$; recovering it from the public +$c_{\text{eph}}$ requires breaking X-Wing IND-CCA2. The dual-use of +$\rk$ as HKDF salt in both $\KDF_{\text{Root}}$ (ratchet) and +$\KDF_{\text{Call}}$ (call) is safe via a hybrid argument: under the +dual-PRF assumption, $\HKDF$-Extract produces a pseudorandom PRK, and +$\HKDF$-Expand keyed by PRK with distinct info strings +(\texttt{"lo-ratchet-v1"} vs \texttt{"lo-call-v1"}) produces +independent outputs by the PRF guarantee. Security loss is additive +(one PRF advantage term per HKDF invocation sharing the same salt). +\end{proofsketch} + +\begin{theorem}[Concurrent Call Independence]\label{thm:concurrent} +Calls with distinct $\mathit{call\_id}$ values under the same~$\rk$ +have jointly independent keys. Security loss is additive. +\end{theorem} + +\subsection{Anti-reflection and streaming (Theorems 12--13)} + +\begin{theorem}[Anti-Reflection]\label{thm:anti-reflect} +Reflected messages fail AEAD verification. Reduces to INT-CTXT under +invariant~(h). +\end{theorem} + +\begin{theorem}[Streaming AEAD Chunk Security]\label{thm:stream} +For a stream with fresh key and fresh base nonce: +\begin{enumerate}[label=\textbf{P\arabic*.}, leftmargin=*, itemsep=2pt] +\item \textbf{Confidentiality} (IND-CPA): Per-chunk indistinguishability. + Aggregate advantage $Q \times \Adv_{\text{IND-CPA}}$, giving + ${\approx}128 - \log_2(Q)$ effective bits. +\item \textbf{Integrity} (INT-CTXT): No forgery. No $Q$-factor loss. +\item \textbf{Ordering}: Mismatched sequential position causes nonce + mismatch and AEAD failure. +\item \textbf{No false finalization}: $\mathit{tag\_byte}$ in both + nonce and AAD prevents finality confusion. +\item \textbf{Cross-stream isolation}: Different $\mathit{base\_nonce}$ + guarantees different AADs unconditionally. +\end{enumerate} +\end{theorem} + +\noindent\textbf{Non-goal}: No forward secrecy claim. +$\mathsf{Corrupt}(\text{StreamKey})$ retroactively compromises all +chunks. + +\subsection{Concrete security bounds}\label{sec:bounds} + +The CryptoVerif models yield the following bounds (simplified; full +expressions in \Cref{app:cryptoverif}): + +\begin{center} +\small +\begin{tabular}{@{} l l @{}} +\toprule +\textbf{Theorem} & \textbf{Bound} \\ +\midrule +1 (KEX Secrecy) & $2P_{\text{prf}} + 2P_{\text{kem}}^{\text{ik}} + + 2P_{\text{kem}}^{\text{spk}} + 2P_{\text{kem}}^{\text{opk}} + + \text{coll.}$ \\ +2b (Initiator Auth) & $P_{\text{sig}}$ \\ +3 (Message Secrecy) & $2P_{\text{prf}}$ \\ +6 (Auth) & $N_s \cdot P_{\text{mac}} + P_{\text{kem}}$ \\ +13 P1 (IND-CPA) & $2P_{\text{ctxt}} + 2P_{\text{cpa}}(t, N_{\text{enc}})$ \\ +13 P2 (INT-CTXT) & $P_{\text{ctxt}}$ \\ +\bottomrule +\end{tabular} +\end{center} + +\noindent Theorem~3's $2P_{\text{prf}}$ assumes a fresh epoch key +(\emph{epoch key freshness assumption}): $\ek$ is indistinguishable from +uniform, which follows from Theorem~1 at session establishment and from +the KDF\_Root output independence lemma at each subsequent KEM ratchet +step (HKDF-Expand with a pseudorandom PRK produces independent 32-byte +blocks under the PRF assumption). The multi-epoch bound is additive: +each epoch contributes one $2P_{\text{prf}}$ term, and epoch keys are +pairwise independent by the cross-epoch key independence corollary. +This composition is not mechanically end-to-end verified. +Theorem~13 P2 has no $Q$-factor (direct reduction). For multi-stream +nonce uniqueness: probability $\geq 1 - (\sum M_i)^2 / 2^{193}$. + +\subsection{Composition argument}\label{sec:composition} + +A full mechanized composition theorem (showing all 13~security properties hold +simultaneously under compound corruption) remains open +(\Cref{sec:limitations}). However, composed security follows from the +individual theorems via three structural properties. + +First, \textbf{domain separation} (Theorem~\ref{thm:domain-sep}): +disjoint HKDF info strings and AAD prefixes ensure that no output from +one sub-protocol is valid in another. An adversary who obtains, for +example, a call chain key cannot use it to forge a ratchet message --- +the HMAC domain bytes are disjoint (\texttt{0x01} for ratchet, +\texttt{0x04}--\texttt{0x06} for calls), and the primary separation is +by key: $\KDF_{\text{MsgKey}}$ and $\KDF_{\text{CallChain}}$ operate on +independent HMAC keys. + +Second, \textbf{independent key material}: each sub-protocol derives its +keys from independent sources. Call keys depend on an ephemeral KEM +shared secret $\mathit{ss}_{\text{eph}}$ that is not part of~$\Sigma$ +(Theorem~\ref{thm:call-ratchet}). Stream keys are caller-provided and +independent of ratchet state by construction. The LO-Auth token depends +on a fresh KEM challenge, not on ratchet material. Cross-component +corruption therefore does not create transitive compromise paths beyond +those already captured by the individual freshness predicates. + +Third, \textbf{additive security loss}: the pairwise composition results +(KEX$\to$Ratchet via the $\KDF_{\text{Root}}$ output independence lemma; +Ratchet$\to$Call via Theorem~\ref{thm:call-ratchet}'s dual-PRF argument) +show that the combined security loss is additive across protocol layers, +not multiplicative. The remaining gap --- verifying that compound +corruption schedules spanning all three layers do not create interference +between these pairwise arguments --- is explicitly identified as an open +research direction. + + +% ============================================================================ +% 6. FORMAL VERIFICATION +% ============================================================================ +\section{Formal verification}\label{sec:verification} + +All models are machine-checkable and published in the project +repository~\cite{soliton-repo}. Independent verification is encouraged. + +\subsection{Symbolic verification (Tamarin)}\label{sec:tamarin} + +Eight Tamarin models verify 55~lemmas covering Theorems~1--2, 4--6, +8--13. All complete in under 90~seconds total with under 2~GB peak RAM, +achieved through bounded unrolling (3--4 steps) and unique fact names. + +\begin{table}[H] +\centering +\caption{Tamarin model summary. \emph{f} = falsified (expected).} +\label{tab:tamarin-summary} +\small +\begin{tabular}{@{} l c c l @{}} +\toprule +\textbf{Model} & \textbf{Lemmas} & \textbf{Theorems} & + \textbf{Key results} \\ +\midrule +LO\_KEX & 9 & 1, 2a, 2b & + Session key secrecy, authentication \\ +LO\_Ratchet & 9 & 4, 5 & + FS (structural); recv\_fs\_1step \emph{f} \\ +LO\_Ratchet\_PCS & 5 & 5 & + KEM-level PCS recovery \\ +LO\_Auth & 7 & 6 & + Key possession correspondence \\ +LO\_Call & 6 & 8--11 & + Call key secrecy, independence \\ +LO\_AntiReflection & 2 & 12 & + AAD direction binding \\ +LO\_Stream & 7 & 13 P2--P5 & + Integrity, ordering, isolation \\ +LO\_NegativeTests & 10 & --- & + 10 expected attack paths confirmed \\ +\bottomrule +\end{tabular} +\end{table} + +\paragraph{Negative tests.} +Ten lemmas confirm known attack paths (IK corruption forges auth, +zero-step corruption reveals epoch key, etc.). All produce expected +results. If any were to flip, it would indicate a modeling error. + +\paragraph{Scope.} +X-Wing is a black-box IND-CCA2 KEM. Chains bounded to 3--4 steps. KEX +models OPK-present only. Theorem~7 is vacuously true (string constants +are structurally distinct). Theorem~3 is computational (CryptoVerif). + +\subsection{Computational verification (CryptoVerif)}\label{sec:cryptoverif} + +Five models prove concrete bounds for Theorems~1, 2b, 3, 6, and +13~(P1+P2), completing in under 5~seconds total. + +\begin{table}[H] +\centering +\caption{CryptoVerif model summary.} +\label{tab:cv-summary} +\small +\begin{tabular}{@{} l l l @{}} +\toprule +\textbf{Model} & \textbf{Theorem} & \textbf{What is proved} \\ +\midrule +LO\_KEX\_Secrecy & 1 & $\rk$ indistinguishable from random \\ +LO\_KEX & 2b & $\sigma_{\text{SI}}$ authentication (EUF-CMA) \\ +LO\_Ratchet\_MsgSecrecy & 3 & $\mk$ indistinguishable from random \\ +LO\_Auth & 6 & Correspondence + injective \\ +LO\_Stream\_Secrecy & 13 P1+P2 & Bit secrecy + INT-CTXT \\ +\bottomrule +\end{tabular} +\end{table} + +\paragraph{Scope.} +No corruption oracles (Tamarin covers these). X-Wing as monolithic +IND-CCA2. Simplified KDF info binding. Single-epoch assumption for +Theorem~3. No Theorem~2c/2d. Streaming model adapted from CryptoVerif's +TLS~1.3 Record Protocol example. + +\subsection{Coverage analysis}\label{sec:coverage} + +\begin{table}[H] +\centering +\caption{Theorem coverage by verification tool.} +\label{tab:coverage} +\small +\begin{tabular}{@{} c l c c @{}} +\toprule +\textbf{Thm} & \textbf{Property} & \textbf{Tamarin} & \textbf{CV} \\ +\midrule +1 & KEX Key Secrecy & \checkmark & \checkmark \\ +2a & Recipient Auth & \checkmark & --- \\ +2b & Initiator Auth & \checkmark & \checkmark \\ +2c/d & Key Confirmation & --- & --- \\ +3 & Message Secrecy & --- & \checkmark \\ +4 & Forward Secrecy & \checkmark & --- \\ +5 & PCS & \checkmark & --- \\ +6 & Auth Key Possession & \checkmark & \checkmark \\ +7 & Domain Separation & (vacuous) & --- \\ +8 & Call Key Secrecy & \checkmark & --- \\ +9 & Intra-Call FS & \checkmark & --- \\ +10 & Call/Ratchet Indep. & \checkmark & --- \\ +11 & Concurrent Calls & \checkmark & --- \\ +12 & Anti-Reflection & \checkmark & --- \\ +13 & Streaming AEAD & \checkmark\,(P2--5) & \checkmark\,(P1+2) \\ +\bottomrule +\end{tabular} +\end{table} + +\subsection{Reproducibility}\label{sec:reproducibility} + +All models verified with Tamarin~1.12.0 (Maude~3.5.1) and +CryptoVerif~2.12: + +\begin{verbatim} +../verify.sh tamarin # all 8 Tamarin models +CV_LIB=/path/to/pq ../verify.sh cryptoverif # all 5 CV models +\end{verbatim} + + +% ============================================================================ +% 7. IMPLEMENTATION +% ============================================================================ +\section{Implementation}\label{sec:implementation} + +\subsection{Architecture} + +The reference implementation, \texttt{libsoliton}, is a pure Rust +library with no C~toolchain dependency. Binding layers are provided for +C~ABI (\texttt{cbindgen}), Python (PyO3), WASM (wasm-bindgen), and Zig +(\texttt{@cImport}). Sensitive key material is protected via +\texttt{ZeroizeOnDrop}. Fork prevention is enforced by destructive +serialization, and an anti-rollback counter prevents state replay. + +\subsection{Performance}\label{sec:performance} + +\begin{table}[H] +\centering +\caption{Representative benchmarks (\texttt{cargo +nightly bench}).} +\label{tab:bench} +\small +\begin{tabular}{@{} l r r r @{}} +\toprule +\textbf{Operation} & + \textbf{x86-64} & \textbf{aarch64} & \textbf{riscv64} \\ + & \small{Zen\,4, 5.1\,GHz} & + \small{A76, 2.4\,GHz} & + \small{U74, 1.5\,GHz} \\ +\midrule +Ratchet encrypt (same epoch) & 4.3\,$\mu$s & 7.2\,$\mu$s & 47.6\,$\mu$s \\ +Ratchet decrypt (same epoch) & 6.2\,$\mu$s & 10.1\,$\mu$s & 67.5\,$\mu$s \\ +Encrypt (direction change) & 182\,$\mu$s & 651\,$\mu$s & 2.46\,ms \\ +Decrypt (direction change) & 127\,$\mu$s & 473\,$\mu$s & 1.76\,ms \\ +Session initiate & 1.41\,ms & 3.95\,ms & 17.1\,ms \\ +Session receive & 585\,$\mu$s & 1.88\,ms & 7.70\,ms \\ +Hybrid sign & 988\,$\mu$s & 2.85\,ms & 10.6\,ms \\ +Hybrid verify & 254\,$\mu$s & 794\,$\mu$s & 3.31\,ms \\ +Stream encrypt 1\,MiB & 537\,$\mu$s & 3.96\,ms & 31.0\,ms \\ +Stream 4\,MiB (parallel, 4 cores) & 867\,$\mu$s & 5.35\,ms & 33.0\,ms \\ +\bottomrule +\end{tabular} +\end{table} + +\noindent Per-message latency is 4.3\,$\mu$s on desktop (same epoch). +Direction changes are ${\sim}40\times$ slower due to X-Wing keygen + +encapsulation. Streaming AEAD achieves 1.95\,GB/s sequential and +4.61\,GB/s parallel on desktop. ML-DSA-65 and SHA3-256 lack SIMD in +current RustCrypto crates; these numbers will improve. + +\subsection{Testing and fuzzing}\label{sec:testing} + +956~tests across all binding layers (488~core unit, 61~integration, +287~CAPI, 49~Python, 35~Zig, 36~WASM), plus 36~fuzz targets with a +165,540-entry corpus (883\,MB). A 24-hour campaign on a 32-vCPU server +executed 574.6~billion iterations with zero crashes, timeouts, or OOM +events. The 31~active targets achieve 172--12,714 libFuzzer edge +coverage features per target (median ${\sim}1{,}100$); the +state-machine fuzzer covers 12,714~features across full cryptographic +sessions with up to 200~actions per execution. 455~tests run under MIRI +for undefined-behavior detection. 27~KAT vectors +cross-validate against the specification~\cite{soliton-spec}. + +\subsection{License} + +\texttt{libsoliton} is released under AGPL-3.0-only. Applications using +the library in a network service must release their source code. Users +should evaluate this constraint before adoption. + + +% ============================================================================ +% 8. DESIGN RATIONALE +% ============================================================================ +\section{Design rationale}\label{sec:rationale} + +\subsection{Counter-mode vs.\ chain-mode key derivation} + +The standard double ratchet derives message keys by iterating a +symmetric ratchet: $\mathit{ck}_{i+1}, \mk_i = \KDF(\mathit{ck}_i)$. +Decrypting message~$n$ requires $n$~iterations or a skip cache. +Soliton uses $\mk_i = \MAC(\ek, \texttt{0x01} \| \mathsf{BE32}(i))$ +--- $O(1)$ derivation with no skip cache. The trade-off: forward +secrecy drops from per-message to per-epoch. This is acceptable because +$\ek$ and $\rk$ share the same memory and compromise granularity --- +an adversary who reads $\ek$ can also read $\rk$, which is strictly +more damaging. Per-message chain advancement provides limited practical benefit +under this deployment assumption, where the chain key shares a trust +domain with the root key. + +\subsection{Unified X-Wing vs.\ parallel ratchets} + +Signal's SPQR~\cite{signal-spqr} (based on~\cite{djkps25}) runs two independent ratchets +and combines their outputs, providing a compositional guarantee: if +either is secure, the combined output is secure. Soliton uses a single +X-Wing ratchet that inherently combines X25519 and ML-KEM-768. The +trade-off: if X-Wing's combiner had a subtle flaw causing component +interference, both would fail together. I consider this acceptable given +X-Wing's published analysis~\cite{xwing} and the simplicity benefit --- +one ratchet state, one KEM operation per direction change, one code +path. + +A consequence of KEM-based ratcheting (whether unified or parallel) is +\textbf{single-sided freshness}: only the encapsulator contributes +fresh randomness to the KEM shared secret, whereas a DH ratchet step +has both parties contributing symmetrically. This means post-compromise +recovery requires two direction changes in the worst case +(Theorem~\ref{thm:pcs}), compared to one for DH ratchets. This is an +inherent property of all KEM-based ratchet designs~\cite{acd19}, not +specific to Soliton. + +\subsection{Post-quantum authentication} + +All deployed PQ messaging retains classical-only authentication. A +quantum adversary breaking the signature scheme can forge session +initiations. Soliton's hybrid scheme ensures authentication survives if +either component is secure. + +\paragraph{Why \texttt{sign\_internal}, not the FIPS~204 public API.} +Soliton uses \texttt{sign\_internal} (FIPS~204 \S6.2) rather than the +external \texttt{ML-DSA.Sign} wrapper (\S5.2) for two reasons. +First, \texttt{sign\_internal} accepts the \texttt{rnd} parameter +directly, enabling hedged signing with 32~bytes of fresh +\texttt{getrandom} entropy per call --- providing fault-injection +resistance that deterministic signing lacks. Second, the \S5.2 +public API unconditionally prepends a \texttt{0x00} domain separator +byte and context string \emph{even when the context is empty}: +$\texttt{Sign}(\sk, \texttt{""}, m)$ signs +$\texttt{0x00} \| \texttt{0x00} \| m$, not~$m$. Passing an empty +context is therefore \emph{not} equivalent to calling +\texttt{sign\_internal} --- it changes the signed message. Since +Soliton handles domain separation at the protocol level (unique +per-context labels in every signed payload), the \S5.2 wrapper's +domain separator is redundant and would require all reimplementers +to match the exact wrapping behavior. + +\paragraph{FIPS-mode deployment.} +This choice makes Soliton ML-DSA-65 signatures incompatible with +standalone FIPS~204-conformant verifiers (and vice versa). +Deployments subject to FIPS~140 or FIPS~204 compliance requirements +cannot use Soliton signatures in their current form. If a future +NIST policy restricts access to \texttt{sign\_internal}, migrating +to the \S5.2 interface requires a protocol version bump +(\texttt{lo-crypto-v2}), updated test vectors, and adjusting the +signed payload to account for the prepended domain separator --- +but no structural redesign. + +\subsection{Deniability trade-off} + +Soliton's session-init signature $\sigma_{\text{SI}}$ is transferable +proof that Alice initiated the session --- a deliberate departure from +Signal's X3DH, which achieves deniability through DH-based key +agreement (no signatures on session initiation). KEM-based protocols +inherently struggle with deniability: the encapsulator produces a +unique ciphertext that constitutes a cryptographic receipt, and the +hybrid signature makes this explicit. Fiedler and +Janson~\cite{fiedler-janson24} characterize this as a fundamental +tension in KEM-based handshakes. + +For Soliton's target deployment (a private communications platform +where users authenticate via identity keys stored on their devices), +transferable authentication is acceptable --- and arguably desirable, +as it simplifies the trust model. Deniability would require either a +designated-verifier signature scheme (adding complexity and a new +cryptographic assumption) or ring-signature--based constructions +(substantial overhead with PQ ring signatures). Neither is pursued in +v1; the trade-off is explicit. + + +% ============================================================================ +% 9. RELATED WORK +% ============================================================================ +\section{Related work}\label{sec:related} + +\Cref{tab:comparison} compares Soliton with deployed PQ messaging +protocols across key dimensions. Per-message overhead reflects the +ratchet header transmitted with each message; session establishment +overhead reflects the initial handshake. + +\begin{table}[!htbp] +\centering +\caption{Comparison with deployed post-quantum messaging protocols.} +\label{tab:comparison} +\small +\setlength{\tabcolsep}{3.5pt} +\begin{tabular}{@{} l c c c c @{}} +\toprule +& \textbf{Soliton} & \textbf{Signal} & \textbf{Signal} & \textbf{Apple} \\ +& & \textbf{PQXDH} & \textbf{SPQR} & \textbf{PQ3} \\ +\midrule +PQ key exchange & \checkmark & \checkmark & \checkmark & \checkmark \\ +PQ ratchet & \checkmark & --- & \checkmark & Periodic \\ +PQ authentication & \checkmark & --- & --- & --- \\ +Ratchet type & KEM & DH & DH+KEM & ECDH+KEM \\ +\midrule +Header (no KEM step) & 1225\,B & 33\,B & 33\,B & 33\,B \\ +Header (KEM step) & 2347\,B & 33\,B & ${\sim}75$\,B & 1125\,B \\ +Session init & 4669\,B & ${\sim}4$\,KB & ${\sim}4$\,KB & --- \\ +\midrule +Formal verif.\ tool(s) & Tam.+CV & PV+CV & --- & Tamarin \\ +Formal verif.\ scope & Full & KEX & --- & KEX+Ratchet \\ +Theorems/lemmas & 13/55 & ${\sim}$8 & --- & ${\sim}$15--30 \\ +\midrule +Deniability & --- & ---$^{\dagger}$ & ---$^{\dagger}$ & --- \\ +Per-message FS & Per-epoch & Per-msg & Per-msg & Per-msg \\ +\bottomrule +\end{tabular} + +\smallskip +{\scriptsize $^{\dagger}$PQXDH and SPQR lose X3DH's full deniability +guarantees~\cite{fiedler-janson24} (KEM ciphertexts are attributable), +but retain weaker deniability than Soliton: they do not place explicit +signatures on session initiation. Soliton's $\sigma_{\text{SI}}$ is +transferable proof of initiation.} +\end{table} + +\noindent Soliton's per-message overhead (1225--2347~bytes) is +substantially larger than Signal's (33~bytes) due to the 1216-byte +X-Wing public key transmitted in every ratchet header. This is the +fundamental bandwidth cost of a KEM-based ratchet: unlike DH, where the +public key is 32~bytes, X-Wing public keys are 38$\times$ larger. SPQR +amortizes this via erasure-coded chunking of ML-KEM keys across +messages, achieving ${\sim}75$-byte per-message overhead at the cost of +requiring multiple messages for a complete KEM ratchet step. Soliton +does not amortize; each direction change is self-contained in a single +message. In practice, the 1225-byte overhead is modest relative to +typical network traffic --- modern web requests routinely transmit +tens of kilobytes of metadata per interaction, and mobile messaging +payloads (including media thumbnails, typing indicators, and delivery +receipts) dwarf the ratchet header. The overhead is significant +primarily for extremely constrained links or high-frequency +machine-to-machine messaging, neither of which is the target +deployment. The Auerbach \etal VulM framework~\cite{adjks25} provides +a rigorous methodology for quantifying these trade-offs under +realistic messaging patterns; applying it to Soliton is future work. + +\subsection{Post-quantum key exchange for messaging} + +Signal introduced PQXDH~\cite{signal-pqxdh} in 2023, adding ML-KEM to +X3DH while retaining classical DH. Bhargavan +\etal~\cite{bjks24} provided formal verification (USENIX Security 2024). +Fiedler and Janson~\cite{fiedler-janson24} showed PQXDH loses X3DH's +deniability guarantees. Hashimoto \etal~\cite{hks22} gave the first +efficient generic PQ~X3DH construction. Brendel \etal~\cite{bfg20} +introduced split KEMs. Apple deployed PQ3~\cite{apple-pq3} with periodic +KEM rekeying; Linker \etal~\cite{lsb25} provided a Tamarin analysis +(USENIX Security 2025). + +\subsection{KEM-based ratcheting} + +Alwen \etal~\cite{acd19} decomposed the double ratchet into CKA, +FS-AEAD, and PRF-PRNGs, showing CKA from any KEM (EUROCRYPT 2019). +Signal's SPQR~\cite{djkps25} introduced Katana, a novel RKEM with +${\sim}40\%$ size savings (EUROCRYPT 2025). Auerbach +\etal~\cite{adjks25} introduced the VulM metric for comparing PQ +ratchet protocols (USENIX Security 2025). Cremers +\etal~\cite{cmn25} proved PCS impossibility results (IEEE S\&P 2025). + +\subsection{X-Wing and hybrid KEMs} + +Barbosa \etal~\cite{xwing} proved X-Wing IND-CCA2 (IACR CiC 2024). The +IETF draft progressed to draft-10~\cite{xwing-ietf}. Follow-up work +examined broader applicability~\cite{starfighters25}, +anonymity~\cite{bp26}, and public context +requirements~\cite{kls26}. + +\subsection{Formal verification of messaging protocols} + +Cohn-Gordon \etal~\cite{cgcd20} established the foundational Signal +analysis. Blanchet and Jacomme~\cite{bj24} proved post-quantum soundness +of CryptoVerif (CSF 2024). B\'eguinet \etal~\cite{bcrs24} gave the +first symbolic proof of a KEM-based Signal variant. Soliton's +55~Tamarin lemmas and 7~CryptoVerif queries across 13~models represent +among the most extensive formal verification efforts applied to a +KEM-based messaging protocol in the published literature (\Cref{tab:comparison}). The combination of +symbolic and computational verification for a full protocol (handshake +through streaming) is new. + +\subsection{Streaming AEAD} + +STREAM~\cite{hrrv15} (CRYPTO 2015) is the theoretical foundation. Hoang +and Shen~\cite{hs20} extended to random-access decryption for Google +Tink (CCS 2020). Fabrega \etal~\cite{floe25} introduced FLOE with +formal random-access encryption and commitment security (RWC 2026). +LO-Stream's dual-interface design in a messaging context appears novel. + +\subsection{Group messaging and other protocols} + +The Messaging Layer Security (MLS) protocol~\cite{rfc9420} addresses +group messaging with tree-based key agreement. Post-quantum MLS +ciphersuites using X-Wing have been implemented in +OpenMLS. Matrix's Megolm protocol provides group +encryption for the Matrix ecosystem but has no PQ features at the E2EE +layer. Zoom added ML-KEM for initial key encapsulation in 2024 but +provides no ongoing PQ ratcheting. Soliton is strictly two-party and +does not address group messaging. + + +% ============================================================================ +% 10. LIMITATIONS AND OPEN PROBLEMS +% ============================================================================ +\section{Limitations and open problems}\label{sec:limitations} + +Transparency about what has \emph{not} been proved is as important as +stating what has. The formal models and this paper were authored by the +protocol designer, assisted by AI (\Cref{sec:contributions}), and have +not undergone independent peer review. All results are +machine-checkable; independent verification is actively invited. + +\subsection{Verification gaps} + +\textbf{No full composition theorem.} Individual theorems and pairwise +compositions are established, but simultaneous correctness under +compound corruption spanning all protocol layers remains open. + +\textbf{No Theorem~2c/2d mechanization.} Key confirmation requires a +combined KEX+Ratchet model. + +\textbf{Single-epoch assumption.} CryptoVerif's Theorem~3 assumes a +fresh epoch key (\emph{epoch key freshness assumption}). Multi-epoch +security follows from the additive composition of per-epoch bounds under +the KDF\_Root output independence lemma and cross-epoch key independence +corollary (see \cref{sec:bounds}), but this chain is not +mechanically end-to-end verified. + +\textbf{X-Wing as black box.} Opening the combiner would yield tighter +bounds. + +\textbf{Bounded chains.} Tamarin bounds steps to 3--4. Unbounded +verification is feasible~\cite{lsb25} but resource-intensive. + +\subsection{Protocol limitations} + +\textbf{No deniability} --- KEM ciphertexts and $\sigma_{\text{SI}}$ are +attributable~\cite{fiedler-janson24}. +\textbf{OPK-absent security regression} --- without OPK, session +establishment forward secrecy depends solely on SPK rotation; corruption +of $\sk_{\text{IK}_B}$ and $\sk_{\text{SPK}_B}$ together suffices to +derive the session key. Deployments without a pre-key server should +treat OPK unavailability as a materially weaker security configuration. +\textbf{No group messaging} --- strictly two-party. +\textbf{Per-epoch FS only} --- counter-mode trades per-message FS for +$O(1)$ access. An epoch lasts until a direction change; in one-sided +conversations, a single epoch may span many messages over an extended +period, all derivable from the same~$\ek$. +\textbf{X-Wing not standardized} --- still an IETF draft. +\textbf{Metadata exposure} --- headers reveal epoch transitions and +message counts. + +\subsection{Open research directions} + +The formal analysis document~\cite{soliton-analysis} identifies specific +targets: full composition under compound corruption, OPK atomicity, +SPK rotation lifecycle, counter-mode vs.\ chain-mode formal comparison, +and bandwidth analysis via the VulM framework~\cite{adjks25}. +Applicability of Katana-style amortization~\cite{djkps25} to X-Wing is +open: Katana requires a Randomizable KEM (RKEM) interface that allows +ciphertext splitting across messages, and X-Wing's combiner structure +(X25519~+~ML-KEM-768 fed into SHA3-256) is not obviously compatible +with the RKEM abstraction. + + +% ============================================================================ +% 11. CONCLUSION +% ============================================================================ +\section{Conclusion}\label{sec:conclusion} + +I have presented Soliton, an end-to-end encrypted messaging protocol +providing hybrid classical/post-quantum security across key exchange, +ratcheting, authentication, call encryption, and streaming AEAD. No +existing asynchronous two-party E2EE messaging protocol provides +post-quantum authentication --- PQXDH, SPQR, and PQ3 all retain +classical-only signatures. Soliton's 55~Tamarin lemmas and +7~CryptoVerif queries across 13~models represent the most extensive +published formal verification of a KEM-based messaging protocol, +and the first to combine both symbolic and computational verification +for a full protocol lifecycle. + +The protocol makes deliberate trade-offs --- per-epoch forward secrecy, +unified X-Wing ratcheting, no deniability --- each motivated by +simplicity and practical deployability. These trade-offs and their +security implications are documented, and the open problems they create +are explicitly identified. + +The full specification, formal analysis, Tamarin and CryptoVerif models, +and Rust implementation are published at +\url{https://git.lo.sh/lo/libsoliton} under AGPL-3.0. Everything +claimed in this paper is machine-checkable. I invite independent +verification, critique, and analysis. + + +% ============================================================================ +% APPENDICES +% ============================================================================ +\clearpage +\appendix + +\section{Tamarin lemma results}\label{app:tamarin} + +\begin{table}[!htbp] +\centering +\caption{Complete Tamarin results (Tamarin 1.12.0, Maude 3.5.1). + \textbf{Bold} = falsified (expected).} +\label{tab:tamarin-full} +\small +\setlength{\tabcolsep}{4pt} +\begin{tabular}{@{} l l c r @{}} +\toprule +\textbf{Model} & \textbf{Lemma} & \textbf{Result} & \textbf{Steps} \\ +\midrule +LO\_KEX & KEX\_Exists & verified & 27 \\ + & Thm1\_Session\_Key\_Secrecy\_A & verified & 70 \\ + & Thm1\_Session\_Key\_Secrecy\_B & verified & 136 \\ + & Thm1\_EK\_Secrecy\_A & verified & 70 \\ + & Thm1\_EK\_Secrecy\_B & verified & 136 \\ + & Thm2a\_Recipient\_Binding & verified & 2 \\ + & Thm2b\_Initiator\_Auth & verified & 10 \\ + & OPK\_Single\_Use & verified & 24 \\ + & Key\_Uniqueness & verified & 2 \\ +\midrule +LO\_Ratchet & send\_sanity & verified & 7 \\ + & send\_fs & verified & 2818 \\ + & send\_corrupt\_terminates & verified & 193 \\ + & send\_pcs & verified & 2 \\ + & recv\_sanity & verified & 6 \\ + & recv\_fs\_1step & \textbf{falsified} & 11 \\ + & recv\_fs\_2step & verified & 9132 \\ + & recv\_corrupt\_terminates & verified & 273 \\ + & recv\_pcs & verified & 107 \\ +\midrule +LO\_Ratchet\_PCS & pcs\_sanity & verified & 3 \\ + & pcs\_no\_recovery\_after\_recv & \textbf{falsified} & 9 \\ + & pcs\_recovery\_after\_send & verified & 7 \\ + & pcs\_recovery\_sustained & verified & 15 \\ + & pcs\_f4\_violated & verified & 7 \\ +\midrule +LO\_Auth & Auth\_Exists & verified & 5 \\ + & Auth\_Ordering & verified & 2 \\ + & Auth\_Single\_Use & verified & 8 \\ + & Auth\_No\_Accept\_After\_Timeout & verified & 3 \\ + & Auth\_Unique\_Challenge & verified & 2 \\ + & Thm6\_Key\_Possession & verified & 11 \\ + & Thm6\_No\_Oracle & verified & 11 \\ +\midrule +LO\_Call & Call\_Exists & verified & 6 \\ + & Call\_Key\_Agreement & verified & 56 \\ + & Thm8\_Call\_Key\_Secrecy & verified & 24 \\ + & Thm9\_Intra\_Call\_FS & verified & 193 \\ + & Thm10\_Call\_Ratchet\_Ind & verified & 3 \\ + & Thm11\_Concurrent\_Ind & verified & 52 \\ +\midrule +LO\_AntiRefl. & Reflection\_Sanity & verified & 8 \\ + & Thm12\_Anti\_Reflection & verified & 5 \\ +\midrule +LO\_Stream & Stream\_Sanity & verified & 11 \\ + & Stream\_Sanity\_Finalize & verified & 7 \\ + & Thm13\_P2\_Integrity & verified & 28 \\ + & Thm13\_P3\_Ordering & verified & 18 \\ + & Thm13\_P4\_No\_False\_Final & verified & 17 \\ + & Thm13\_P5\_Cross\_Stream & verified & 55 \\ + & Thm13\_Key\_Secrecy & verified & 3 \\ +\midrule +LO\_NegativeTests & neg\_auth\_ik\_corrupt & \textbf{falsified} & 8 \\ + & neg\_auth\_rng\_corrupt & \textbf{falsified} & 10 \\ + & neg\_ratchet\_no\_fs\_0step & \textbf{falsified} & 8 \\ + & neg\_ratchet\_recv\_1step & \textbf{falsified} & 10 \\ + & neg\_call\_rk\_plus\_rng & \textbf{falsified} & 9 \\ + & neg\_stream\_key\_corrupt & \textbf{falsified} & 5 \\ + & neg\_reflect\_self\_session & \textbf{falsified} & 7 \\ + & neg\_kex\_no\_opk & \textbf{falsified} & 11 \\ + & neg\_ratchet\_duplicate & \textbf{falsified} & 7 \\ + & neg\_call\_self\_session & verified\textsuperscript{*} & 3 \\ +\bottomrule +\end{tabular} + +\smallskip +{\scriptsize $^*$\texttt{neg\_call\_self\_session} is an +\texttt{exists-trace} lemma (not all-traces): it confirms that +self-sessions are \emph{reachable} when the $\mathit{local\_fp} \neq +\mathit{remote\_fp}$ guard is absent, demonstrating the guard is +necessary. ``Verified'' is the expected outcome.} +\end{table} + + +\section{CryptoVerif query results}\label{app:cryptoverif} + +\begin{table}[!htbp] +\centering +\caption{CryptoVerif results (CryptoVerif 2.12).} +\label{tab:cv-full} +\small +\begin{tabular}{@{} l l l @{}} +\toprule +\textbf{Model} & \textbf{Query} & \textbf{Bound} \\ +\midrule +LO\_KEX\_Secrecy + & $\mathsf{secret}\ \rk_A$ \texttt{[cv\_onesession]} + & $2P_{\text{prf}} {+} 2P_{\text{kem}}^{\text{ik}} {+} + 2P_{\text{kem}}^{\text{spk}} {+} 2P_{\text{kem}}^{\text{opk}} {+} + \text{coll.}$ \\ +LO\_KEX + & $\mathsf{event}(\text{Bob\_Accept}) {\Rightarrow} + \mathsf{event}(\text{Alice\_Init})$ + & $P_{\text{sig}}$ \\ +LO\_Ratchet\_MsgSecrecy + & $\mathsf{secret}\ \mathit{test\_mk}$ + \texttt{[cv\_onesession]} + & $2P_{\text{prf}}$ \\ +LO\_Auth + & $\mathsf{event}(\text{ServerAccepts}) {\Rightarrow} + \mathsf{event}(\text{ClientResponds})$ + & $N_s {\cdot} P_{\text{mac}} {+} P_{\text{kem}}$ \\ +LO\_Auth + & $\mathsf{inj\text{-}event}(\text{ServerAccepts}) {\Rightarrow} + \mathsf{inj\text{-}event}(\text{ClientResponds})$ + & $N_s {\cdot} P_{\text{mac}} {+} P_{\text{kem}}$ \\ +LO\_Stream\_Secrecy + & $\mathsf{secret}\ b_0$ \texttt{[cv\_bit]} + & $2P_{\text{ctxt}} {+} 2P_{\text{cpa}}(t, N_{\text{enc}})$ \\ + & $\mathsf{inj\text{-}event} {\Rightarrow} + \mathsf{inj\text{-}event}$ + & $P_{\text{ctxt}}$ \\ +\bottomrule +\end{tabular} +\end{table} + + +\section{Wire sizes}\label{app:sizes} + +\begin{table}[!htbp] +\centering +\caption{Key and ciphertext sizes (bytes).} +\label{tab:sizes} +\small +\begin{tabular}{@{} l r l @{}} +\toprule +\textbf{Object} & \textbf{Size} & \textbf{Components} \\ +\midrule +Identity public key & 3200 & X-Wing (1216) + Ed25519 (32) + ML-DSA (1952) \\ +Identity secret key & 2496 & X-Wing (2432) + Ed25519 (32) + ML-DSA seed (32) \\ +Identity fingerprint & 32 & SHA3-256 of public key \\ +X-Wing public key & 1216 & ML-KEM-768 (1184) + X25519 (32) \\ +X-Wing ciphertext & 1120 & ML-KEM-768 (1088) + X25519 (32) \\ +Hybrid signature & 3373 & Ed25519 (64) + ML-DSA-65 (3309) \\ +\midrule +Ratchet header (no KEM step) & 1225 & $\pk_s$ + flag + counters \\ +Ratchet header (with KEM step) & 2347 & + length prefix + $c_{\text{ratchet}}$ \\ +Session init (no OPK) & 3543 & version + fps + $\pk_{\text{EK}}$ + 2 ciphertexts \\ +Session init (with OPK) & 4669 & + 1 ciphertext \\ +\midrule +Stream header & 26 & version (1) + flags (1) + base\_nonce (24) \\ +Stream chunk overhead & 17 & tag\_byte (1) + Poly1305 tag (16) \\ +\bottomrule +\end{tabular} +\end{table} + + +% ============================================================================ +% REFERENCES (placeholder for BibTeX) +% ============================================================================ +\begingroup +\raggedright +\begin{thebibliography}{99} + +\bibitem{acd19} J.~Alwen, S.~Coretti, Y.~Dodis. ``The Double Ratchet: +Security Notions, Proofs, and Modularization for the Signal Protocol.'' +EUROCRYPT~2019. + +\bibitem{apple-pq3} Apple Security Research. ``iMessage with PQ3.'' +\url{https://security.apple.com/blog/imessage-pq3/}, 2024. + +\bibitem{bellare06} M.~Bellare. ``New Proofs for NMAC and HMAC: Security +without Collision-Resistance.'' CRYPTO~2006. + + +\bibitem{bfg20} J.~Brendel, M.~Fischlin, F.~G\"unther, C.~Janson, +D.~Stebila. ``Towards Post-Quantum Security for Signal's X3DH +Handshake.'' SAC~2020. + +\bibitem{bjks24} K.~Bhargavan, C.~Jacomme, F.~Kiefer, R.~Schmidt. +``Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol.'' +USENIX Security~2024. + +\bibitem{bj24} B.~Blanchet, C.~Jacomme. ``Post-Quantum Sound CryptoVerif +and Verification of Hybrid TLS and SSH Key-Exchanges.'' CSF~2024. + +\bibitem{cgcd20} K.~Cohn-Gordon, C.~Cremers, B.~Dowling, L.~Garratt, +D.~Stebila. ``A Formal Security Analysis of the Signal Messaging +Protocol.'' J.~Cryptology, 2020. + +\bibitem{djkps25} Y.~Dodis, D.~Jost, S.~Katsumata, T.~Prest, +R.~Schmidt. ``Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal +Protocol.'' EUROCRYPT~2025. IACR ePrint 2025/078. + +\bibitem{adjks25} B.~Auerbach, Y.~Dodis, D.~Jost, S.~Katsumata, +R.~Schmidt. ``How to Compare Bandwidth Constrained Two-Party Secure +Messaging Protocols.'' USENIX Security~2025. + +\bibitem{fips203} NIST. ``Module-Lattice-Based Key-Encapsulation +Mechanism Standard.'' FIPS~203, 2024. + +\bibitem{fips204} NIST. ``Module-Lattice-Based Digital Signature +Standard.'' FIPS~204, 2024. + +\bibitem{hks22} K.~Hashimoto, S.~Katsumata, K.~Kwiatkowski, T.~Prest. +``An Efficient and Generic Construction for Signal's Handshake (X3DH): +Post-Quantum, State Leakage Secure, and Deniable.'' J.~Cryptology, 2022. + +\bibitem{hrrv15} V.T.~Hoang, R.~Reyhanitabar, P.~Rogaway, D.~Viz\'ar. +``Online Authenticated-Encryption and its Nonce-Reuse +Misuse-Resistance.'' CRYPTO~2015. + +\bibitem{krawczyk10} H.~Krawczyk. ``Cryptographic Extraction and Key +Derivation: The HKDF Scheme.'' CRYPTO~2010. + +\bibitem{lsb25} F.~Linker, R.~Sasse, D.~Basin. ``A Formal Analysis of +Apple's iMessage PQ3 Protocol.'' USENIX Security~2025. + +\bibitem{rfc5869} H.~Krawczyk, P.~Eronen. ``HMAC-based +Extract-and-Expand Key Derivation Function (HKDF).'' RFC~5869, 2010. + + +\bibitem{rfc8032} S.~Josefsson, I.~Liusvaara. ``Edwards-Curve Digital +Signature Algorithm (EdDSA).'' RFC~8032, 2017. + +\bibitem{signal-doubleratchet} Signal Foundation. ``The Double Ratchet +Algorithm.'' \url{https://signal.org/docs/specifications/doubleratchet/}. + +\bibitem{signal-pqxdh} E.~Kret. ``Quantum Resistance and the Signal +Protocol.'' Signal Blog, 2023. +\url{https://signal.org/blog/pqxdh/}. + +\bibitem{signal-spqr} Signal Foundation. ``Signal Protocol and +Post-Quantum Ratchets.'' Signal Blog, 2025. +\url{https://signal.org/blog/spqr/}. + +\bibitem{signal-x3dh} Signal Foundation. ``The X3DH Key Agreement +Protocol.'' \url{https://signal.org/docs/specifications/x3dh/}. + +\bibitem{soliton-repo} K.~Tufekcic. ``libsoliton.'' +\url{https://git.lo.sh/lo/libsoliton}. + +\bibitem{soliton-spec} K.~Tufekcic. ``Soliton Cryptographic +Specification.'' +\url{https://git.lo.sh/lo/libsoliton/wiki/Specification}. + +\bibitem{soliton-analysis} K.~Tufekcic. ``Soliton Formal Analysis.'' +\url{https://git.lo.sh/lo/libsoliton/wiki/Formal-Analysis}. + +\bibitem{xwing} M.~Barbosa \etal ``X-Wing: The Hybrid KEM You've Been +Looking For.'' IACR Commun.\ Cryptol., 2024. + +\bibitem{xwing-ietf} D.~Connolly \etal +``draft-connolly-cfrg-xwing-kem-10.'' IETF CFRG, 2026. + +\bibitem{fiedler-janson24} R.~Fiedler, C.~Janson. ``A Deniability +Analysis of Signal's Initial Handshake PQXDH.'' PoPETs, 2024. IACR +ePrint 2024/741. + + +\bibitem{cmn25} C.~Cremers, N.~Medinger, A.~Naska. ``Impossibility +Results for Post-Compromise Security in Real-World Communication +Systems.'' IEEE S\&P, 2025. IACR ePrint 2024/1886. + +\bibitem{starfighters25} D.~Connolly, A.~H\"ovelmanns, A.~H\"ulsing, +S.~Kousidis, J.~Meijers. ``Starfighters --- On the General +Applicability of X-Wing.'' IACR ePrint 2025/1397. + +\bibitem{bp26} S.~Bao, Y.~Pan. ``Anonymity of X-Wing and its +Variants.'' IACR ePrint 2026/396. + +\bibitem{kls26} M.~Kang, J.~Lee, K.~Son. ``On the Necessity of Public +Contexts in Hybrid KEMs: A Case Study of X-Wing.'' IACR ePrint +2026/140. + +\bibitem{bcrs24} L.~B\'eguinet, C.~Chevalier, T.~Ricosset, E.~Senet. +``Formal Verification of a Post-quantum Signal Protocol with Tamarin.'' +VECoS~2023, LNCS~14368, 2024. + +\bibitem{hs20} V.T.~Hoang, Y.~Shen. ``Security of Streaming Encryption +in Google's Tink Library.'' CCS, 2020. IACR ePrint 2020/1019. + +\bibitem{floe25} T.~Fabrega, J.~Len, T.~Ristenpart, A.~Rubin. +``Random-Access AEAD for Fast Lightweight Online Encryption.'' IACR +ePrint 2025/2275. + +\bibitem{rfc9420} R.~Barnes, B.~Beurdouche, R.~Robert, J.~Millican, +E.~Omara, K.~Cohn-Gordon. ``The Messaging Layer Security (MLS) +Protocol.'' RFC~9420, 2023. + +\end{thebibliography} +\endgroup + +\end{document} \ No newline at end of file diff --git a/soliton/fuzz/Cargo.lock b/soliton/fuzz/Cargo.lock index 632618d2df..631446269f 100644 --- a/soliton/fuzz/Cargo.lock +++ b/soliton/fuzz/Cargo.lock @@ -435,7 +435,7 @@ dependencies = [ [[package]] name = "libsoliton" -version = "0.1.0" +version = "0.1.1" dependencies = [ "argon2", "chacha20poly1305", diff --git a/soliton/fuzz/corpus/fuzz_auth_respond/valid_ct b/soliton/fuzz/corpus/fuzz_auth_respond/valid_ct index d845781929..964bba0661 100644 --- a/soliton/fuzz/corpus/fuzz_auth_respond/valid_ct +++ b/soliton/fuzz/corpus/fuzz_auth_respond/valid_ct @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:77b67ab2131bd3347e5b6f6d1dc1f8c52340795cf8c897b0a6c6ff976b8622b0 +oid sha256:68d7cd19b1d487d0848a4ad6251e35da627f6d61fde9d670817ec483495f3766 size 1120 diff --git a/soliton/fuzz/corpus/fuzz_decrypt_first_message/valid_first_msg b/soliton/fuzz/corpus/fuzz_decrypt_first_message/valid_first_msg index 0f4a3efda1..3dac25f6fe 100644 --- a/soliton/fuzz/corpus/fuzz_decrypt_first_message/valid_first_msg +++ b/soliton/fuzz/corpus/fuzz_decrypt_first_message/valid_first_msg @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:30e0a3cc018601c7bdfdcc2595547f2ff9db0b2a11bed216c2c9b2112b66e7ea +oid sha256:166c98794d1954b807bbf7fd195bda59f230546d70dbb071c472740d9a049749 size 51 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/0792446e9e4e302ef86828be9e266fc1b4de4407 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/0792446e9e4e302ef86828be9e266fc1b4de4407 new file mode 100644 index 0000000000..0642d92de8 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/0792446e9e4e302ef86828be9e266fc1b4de4407 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:86b3214816b44748fe3e18022e66410c8a286942b446839270640399622aafa0 +size 4 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/164fd078f9a0ba81f8d916617ade549e2389f89d b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/164fd078f9a0ba81f8d916617ade549e2389f89d new file mode 100644 index 0000000000..0aeffd99b7 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/164fd078f9a0ba81f8d916617ade549e2389f89d @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a246d20181f7cac7d18d5ef4ef82cc82bfc0f51361830e187aeac44474795c77 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/2284aab09f260f3ea2a36303e8e4b8c022faa1ff b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/2284aab09f260f3ea2a36303e8e4b8c022faa1ff new file mode 100644 index 0000000000..0cade4dc4b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/2284aab09f260f3ea2a36303e8e4b8c022faa1ff @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a93a6a8a9d0cb0978c73cf6f2ed08b589a9e4b706a1916383a3a57bea9efed8 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/22ef1d4d7b042ff205815af958bde3c619157361 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/22ef1d4d7b042ff205815af958bde3c619157361 new file mode 100644 index 0000000000..51999862a5 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/22ef1d4d7b042ff205815af958bde3c619157361 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e3181aea22c7aca5774f5775a9ab9da6541f49fdb4caa0ae68dabc57eacde74b +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/3d1234355041aae78f70de42de8515a921c9073d b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/3d1234355041aae78f70de42de8515a921c9073d new file mode 100644 index 0000000000..6ebb24822a --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/3d1234355041aae78f70de42de8515a921c9073d @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bab6ce9ede0398b4982dfda05e807f8ab184a66e1ee9e939b436ee1d4949e670 +size 331 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/8ce24fc0ea8e685eb23bf6346713ad9fef920425 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/8ce24fc0ea8e685eb23bf6346713ad9fef920425 new file mode 100644 index 0000000000..e1722591bc --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/8ce24fc0ea8e685eb23bf6346713ad9fef920425 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3340883aad3038dd993b3c94d2d32c3b20e07859969aca411f7f93ab8847c746 +size 1 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/91ac28edf4ce92b1fe9d9f83cd5447d067a4b366 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/91ac28edf4ce92b1fe9d9f83cd5447d067a4b366 new file mode 100644 index 0000000000..a2e98725fb --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/91ac28edf4ce92b1fe9d9f83cd5447d067a4b366 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d91490091bbe730b06d7f0ede1fb777c147949639de46fe0a189edb50eeb0892 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/b3b28f02b153220e7d1bf1b19dbb32363b926181 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/b3b28f02b153220e7d1bf1b19dbb32363b926181 new file mode 100644 index 0000000000..12e3d3ec25 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/b3b28f02b153220e7d1bf1b19dbb32363b926181 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:33c9cc4f4954bd7508f3da90b0fbe3757df0961b79deb25e9a1472afeba1fa82 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/d081c37090c6c163e1ed6b7f27c34d61f5437606 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/d081c37090c6c163e1ed6b7f27c34d61f5437606 new file mode 100644 index 0000000000..9fe6c9f04b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/d081c37090c6c163e1ed6b7f27c34d61f5437606 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:66c9c5dfdab606c5e48705316848e3938fe8ad35b7108087d8e831392d4b2113 +size 2 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/df4e1459fc34e72f44fd348ae97abd055d253d52 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/df4e1459fc34e72f44fd348ae97abd055d253d52 new file mode 100644 index 0000000000..0f68c21469 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/df4e1459fc34e72f44fd348ae97abd055d253d52 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d93ff76f7b107e254f9964a5d8595f2f404ddf1aad78a903740e1dfeeb1f0a6 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/f421c2fbfd6ff080108402148f2cfa0a41715290 b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/f421c2fbfd6ff080108402148f2cfa0a41715290 new file mode 100644 index 0000000000..48a1661fbf --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/f421c2fbfd6ff080108402148f2cfa0a41715290 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:adf7aae433b74fb5dc55335e279790a9a81cb5dae9606075a59ce3321749f055 +size 139 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/truncated b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/truncated index 743de218f3..ded7feee27 100644 --- a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/truncated +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/truncated @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:4ff0f94b542776c6cfed857ba7deb8c71e72fcd42534bf3a0fe3ce03ff2525cd +oid sha256:7f9ffb7107c07d64727a2fed4a5147b50051a0d70f4f942305000d3c27db6895 size 16 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_compressed b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_compressed index 5bd2d9362c..b5638e0fd5 100644 --- a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_compressed +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_compressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:a260de34dc6e65c0a957f35e972fea69daba02ba4fed084b335ccc86a916a480 +oid sha256:239936ae5ea05165bf6bf4b59741fa321c4a2d25e9434cdd393e6e44ae1e9cea size 73 diff --git a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_uncompressed b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_uncompressed index d584d424d1..5221b648e9 100644 --- a/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_uncompressed +++ b/soliton/fuzz/corpus/fuzz_dm_queue_decrypt_blob/valid_uncompressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:664b87edd1aad0889aa6a12bfc6168e2c4a70453642c9fade461c39fd56f888d +oid sha256:813a7bd1ecb523a19bc4d7a3c65f2be03eebe1a49dfb0527a76b2de3dc023626 size 59 diff --git a/soliton/fuzz/corpus/fuzz_ed25519_verify/bad_sig_bit b/soliton/fuzz/corpus/fuzz_ed25519_verify/bad_sig_bit index 5516ffcc5b..6f28f0cdd5 100644 --- a/soliton/fuzz/corpus/fuzz_ed25519_verify/bad_sig_bit +++ b/soliton/fuzz/corpus/fuzz_ed25519_verify/bad_sig_bit @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0ff2dfc139ac141d4deae67ca2baf874ae765033fc471682888ff465b7dcfad3 +oid sha256:014c9986e42c8a9c11ded1389db01425edf86fa54fdd3e7d30cbad529bafd57a size 111 diff --git a/soliton/fuzz/corpus/fuzz_ed25519_verify/valid_verify b/soliton/fuzz/corpus/fuzz_ed25519_verify/valid_verify index fead21a35f..59a1cfc3c0 100644 --- a/soliton/fuzz/corpus/fuzz_ed25519_verify/valid_verify +++ b/soliton/fuzz/corpus/fuzz_ed25519_verify/valid_verify @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:302bc30b374599f6e7b63e684ff4ed9efc6cb320d78a2db8c767fb7f4cf3bdcc +oid sha256:6a5105aa8505cffd85e618e28bf428ff553cb012635a8f97cb04cf62f983fb35 size 111 diff --git a/soliton/fuzz/corpus/fuzz_hybrid_verify/bad_ed25519_valid_mldsa b/soliton/fuzz/corpus/fuzz_hybrid_verify/bad_ed25519_valid_mldsa index de7c67bb68..e7d3dc17eb 100644 --- a/soliton/fuzz/corpus/fuzz_hybrid_verify/bad_ed25519_valid_mldsa +++ b/soliton/fuzz/corpus/fuzz_hybrid_verify/bad_ed25519_valid_mldsa @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:82f43595efbb69e92797b1c7cab5f0214e9653e79a8bb536983ae22a8ee9c925 +oid sha256:795a9d9d3d978d5c96a7a2c60434d389d35337671d31c1b108037442cbcd3e62 size 6598 diff --git a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_ed25519_bad_mldsa b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_ed25519_bad_mldsa index 30ebff4927..ade0fa349c 100644 --- a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_ed25519_bad_mldsa +++ b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_ed25519_bad_mldsa @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:838bfeaa7d87c39bd07e099a98fda98bed1decd0833ad568068ec77e643061f6 +oid sha256:62c0f8a27b5805a6a96a947260b0688a9c3239c3d3c3410934bf7e481fa0fd92 size 6598 diff --git a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_empty_msg b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_empty_msg index dd8b6a4c9f..a6e12f753c 100644 --- a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_empty_msg +++ b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_empty_msg @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f61b2b672dd2f902bfddf22ee7dffe6fa6148711531aab83f2e25a74ff3cfe07 +oid sha256:fe3aab3fbdb20a60e166f844e1ef72ee2328a8551d839ebf9b12ca145bd2a201 size 6573 diff --git a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_hybrid b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_hybrid index 46ced535d3..d97b5b17a5 100644 --- a/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_hybrid +++ b/soliton/fuzz/corpus/fuzz_hybrid_verify/valid_hybrid @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:87585bcf305d8f51c4f167653287203608f80548f698255b2b43500dde72776e +oid sha256:bb310c77a9c9ca74773ec6a2ff9f26479405d333d57ed97f2397067f8ceba4ce size 6598 diff --git a/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_pk b/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_pk index 048f91059f..1a5c61e0eb 100644 --- a/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_pk +++ b/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_pk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:59b307074dc4da9dfc6d0ebeced0ca8552928568bb3a205513bb28ac20138f3c +oid sha256:df1667f0fa2e35caa2c463eed0b3565064cf5033e5d4498836e1e74a9b5d282d size 3200 diff --git a/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_sk b/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_sk index cde93ba2ca..ebe89de802 100644 --- a/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_sk +++ b/soliton/fuzz/corpus/fuzz_identity_from_bytes/valid_sk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:114b6d09400dca815297d44bc555138713efcd117c37aa9c5c51160ad6ed1e95 +oid sha256:7a827953a462951cb2b5d6a896e214c5ed04cf3b090fbf90f0b819c49f13b5d7 size 2496 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/068ac00ab22fa1a60aa534c312c8e50c4d49c293 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/068ac00ab22fa1a60aa534c312c8e50c4d49c293 new file mode 100644 index 0000000000..b721e300ac --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/068ac00ab22fa1a60aa534c312c8e50c4d49c293 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f2b5c3abe49732a79ec86d5c19d5ff3181a8063956c915b00e2c594862e5999c +size 323 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/123ef33e2b797f8f691b1d38501f33fbcc7428ea b/soliton/fuzz/corpus/fuzz_identity_sign_verify/123ef33e2b797f8f691b1d38501f33fbcc7428ea new file mode 100644 index 0000000000..66de058c2b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/123ef33e2b797f8f691b1d38501f33fbcc7428ea @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d45b078e895c96ffb6b69117165cf95ecb75f9462ab1bdc2fec3aa906b7bd2ef +size 179 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/3a466d29221a816c5a2c7cc403caaa6058da0143 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/3a466d29221a816c5a2c7cc403caaa6058da0143 new file mode 100644 index 0000000000..e8158702b7 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/3a466d29221a816c5a2c7cc403caaa6058da0143 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d14ce067f51dce11a5899fb6167032a9f201b257596376c378f23e3b56fe10c +size 17 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/622ba87343a75abf20a2b47e503c9cfc557822f7 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/622ba87343a75abf20a2b47e503c9cfc557822f7 new file mode 100644 index 0000000000..aba6594312 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/622ba87343a75abf20a2b47e503c9cfc557822f7 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d5cb290b693c5d1931828e866726d89cae991e4890384e9df1431f87a3e3140d +size 77 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/6ed2aa32781ba0300c5a8e887854897f8da5aa03 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/6ed2aa32781ba0300c5a8e887854897f8da5aa03 new file mode 100644 index 0000000000..fd2dade26e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/6ed2aa32781ba0300c5a8e887854897f8da5aa03 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:15383186dd03b3b9bb8efb0630804bc23e6a251097c50df59af449685c666e1f +size 73 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/78415fd588c0775cb41f15532ec2feab43a84f0b b/soliton/fuzz/corpus/fuzz_identity_sign_verify/78415fd588c0775cb41f15532ec2feab43a84f0b new file mode 100644 index 0000000000..e2243240c2 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/78415fd588c0775cb41f15532ec2feab43a84f0b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4e845da81729621894da7be05e5b1bb028c2c456b8fae98a9018ac1af1bae435 +size 286 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/7e06b1ca802a48c717192f5906d9724df8f4423f b/soliton/fuzz/corpus/fuzz_identity_sign_verify/7e06b1ca802a48c717192f5906d9724df8f4423f new file mode 100644 index 0000000000..827349e29c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/7e06b1ca802a48c717192f5906d9724df8f4423f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a00968b723ca3596b14b40c57503205118eca820ec11a288f9c9165e225ca5b9 +size 1377 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/933c356b95dd3aec979dbca14628d76b7f03aabc b/soliton/fuzz/corpus/fuzz_identity_sign_verify/933c356b95dd3aec979dbca14628d76b7f03aabc new file mode 100644 index 0000000000..3b07ffb7ef --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/933c356b95dd3aec979dbca14628d76b7f03aabc @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9564e6ed12b041bfe7eb862d266322243541211795cc0e8cd6bbef2b83f258b2 +size 107 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/9e5555573e86bab555e5879f82be85031ef53de2 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/9e5555573e86bab555e5879f82be85031ef53de2 new file mode 100644 index 0000000000..5f9c86a8e5 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/9e5555573e86bab555e5879f82be85031ef53de2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3db25023138dc4e30ede152207f4e093aaf2949f705ee6eb712548e35463930b +size 408 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/b9b60eb1c690d52bf2d9fadb4aa253acfd5b1849 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/b9b60eb1c690d52bf2d9fadb4aa253acfd5b1849 new file mode 100644 index 0000000000..978fa277a6 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/b9b60eb1c690d52bf2d9fadb4aa253acfd5b1849 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0f58102a06d66a6b2dd5523bf44314c7d8b0cfb43da5e14273cf23a73d0ff29c +size 11438 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/c1972705930bee9c59e74f1a367428eac8aa3ea5 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/c1972705930bee9c59e74f1a367428eac8aa3ea5 new file mode 100644 index 0000000000..c3dfe98f8e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/c1972705930bee9c59e74f1a367428eac8aa3ea5 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6476902ade74d607640caa32c51ce79f36f3cd593a78789c6e95d03822eb23e8 +size 12794 diff --git a/soliton/fuzz/corpus/fuzz_identity_sign_verify/ef1f885b68be35ca8a8ecad0e9f3bf293f8ad612 b/soliton/fuzz/corpus/fuzz_identity_sign_verify/ef1f885b68be35ca8a8ecad0e9f3bf293f8ad612 new file mode 100644 index 0000000000..e2d88cdedc --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_identity_sign_verify/ef1f885b68be35ca8a8ecad0e9f3bf293f8ad612 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ac9caf150ab975c2f2b040572b326874310e9aaa03155cedfdefd54e76bef39 +size 6056 diff --git a/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_no_opk b/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_no_opk index 135a9a464f..b62aead54a 100644 --- a/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_no_opk +++ b/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_no_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c7c796031a5016d9b2bc51df97a936c4d3403d06b1a9eff78d15c580bc01b00b +oid sha256:9c9dfcdc6cff579f02a253af38330bd2b99b66a4b2cbaec24094379e7e0a5fad size 6916 diff --git a/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_with_opk b/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_with_opk index d8c00f13fa..3565a4936f 100644 --- a/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_with_opk +++ b/soliton/fuzz/corpus/fuzz_kex_decode_receive/valid_with_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6bb72586baf1161eccc3940b24955d43a9f5db241c3c550c4105a3b3ee60f210 +oid sha256:08519c754f2b92926394352d7bee46215c9c6b8857681fbcdb54bb82361e9e56 size 8042 diff --git a/soliton/fuzz/corpus/fuzz_kex_receive_session/valid_session_init b/soliton/fuzz/corpus/fuzz_kex_receive_session/valid_session_init index cb9bf1197b..6641d63278 100644 --- a/soliton/fuzz/corpus/fuzz_kex_receive_session/valid_session_init +++ b/soliton/fuzz/corpus/fuzz_kex_receive_session/valid_session_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:15bfe89a9ead7254524d9ef65f175b0e1f0276225d3862b09e3619a526703392 +oid sha256:82a397f982988e6cbacf83a4e518817c5e63c697391bb41651428f78b5d92228 size 6910 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2083a2d5ca212265737c337805dc0a2a3ba38bdb b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2083a2d5ca212265737c337805dc0a2a3ba38bdb new file mode 100644 index 0000000000..20c73d910a --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2083a2d5ca212265737c337805dc0a2a3ba38bdb @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5f3cb45204ab04a1eb21d4b3ea46584b8a80d970f11586728633f1f1440a1817 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2a4c2ce2861863836fe11076593564c281c82a2b b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2a4c2ce2861863836fe11076593564c281c82a2b new file mode 100644 index 0000000000..9f5e260b3f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/2a4c2ce2861863836fe11076593564c281c82a2b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cdc28933c76cd60f8c8a23c13423e2dbc884536fd8b2e8bc2cc85035684ef4a2 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/4d87ca00dda28364820502e7ae87c5ec5703d5fd b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/4d87ca00dda28364820502e7ae87c5ec5703d5fd new file mode 100644 index 0000000000..c0bc5aa87b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/4d87ca00dda28364820502e7ae87c5ec5703d5fd @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:643ac2b1f7780475089cabf71890b221f3bb5274e4ba4bb876fa06afd385ae5e +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/54b5169e3a98f60c11086985f87b36cc9e1b529d b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/54b5169e3a98f60c11086985f87b36cc9e1b529d new file mode 100644 index 0000000000..eba61f4595 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/54b5169e3a98f60c11086985f87b36cc9e1b529d @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:276aedad429c4554da6a8bc5455a6ccff21ca3971af21274866d2efc107ff8a4 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/5cb54aa75193f2ede647bb831889181f91e0e7dd b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/5cb54aa75193f2ede647bb831889181f91e0e7dd new file mode 100644 index 0000000000..0d1a93a363 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/5cb54aa75193f2ede647bb831889181f91e0e7dd @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b795ac4e5f65083f8e4387193561fb8d5ec846d1b9ac087c86ae54ec289470a8 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/611d79ee838e3109fcf297595cf049555678e2ed b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/611d79ee838e3109fcf297595cf049555678e2ed new file mode 100644 index 0000000000..d43b3762c9 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/611d79ee838e3109fcf297595cf049555678e2ed @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e261b1e937dd0dc2afd1d419483ee1890ef4fe749473a5634daf9a76a6c75d68 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/83ce312925d8c34813ba41830570d90873deb7e4 b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/83ce312925d8c34813ba41830570d90873deb7e4 new file mode 100644 index 0000000000..80dae42494 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/83ce312925d8c34813ba41830570d90873deb7e4 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c155227ab7b82cd7785d20ed0786be98f95dd9415c1f64f5725594c9b33164fc +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/c399af33f77df1669d76eefc76d6abea0f5b07d6 b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/c399af33f77df1669d76eefc76d6abea0f5b07d6 new file mode 100644 index 0000000000..745e0becf5 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/c399af33f77df1669d76eefc76d6abea0f5b07d6 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:171118629b1ad6ab70f53bc03acc63ec91153fa5d3d599efb84695053a30bb26 +size 4606 diff --git a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/valid_structure b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/valid_structure index 2a07634629..c202fac82c 100644 --- a/soliton/fuzz/corpus/fuzz_kex_verify_bundle/valid_structure +++ b/soliton/fuzz/corpus/fuzz_kex_verify_bundle/valid_structure @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:29cea1740bcd6ac0bb9bf7d3c0f4e0e13c303fd002f3f50f4296562c52eb465c +oid sha256:ea5edc29fb05bb05b16d95298387a62f3c6b67ccb976e741f5f576cbc27a8806 size 4606 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt/no_kem_ct b/soliton/fuzz/corpus/fuzz_ratchet_decrypt/no_kem_ct index 638de49f01..e7741cc32f 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt/no_kem_ct +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt/no_kem_ct @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b24d9cb735423a5574964aa188e5e2f9aa1b259bd916f0de7e609258f2e09ca7 +oid sha256:5ed6c724d07aef763f7cf382d3e9798b20443ade9a084bb3e9aed2a1aab673c1 size 2472 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt/valid_alice_msg b/soliton/fuzz/corpus/fuzz_ratchet_decrypt/valid_alice_msg index 638de49f01..e7741cc32f 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt/valid_alice_msg +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt/valid_alice_msg @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b24d9cb735423a5574964aa188e5e2f9aa1b259bd916f0de7e609258f2e09ca7 +oid sha256:5ed6c724d07aef763f7cf382d3e9798b20443ade9a084bb3e9aed2a1aab673c1 size 2472 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/04b583bc161eae07ab697905c95ab9fc8f1cb6cf b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/04b583bc161eae07ab697905c95ab9fc8f1cb6cf new file mode 100644 index 0000000000..84acf5274f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/04b583bc161eae07ab697905c95ab9fc8f1cb6cf @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ada3c01397411750cf1e3dae01f2bdce4b20d7b00736ca9e67c8c63df6fbbd9e +size 3684 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/0b118fc5aa22794801b852d157f950e4b785e0cf b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/0b118fc5aa22794801b852d157f950e4b785e0cf new file mode 100644 index 0000000000..9eaf0c3d5e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/0b118fc5aa22794801b852d157f950e4b785e0cf @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0cc46c1f68cc989a612741d74af367088575135cd86688ed98c7a2a8b57bea3b +size 2686 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/2b208bc47a3b0546ab242c9d804a5a19165e59fe b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/2b208bc47a3b0546ab242c9d804a5a19165e59fe new file mode 100644 index 0000000000..f9beba115b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/2b208bc47a3b0546ab242c9d804a5a19165e59fe @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b376cf7bb1afe06fde3157b81ac4da8a5fec164b706aa346b46dd0a59e70bd0 +size 1803 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/41f47a9762e7db3c42dee702eac270cd7a08dadf b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/41f47a9762e7db3c42dee702eac270cd7a08dadf new file mode 100644 index 0000000000..742e17840f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/41f47a9762e7db3c42dee702eac270cd7a08dadf @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d2860c01088eb0264e4eac3822af9a0d576793a15552243d102d15878974d92 +size 18064 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/44f23709d3a8d9af97993ce7e73cf968c04ed870 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/44f23709d3a8d9af97993ce7e73cf968c04ed870 new file mode 100644 index 0000000000..9eb94009c9 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/44f23709d3a8d9af97993ce7e73cf968c04ed870 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf7ea06c3e1c0c800ea599bec41febfd80ac54e8a007f66dde45deed831da3c2 +size 1796 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/4e4febc203227d20267fc5f6c678b14794167838 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/4e4febc203227d20267fc5f6c678b14794167838 new file mode 100644 index 0000000000..3b7fc2dd42 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/4e4febc203227d20267fc5f6c678b14794167838 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a22012eb5d6574339e3ce2dab57760c15f638abd40729c1a3f37f8aa8ae32f56 +size 1796 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/5ebb3cd0d049b76db9146ec7870a8fce7b117291 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/5ebb3cd0d049b76db9146ec7870a8fce7b117291 new file mode 100644 index 0000000000..402449de24 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/5ebb3cd0d049b76db9146ec7870a8fce7b117291 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4187b6ebcfd832c7da4f6b4b668da5c70c96c08d40328b79bc8e63b979fac6c2 +size 1803 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a2b2085fcf0bb1e3aae058d013c645cefa184477 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a2b2085fcf0bb1e3aae058d013c645cefa184477 new file mode 100644 index 0000000000..9bd9397788 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a2b2085fcf0bb1e3aae058d013c645cefa184477 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:813936b6f32e81c2eb162f9a793a0e21cab7eafd2a523860556db7dc6b3cbefb +size 1809 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a54fcd4af3a9756925dfa779fb6d25c20bf0dacc b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a54fcd4af3a9756925dfa779fb6d25c20bf0dacc new file mode 100644 index 0000000000..847589735f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/a54fcd4af3a9756925dfa779fb6d25c20bf0dacc @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:709d090e57af0a1d690ec4d21652df22f7f174337043a5c938eb5cc01c21655a +size 1796 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/df700ef114d57ae1279256f09605805c37f137a4 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/df700ef114d57ae1279256f09605805c37f137a4 new file mode 100644 index 0000000000..65411b8798 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/df700ef114d57ae1279256f09605805c37f137a4 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9724a33daa1d6166591eae48b1241d065089c03d75f2a81f45ad72d20c87ddec +size 2674 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/f14581242f48b7f0f4c51c7f2be0b24783c410e8 b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/f14581242f48b7f0f4c51c7f2be0b24783c410e8 new file mode 100644 index 0000000000..e9d67f1f9e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/f14581242f48b7f0f4c51c7f2be0b24783c410e8 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3cabf58be0dcfafd8aebae42c3dfe1296c66ec32ff43dcf1e8875d738d2e88e0 +size 1809 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/out_of_order_late b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/out_of_order_late index 2a130ec2f5..6473b66a7d 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/out_of_order_late +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/out_of_order_late @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:96eca437dac7e933f59cd0b73ac8ec8092fb32046020f5f371f15f2ea9076e18 +oid sha256:c8dbac48629471a769363fee87829dc83a27f63daa817617d5c39c5ed360fdd0 size 2674 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/true_duplicate b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/true_duplicate index d107f6c85a..386bc8d227 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/true_duplicate +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/true_duplicate @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:5a9195fd721a11dcda6c14ee8b9ffc33b609c3d64ca5d79ede838a093d38adea +oid sha256:89025b0f58f490d1020b5cdeffd64ad76ceaa8cd7bebfa72317a68a76ecd8809 size 2686 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_ratchet_step b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_ratchet_step index d87d6a33f0..da1b135519 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_ratchet_step +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_ratchet_step @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0becc759367e1d3b6155267442314c64a0e0846ac6728d8bbcdf7afa1ebb8b6a +oid sha256:765d705d64ba11b482acc02c442259dfcd9ee111a4779e454f26580f10d28ec6 size 7447 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_same_chain b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_same_chain index fb6d83a37c..b27f07626f 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_same_chain +++ b/soliton/fuzz/corpus/fuzz_ratchet_decrypt_stateful/valid_same_chain @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:809fec334440924c26f1af0e7dc1cee4fcb8085fed0b43d8d2947177a663e426 +oid sha256:0b2d3443ec51584362b303ecf0fae56b48e1f2bc1741815fda57b8a1e7abfb65 size 2672 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/04689513a7bb7518164587f0b9e482c339b2ce25 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/04689513a7bb7518164587f0b9e482c339b2ce25 new file mode 100644 index 0000000000..a39cc66feb --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/04689513a7bb7518164587f0b9e482c339b2ce25 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fbcf8454ef257e143efac7c95c492ae4f74243cea9aefd7bbe0f2132ac68515e +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0917b7a375b1dc3bc199adef752ddc4af013063a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0917b7a375b1dc3bc199adef752ddc4af013063a new file mode 100644 index 0000000000..c9739ceed5 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0917b7a375b1dc3bc199adef752ddc4af013063a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d33040ef1073b15d27212a5c496cdf32f014823d46e8cd047474d93b85b5a273 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0be2817fe6131cafa25f9adef6a2876e4a5158d0 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0be2817fe6131cafa25f9adef6a2876e4a5158d0 new file mode 100644 index 0000000000..8310481ba0 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/0be2817fe6131cafa25f9adef6a2876e4a5158d0 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bab501e42c469edbfb45653121e01f77fc531ac3ce75825cdac050d15d958472 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/16687b309b81f17dc64135e0ce92166f7a1bbc5a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/16687b309b81f17dc64135e0ce92166f7a1bbc5a new file mode 100644 index 0000000000..30a1412cd5 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/16687b309b81f17dc64135e0ce92166f7a1bbc5a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bb75ee484113139087109fb097c50e0b820779618ae956bffc50138101a6450d +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/17067c6ab32c699b7a6ccae3f24141f8dc804482 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/17067c6ab32c699b7a6ccae3f24141f8dc804482 new file mode 100644 index 0000000000..76c8b4584c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/17067c6ab32c699b7a6ccae3f24141f8dc804482 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b699450584f2122e9a70ca668d9894e55a24b6f9c3d5606c6dd4e68275320f30 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/1774072963e3ec198b496e12094ebfeb441501ba b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/1774072963e3ec198b496e12094ebfeb441501ba new file mode 100644 index 0000000000..daf01a1320 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/1774072963e3ec198b496e12094ebfeb441501ba @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:809cb0084b0189deccf17f53ebef954144ea29a4a150d3dac2e3572a6026b2fa +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/269638500e7164650bb3fccf91b3fbc6cd782938 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/269638500e7164650bb3fccf91b3fbc6cd782938 new file mode 100644 index 0000000000..8ea81913ff --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/269638500e7164650bb3fccf91b3fbc6cd782938 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:edeed0dbeaa7985f09961ad829cb9257d0754f77be1aad5ebc962b6b0595b8da +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/32283e4d4176989edfd698324e69ba74eeb723ed b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/32283e4d4176989edfd698324e69ba74eeb723ed new file mode 100644 index 0000000000..1d65ab185b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/32283e4d4176989edfd698324e69ba74eeb723ed @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:852e8399374a6de3d8479441c9f1906dfcd54c9460c3789b7865c6e861c3a216 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/42def3847649bb75539696c104b001f7fc444b56 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/42def3847649bb75539696c104b001f7fc444b56 new file mode 100644 index 0000000000..19c03caec3 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/42def3847649bb75539696c104b001f7fc444b56 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93c5c8f8b0e20595cfa0157c40ccfba27d57b6dd5f87f18b1c9f25cb28cabdda +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/4a97e82e63ec5e8323f53af62d80c7374c6c63e2 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/4a97e82e63ec5e8323f53af62d80c7374c6c63e2 new file mode 100644 index 0000000000..34d9c2f00c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/4a97e82e63ec5e8323f53af62d80c7374c6c63e2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f8f9780b40d460a329e75543ccfd8b4a85daaaac1518e9257fcf2fdd7ec2069 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/655957cb10a43d01f4c89427850fa8d8e94907ca b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/655957cb10a43d01f4c89427850fa8d8e94907ca new file mode 100644 index 0000000000..3200c4901b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/655957cb10a43d01f4c89427850fa8d8e94907ca @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:303ba66a1149747afed7c0433196394d89ad3c53464c4a2ee45d867d336d3cbb +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/665b8b9b6dcb3e14ceaca3349129a25b310f4d7a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/665b8b9b6dcb3e14ceaca3349129a25b310f4d7a new file mode 100644 index 0000000000..ff3cc8238c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/665b8b9b6dcb3e14ceaca3349129a25b310f4d7a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:91efa42f92a58bfe51ceff1786be9e91557061d1d76cc2a6788adfe086ffa0f0 +size 176 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/743fe7b293ed0ddbdf4c33f254b61f5e278b5df0 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/743fe7b293ed0ddbdf4c33f254b61f5e278b5df0 new file mode 100644 index 0000000000..42bfe15fee --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/743fe7b293ed0ddbdf4c33f254b61f5e278b5df0 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b1eecf9610c175bfe3f7c08d1e2fa29a82764e08fa7ecdb0d9ec064111a8130 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/75b668a3fbb449d1fa055c151371fcd72ffae4ad b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/75b668a3fbb449d1fa055c151371fcd72ffae4ad new file mode 100644 index 0000000000..f31c1e947f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/75b668a3fbb449d1fa055c151371fcd72ffae4ad @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64117676aeed670ad25250471066d1b07157ebc2f8dde40aaeec162eb4ad1127 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/7febd267420a7eb45f9c3aaee9f5d3e61fe020e6 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/7febd267420a7eb45f9c3aaee9f5d3e61fe020e6 new file mode 100644 index 0000000000..aed5681106 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/7febd267420a7eb45f9c3aaee9f5d3e61fe020e6 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e3ba57c6311bb02fa87a8e62ea067f09fa857bb149201ebc77f082c4b328d2db +size 1450 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/80f4a02693e83cca78db8daccc4f3d4681a3569c b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/80f4a02693e83cca78db8daccc4f3d4681a3569c new file mode 100644 index 0000000000..1b5a414a47 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/80f4a02693e83cca78db8daccc4f3d4681a3569c @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ab4a68a558f2c09976e222ec460483f6269b2ee04b89061a175553a8a2c5ed89 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/88195877b37b5bf195c9dfa20d3e5551c1a0fe4a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/88195877b37b5bf195c9dfa20d3e5551c1a0fe4a new file mode 100644 index 0000000000..e90bce8667 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/88195877b37b5bf195c9dfa20d3e5551c1a0fe4a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5be719501c49353b68423e8a158c08ea299bfd7b901a05941d9bd8f3db353961 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9c6bf5bcbd2f1fd583478c053635a7529f68eb9a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9c6bf5bcbd2f1fd583478c053635a7529f68eb9a new file mode 100644 index 0000000000..d4cffe874e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9c6bf5bcbd2f1fd583478c053635a7529f68eb9a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7ba51c1334038743e8f102f809aed6c2127fc04303b4c7d0612122fc506b3b89 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9cac935648018df895d2af285e7808e46fa07c53 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9cac935648018df895d2af285e7808e46fa07c53 new file mode 100644 index 0000000000..0d392ad669 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9cac935648018df895d2af285e7808e46fa07c53 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9c7cd09d66f89b7d9bf35a33de3775bec03f9c269d4ae9e9cd90759fdc2f62ba +size 5073 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9d9ddfdf05cfc8a6666f68c6760cc403743c5e42 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9d9ddfdf05cfc8a6666f68c6760cc403743c5e42 new file mode 100644 index 0000000000..a3d4caf3e7 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/9d9ddfdf05cfc8a6666f68c6760cc403743c5e42 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:46cbc299be0852a7fe2f9516815003da5bc51a385ab095c7c5c4bd6a96a64364 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/a8e8183d7d651c83596f4281893c0ac11afe3c7b b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/a8e8183d7d651c83596f4281893c0ac11afe3c7b new file mode 100644 index 0000000000..d29cf40717 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/a8e8183d7d651c83596f4281893c0ac11afe3c7b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:775ffc56c8eef943553db56cfdf4763e42dbd0c0dcc25725e6b670bee8432e5a +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_init b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_init index fd1720ac22..bfd3654442 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_init +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ae7e68494fb094fa4bfe0a956be65f5092ee6a8d71d840f0a144060305612a0e +oid sha256:58c030facf4897ea66adfbe32d5fe2cd4d06b48def7fd10170d9d9677d7cf06a size 3847 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_pending b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_pending index fb3bb06136..c4170a8934 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_pending +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/alice_pending @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:73f044d87c847dc27143fe31989d07577d5405c224564aab20fe018250811827 +oid sha256:3ab523215fdbe6fffd042bda2d92cce84bf75089c3dce6c974993a42c8375fd5 size 5073 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/b2d4e16f69672f8ed52a5c32d0851967b9e8735b b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/b2d4e16f69672f8ed52a5c32d0851967b9e8735b new file mode 100644 index 0000000000..e480bf4cba --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/b2d4e16f69672f8ed52a5c32d0851967b9e8735b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:55c95b24c7963884c6b4cf29d873e6a8ff2e6148200bc1bce3253b3b8f637b21 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_exchanged b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_exchanged index 0e0f60ccbe..4de5a08b48 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_exchanged +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_exchanged @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e23fead437dcdff4c4afd8a5885ed139219ec0e703caec0711b49d25dbc4af2a +oid sha256:346d109ae6d38b9cf173054520422ce537f5ac1e55e0b8388ffa48aa5c36136d size 5069 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_init b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_init index 169d6f1dd5..e71d227347 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_init +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/bob_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:bef9dfa538fc138382de9acae5c89a6ad2d81c2ddce24303de74d9ce7c25e439 +oid sha256:a32cbddf55d2f81b822c9ad31c230efb8b2e99d28be669ad15a88da003c1c98d size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c0f48c22ac733accf694be1cecfe539a9ba4266a b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c0f48c22ac733accf694be1cecfe539a9ba4266a new file mode 100644 index 0000000000..bee6fd3f13 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c0f48c22ac733accf694be1cecfe539a9ba4266a @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a686f0414f8d91c5323852e31e6573d9cb65199d0240994706b59448c55fecad +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7892ff4f73fd08d733d0f16abcedbaa15c35c94 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7892ff4f73fd08d733d0f16abcedbaa15c35c94 new file mode 100644 index 0000000000..4e2f3f72fd --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7892ff4f73fd08d733d0f16abcedbaa15c35c94 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b419c14dfc08681cb038e73e2f6e236d960054e6c6d857349337a11bc9c26a4a +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7bd3243312d34a1f432b854e9f8eae8c59cde74 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7bd3243312d34a1f432b854e9f8eae8c59cde74 new file mode 100644 index 0000000000..11a0ab8d24 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/c7bd3243312d34a1f432b854e9f8eae8c59cde74 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:abf3c502c623810ed9a7c5339353ae70bb5b6d429308a3e4e0bd19654888fa77 +size 1447 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/d76b68fa3c611301f175690d476a95e8f3cc7d96 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/d76b68fa3c611301f175690d476a95e8f3cc7d96 new file mode 100644 index 0000000000..4bf9925902 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/d76b68fa3c611301f175690d476a95e8f3cc7d96 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:69df05df8e843edc715fa3cffc5b28fa535b740bf3fcd799b90627b6e1024c72 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/dec8da52d24aa96e1acccd8993cac40fb2fb9386 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/dec8da52d24aa96e1acccd8993cac40fb2fb9386 new file mode 100644 index 0000000000..7fc1f64181 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/dec8da52d24aa96e1acccd8993cac40fb2fb9386 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a12bead2ec2d708c8010b3b6b34bde4bf9155c2276a2701ff5e1bc8cf06b7aad +size 1447 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e1a4516b7e53a5c060d9299c8c9599c9fec21180 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e1a4516b7e53a5c060d9299c8c9599c9fec21180 new file mode 100644 index 0000000000..8c451ee143 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e1a4516b7e53a5c060d9299c8c9599c9fec21180 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf833f1fa9e43ce8bc0860559149ff257a002e29526ef80dfa35da1674f8af50 +size 5073 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e55e53ab95010357f6fb38968f61d494a432ee60 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e55e53ab95010357f6fb38968f61d494a432ee60 new file mode 100644 index 0000000000..6c3213498c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e55e53ab95010357f6fb38968f61d494a432ee60 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:154fa3b56ba0561669cd20a89a92fc710e506c2a089c1c13900ea957f885291d +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e7183ecd97ee049b6036746067e42a34b437c5d5 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e7183ecd97ee049b6036746067e42a34b437c5d5 new file mode 100644 index 0000000000..92e1ceceaf --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/e7183ecd97ee049b6036746067e42a34b437c5d5 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:228f6a8d85610e647d40b42de3ca2f012108d8d087d83a5a73c533974576d641 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/ee5475f37f25dc12f7513c4b2f81962829715775 b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/ee5475f37f25dc12f7513c4b2f81962829715775 new file mode 100644 index 0000000000..1865d89858 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/ee5475f37f25dc12f7513c4b2f81962829715775 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2cb2aaed186f5f2fd19a1f8329f35826038fde3623f978740ee41530802d125 +size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/near_exhausted b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/near_exhausted index 68c8514662..855d97dd28 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_encrypt/near_exhausted +++ b/soliton/fuzz/corpus/fuzz_ratchet_encrypt/near_exhausted @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:17806c2e200dd0c72f8eef32f7d97a48cd43fef2ed71ecb9e48415ff04884d35 +oid sha256:27b427d1ce6fd7cf014d995b8edc1153242c00e0ba922027238fb75ac3d40bd2 size 3847 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/17cd25351e26aa472f453714a59f507b97580f60 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/17cd25351e26aa472f453714a59f507b97580f60 new file mode 100644 index 0000000000..076cee7ea7 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/17cd25351e26aa472f453714a59f507b97580f60 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b7a47bd11741c65f34af90590237452229067954eb41c53e3c1fb39e7fe329f +size 3888 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/420fcc1244c027ef31f686676cc76866b8a2c44e b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/420fcc1244c027ef31f686676cc76866b8a2c44e new file mode 100644 index 0000000000..11f9554ada --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/420fcc1244c027ef31f686676cc76866b8a2c44e @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cbca3771122dc4ae0fe8f30bf04a9d30907dc149b353874e3a8e9923367bdf9b +size 4204 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/47cea8c6dcdcb3d6a79eb106ad0e441edd97d5dc b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/47cea8c6dcdcb3d6a79eb106ad0e441edd97d5dc new file mode 100644 index 0000000000..af52cb78f3 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/47cea8c6dcdcb3d6a79eb106ad0e441edd97d5dc @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7392d5bb58936a8ed0d0c8591914ee9cbb9a3d72476b70a33e472388f895aca5 +size 3888 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/605ce38a081ebee9888a5df7542b9785a465f79f b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/605ce38a081ebee9888a5df7542b9785a465f79f new file mode 100644 index 0000000000..89e531e605 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/605ce38a081ebee9888a5df7542b9785a465f79f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:732c643cb078a2d146d218a38646f8cffdcaa09983ebb99372557b779747da94 +size 1455 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/67d8113ef1877ad5cbd6d115e34947b4f120e69e b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/67d8113ef1877ad5cbd6d115e34947b4f120e69e new file mode 100644 index 0000000000..ca132a379a --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/67d8113ef1877ad5cbd6d115e34947b4f120e69e @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:56800fd0b259e3dd09b6452023d0a115c54ba559370a64828eb385b474515571 +size 1469 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/8684b01e0f5125cc689ca1738e73327ec29b0823 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/8684b01e0f5125cc689ca1738e73327ec29b0823 new file mode 100644 index 0000000000..6b10eb8528 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/8684b01e0f5125cc689ca1738e73327ec29b0823 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5d164c979ee556b7389bea72c90d9592080a45013be5d170955947b863e75d4e +size 3888 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/a0756571c0412355735b5fa216b04b35b0cbc75e b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/a0756571c0412355735b5fa216b04b35b0cbc75e new file mode 100644 index 0000000000..7c194f76fd --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/a0756571c0412355735b5fa216b04b35b0cbc75e @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0e3e866b5cc4646d7cac0419f2d46807193071a52e0826c309af405527cbd817 +size 1493 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/d6732238b415a089c23ab724dc0dda09f2dec182 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/d6732238b415a089c23ab724dc0dda09f2dec182 new file mode 100644 index 0000000000..0b5ca0a9e2 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/d6732238b415a089c23ab724dc0dda09f2dec182 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6439cfa9fb93a086a999d437bf1e803df98234c20fd8a59a04f170a81b18384c +size 3888 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e4510675f17d62b1a4c36d907f51d9d743a0b38f b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e4510675f17d62b1a4c36d907f51d9d743a0b38f new file mode 100644 index 0000000000..7b944087cf --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e4510675f17d62b1a4c36d907f51d9d743a0b38f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72e975950ac609c8c6b1c8b82c19c68480fb3562b58eff5c430291300a9f6063 +size 1445 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e65903d764148506a2ae69d568b62b4fa72b91e3 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e65903d764148506a2ae69d568b62b4fa72b91e3 new file mode 100644 index 0000000000..b3de9ce4ed --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/e65903d764148506a2ae69d568b62b4fa72b91e3 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e998ff6be6fc1f6e9062c33e811c3847426d1c0ba37a98478d1ebf2d1b01a4a9 +size 3875 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/epoch_too_low b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/epoch_too_low index 1dafc8fef0..de3e363b01 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/epoch_too_low +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/epoch_too_low @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2d87af033da44a2d247094e9ba4445ce99432f6bcd49607ab2408774091fa1c4 +oid sha256:ea6b76ad8fe3f048e4dae2cc052d6ec6da0dad13e989e1f488c4438380009135 size 3855 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/fc984eb799eb4e6894d32698d885ecfed4ad6da6 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/fc984eb799eb4e6894d32698d885ecfed4ad6da6 new file mode 100644 index 0000000000..e0638af172 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/fc984eb799eb4e6894d32698d885ecfed4ad6da6 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:62156501f93e89ff5499458067c42f5baed0b6d4c106e1048bde5d183f2d989c +size 3930 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/max_epoch b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/max_epoch index 4c1fed342b..e771f7b6c1 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/max_epoch +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/max_epoch @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:50738361ecc1dbbbc2143b4146651e4df023c019cf9f004007f6380f26d5b5f8 +oid sha256:0bc2e6763cf86e85503c998f3f64520dc68f58b7d438fcd7c8b4c8a631edec18 size 3855 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/valid_epoch_0 b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/valid_epoch_0 index 70a5410fcd..ea60f6d43e 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/valid_epoch_0 +++ b/soliton/fuzz/corpus/fuzz_ratchet_from_bytes_epoch/valid_epoch_0 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ce58e79c8ef7e3a23a7bb3404bdda70cd6d775b5c1d59f30483c04c99565560f +oid sha256:a7bafd94649f7f491dc202ce89db3ebbd4954c4329ef706e6038d2e90ff7e977 size 3855 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/1d1fbed42b15c0df3226c37ee01efeeb52b73811 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/1d1fbed42b15c0df3226c37ee01efeeb52b73811 new file mode 100644 index 0000000000..faf7f19916 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/1d1fbed42b15c0df3226c37ee01efeeb52b73811 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:59a8e61d3eb273ab60c9b51233ab5f1657fb6b3a6830944bf2fc4b635053d9e5 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/21a986b47c13b1a000b87f138f8f51b474170ca2 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/21a986b47c13b1a000b87f138f8f51b474170ca2 new file mode 100644 index 0000000000..83eacc1a82 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/21a986b47c13b1a000b87f138f8f51b474170ca2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bb467bb1c745642b169a6a8052660975a793abfcf5f7a525408626e909f58a9f +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/49c43ecd0f5bcadeef0f9f56ae2909d240b21d84 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/49c43ecd0f5bcadeef0f9f56ae2909d240b21d84 new file mode 100644 index 0000000000..aca4983132 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/49c43ecd0f5bcadeef0f9f56ae2909d240b21d84 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:74c9e078f2b73a800c3995a8ca1a2da25080860bc5ee65857374aa35bc81e2f9 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4a30b017bf7133aaaebcaca46abb791045642773 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4a30b017bf7133aaaebcaca46abb791045642773 new file mode 100644 index 0000000000..f1845415cc --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4a30b017bf7133aaaebcaca46abb791045642773 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3a7025faf862075e6c2eb7939fa78f12e34c3d3b167f8eab941f43ee8380d276 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4df99d4b875ae90b210d2cf642ae73477f435076 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4df99d4b875ae90b210d2cf642ae73477f435076 new file mode 100644 index 0000000000..6218aec0b2 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/4df99d4b875ae90b210d2cf642ae73477f435076 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d630446de430abdc80791e17632ca352fb48d5c6394d04dc83828e355add3fcf +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/507c6bbff4c5a2142afecce5db11511e6bce72ae b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/507c6bbff4c5a2142afecce5db11511e6bce72ae new file mode 100644 index 0000000000..8f4e7ef256 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/507c6bbff4c5a2142afecce5db11511e6bce72ae @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76677134d1d97351a49245c9295f405000da34806809e4b9dc9ddca0add3d0ec +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/518d4ea75f4a0b348b343f20ee152cc479da595e b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/518d4ea75f4a0b348b343f20ee152cc479da595e new file mode 100644 index 0000000000..9e37ede659 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/518d4ea75f4a0b348b343f20ee152cc479da595e @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cdf277b9af236cc5080ba2db9c66ddb63ce632c045a6d1e169865535c8669f95 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/59956e9a30dcb2c1d41aaaa679923074b16f6175 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/59956e9a30dcb2c1d41aaaa679923074b16f6175 new file mode 100644 index 0000000000..ab771885e6 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/59956e9a30dcb2c1d41aaaa679923074b16f6175 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7bd77db97093da8c0c5e3114afd331d61e2e3d52401d242c9c4a8b154f4ff549 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/81f7210342b479724af66ac5f8ff502ce32310d0 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/81f7210342b479724af66ac5f8ff502ce32310d0 new file mode 100644 index 0000000000..b0fc0f5000 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/81f7210342b479724af66ac5f8ff502ce32310d0 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9848bbe592090d9cbb383c628e3c259fc3cd71b89007d281135ffe17eec36e87 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/84b320fb84396f0dc9139f9eb61c11cabcb35fea b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/84b320fb84396f0dc9139f9eb61c11cabcb35fea new file mode 100644 index 0000000000..90e5987967 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/84b320fb84396f0dc9139f9eb61c11cabcb35fea @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cc104c9c42794eff2904a1b34053fc36c576756b06ed66530ebdc166e19e41fb +size 2679 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/8644d11338ba2a2cc82b87e254c2c45cd880152d b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/8644d11338ba2a2cc82b87e254c2c45cd880152d new file mode 100644 index 0000000000..e22787fcdf --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/8644d11338ba2a2cc82b87e254c2c45cd880152d @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8614b29168597ad37e218c9c7d9a3a3e92d4cdf8ac30c20e2308ca02582de72 +size 2679 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_exchanged b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_exchanged index 94842c7e9a..fd18a47b4a 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_exchanged +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_exchanged @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:a07f475502a2fb59fa3a7f1dbcd932fc371b05eb21dca30616e8f22281b79aff +oid sha256:fe0c6f94fdda9013a70b83b200bfb2fc98eff04ff780e9d4c40e3b19ee732b5c size 3847 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_init b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_init index 9cdab430a7..6207485830 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_init +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/alice_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:706e0df524d1eaf51fd360abbe87abc910e2fff66a581969a73374257e0e9bd2 +oid sha256:1b225d5528cef8974c824bee583169cc5ca69d4282e4e55c950df9429f32e446 size 3847 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_exchanged b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_exchanged index bb752ead66..af50cdd345 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_exchanged +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_exchanged @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:01c2e3e14c6d0c2937b95c85dc5b773bcf964c383d1533f4b7c8c9ad4e5023f3 +oid sha256:d496367ba17f6faffd5f0a8004a9e80f754e7eecc7366dc950886cbad4513381 size 1417 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_init b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_init index 13727a84ba..b8850700d6 100644 --- a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_init +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/bob_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:212b665a06a24899788bf5a96b80bf391971e066e94d8ab3d9e9845191fadc75 +oid sha256:1a66630a5262c4d20a2c290441f52229e8fa152efda4216543539d520ea9a8ca size 1413 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c454e0d2f4915e355e6b80bc6dd8a483a11ad39f b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c454e0d2f4915e355e6b80bc6dd8a483a11ad39f new file mode 100644 index 0000000000..2da7222e87 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c454e0d2f4915e355e6b80bc6dd8a483a11ad39f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b8dab1f54637fdc1bcf32b2e17f5fef6f1a2a8302c06fcb99e01d601957a97f4 +size 6323 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c7b53c89dc0929106ddae7e27c9d691c7671ffbe b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c7b53c89dc0929106ddae7e27c9d691c7671ffbe new file mode 100644 index 0000000000..48e00b8e4e --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/c7b53c89dc0929106ddae7e27c9d691c7671ffbe @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:adde1bf2d1abf4187c37107e222e1941d7c861fbcab5463953987dc8e48f732b +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/dea34a9a71dbc40f4aebb6d1c8e995e39d951a6f b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/dea34a9a71dbc40f4aebb6d1c8e995e39d951a6f new file mode 100644 index 0000000000..bb850dbfec --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/dea34a9a71dbc40f4aebb6d1c8e995e39d951a6f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b36e62acc9dca26e24f9da811fc191c83c0a39fba760468d7fc22600fd4e2b1a +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/ed50787268f92d89abc67eedfaa04cf918c99f08 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/ed50787268f92d89abc67eedfaa04cf918c99f08 new file mode 100644 index 0000000000..f6ed5abdbc --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/ed50787268f92d89abc67eedfaa04cf918c99f08 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2ada9a51255a05cf294cc57e4babf601695bdcba336e01765613a3585543e10c +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/eed29554ea909bb059a93cc73d042eb67ded9284 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/eed29554ea909bb059a93cc73d042eb67ded9284 new file mode 100644 index 0000000000..bb3d9b1d81 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/eed29554ea909bb059a93cc73d042eb67ded9284 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb45895560b00bb5d214ef1c57db536970e0cdd6207ca1e1400058a47090ca54 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f389401c788a63598667a84534dd73e80e85e29f b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f389401c788a63598667a84534dd73e80e85e29f new file mode 100644 index 0000000000..9f3396440c --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f389401c788a63598667a84534dd73e80e85e29f @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d82b14f2f80c5bd18efd43015a4d80c070a42256eee2562e07a76c868344a417 +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f9afd0c9fba141db681fbfc163fbe5c3a3800b90 b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f9afd0c9fba141db681fbfc163fbe5c3a3800b90 new file mode 100644 index 0000000000..4918c5262a --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_roundtrip/f9afd0c9fba141db681fbfc163fbe5c3a3800b90 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:588c2d1c7cd77faa269b350a40ee6d94de72a4de3ac64a2c452121d757a1624a +size 1437 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/225ed62055a76cbf5a855d5c2cc47f203ca62f03 b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/225ed62055a76cbf5a855d5c2cc47f203ca62f03 new file mode 100644 index 0000000000..b6ac41b3fb --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/225ed62055a76cbf5a855d5c2cc47f203ca62f03 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df97ae8c33563a8f86c7db30cbe930500f6a55acd01174b7d74f0198b2b8922d +size 70 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/3a30b06c52e20cdd754b86d025aaa32f2b2a0d18 b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/3a30b06c52e20cdd754b86d025aaa32f2b2a0d18 new file mode 100644 index 0000000000..4c2c27854b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/3a30b06c52e20cdd754b86d025aaa32f2b2a0d18 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72f7225f5ac152443232184c5985af58225b4bfe8abbddd2c6bd81827079ce36 +size 49 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/411d140f8bf8f4a8b5e5821b185c5c7bcc12faed b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/411d140f8bf8f4a8b5e5821b185c5c7bcc12faed new file mode 100644 index 0000000000..5f4f0ef67d --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/411d140f8bf8f4a8b5e5821b185c5c7bcc12faed @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:269c6323616032c26a2cb6b4dcd158363ff49edc094125667cc68b33570e0e2f +size 6 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/4337a79adf15750bebbee124c02ec505edf95924 b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/4337a79adf15750bebbee124c02ec505edf95924 new file mode 100644 index 0000000000..d173e9c1e1 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/4337a79adf15750bebbee124c02ec505edf95924 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:341dad0040967bb77b820c75a92f65670257bc2f47828059314b6031db59f008 +size 182 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/e2dfc033ab7eea543dd046382e0c1e2a59e465ed b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/e2dfc033ab7eea543dd046382e0c1e2a59e465ed new file mode 100644 index 0000000000..3cc8e9f884 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/e2dfc033ab7eea543dd046382e0c1e2a59e465ed @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:16cd667513f0b36f572802ea2ca21b72fc87a768fb42fe4408fbc0bcd9aebb16 +size 147 diff --git a/soliton/fuzz/corpus/fuzz_ratchet_state_machine/ea3d54253bed94f46635e3b8903789d5a0213259 b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/ea3d54253bed94f46635e3b8903789d5a0213259 new file mode 100644 index 0000000000..412f83a86b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_ratchet_state_machine/ea3d54253bed94f46635e3b8903789d5a0213259 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6df39f9cf12bd25b35e4af8ee0c2a202d4e32f74e211c23d892b1f205301010e +size 184 diff --git a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/truncated_1 b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/truncated_1 index 2f08d3e934..4bebabaadc 100644 --- a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/truncated_1 +++ b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/truncated_1 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:182a156f449d92eea5d2ce694120c8b6e3f4dc67c30250c241725194b687b3eb +oid sha256:0bba844da4197261420d2c4ad6763f21efc5160665d3e5ac8d7197366a82aac2 size 3542 diff --git a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_no_opk b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_no_opk index 737986a54b..0c446849d9 100644 --- a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_no_opk +++ b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_no_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:49343e8330cad92f9dd91b16d27c0f857d240064834594e2cc4adb76cc1bce5f +oid sha256:15bcef4aa06eb2f0161e1b3a8538328b8d47336b5f6578debe5ab9083a44bce8 size 3543 diff --git a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_with_opk b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_with_opk index 3e41bbcb6c..f2cf0b2ec0 100644 --- a/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_with_opk +++ b/soliton/fuzz/corpus/fuzz_session_init_roundtrip/valid_with_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e94cf7fcfb130fdbe17040d77badfa6be4cf08241a8c742d27c180309830aa4a +oid sha256:aeeabbdeeda56a52d9b3b38d14a5467ea17a3a1be25270cc47cf7a9fff8d4c94 size 4669 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/254a55e6ac09d08eec781bf9783781b49a03fafe b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/254a55e6ac09d08eec781bf9783781b49a03fafe new file mode 100644 index 0000000000..d1d9165f0f --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/254a55e6ac09d08eec781bf9783781b49a03fafe @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6be215de7198b2d933261ff296de2f0f2e296d14c0f8c584e5d90b6ac23859b6 +size 45 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/32e131568edb7e560cac230264e090f11295fd65 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/32e131568edb7e560cac230264e090f11295fd65 new file mode 100644 index 0000000000..850dd2d42b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/32e131568edb7e560cac230264e090f11295fd65 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:048e75914a94293c30915edbe3e256dd60c913acd118c1a1f31ba02c1b30275c +size 43 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/393ab93a18db07a5e69641cb1ac1243268529609 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/393ab93a18db07a5e69641cb1ac1243268529609 new file mode 100644 index 0000000000..2a2612ccbc --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/393ab93a18db07a5e69641cb1ac1243268529609 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c94f8a7d5e75180f6cb7d01ec992fcf7c957be7ecaeb0a22807ab99c16f7823e +size 42 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/6291ada0c4b6934bde934e25d7288aefccd7e311 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/6291ada0c4b6934bde934e25d7288aefccd7e311 new file mode 100644 index 0000000000..117fe21943 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/6291ada0c4b6934bde934e25d7288aefccd7e311 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e1374ca693fcf9cb36b22bec01217e1ecfedd369c3fba1463db08d43def80bfd +size 347 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/67fabcc6fbb37464a01f39f71e6c184c108a8a27 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/67fabcc6fbb37464a01f39f71e6c184c108a8a27 new file mode 100644 index 0000000000..2a983b213b --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/67fabcc6fbb37464a01f39f71e6c184c108a8a27 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fe641fac35c9262479bf7051928e5c5a81af56c23218e76df1860ee703e2bee +size 158 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/72be2fd2ffce48d92d93241a2ee51e35a75bb580 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/72be2fd2ffce48d92d93241a2ee51e35a75bb580 new file mode 100644 index 0000000000..d7515e85c7 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/72be2fd2ffce48d92d93241a2ee51e35a75bb580 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e5e6b2eae4dbefbcf045a092ac846b2b7b97f60b029b8289b3d03931a8ef83c6 +size 42 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/8c1e6ab4270792c51304ea06f47dc20ce51ba57b b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/8c1e6ab4270792c51304ea06f47dc20ce51ba57b new file mode 100644 index 0000000000..74288cd5da --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/8c1e6ab4270792c51304ea06f47dc20ce51ba57b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7c5bd2d144fdde498406edcb9fe60ce65b0dfa5f2dd7a7617f505e3d46d68bdb +size 1 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/bad_flags b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/bad_flags index da20804f81..c53e3b11e6 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/bad_flags +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/bad_flags @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:41507110570e5c8ba69e528cc9ee0462c8d6b8fa373cdd2b36ece2bca183d6b4 +oid sha256:89ab6e85f7c85a4a2a1470092815902602226441de9a8cf33edda2506799673d size 52 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e0f12cebce606cc8e3e8a60e2377fe50ef1cc3f5 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e0f12cebce606cc8e3e8a60e2377fe50ef1cc3f5 new file mode 100644 index 0000000000..8b638a06c2 --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e0f12cebce606cc8e3e8a60e2377fe50ef1cc3f5 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9dfd5aa99195ac54b51502456da815e09dde51c7607259b286262bd3ca0098d6 +size 199 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e8e14349181aa32d57e39cd3af6a825c10d03222 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e8e14349181aa32d57e39cd3af6a825c10d03222 new file mode 100644 index 0000000000..228452407a --- /dev/null +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/e8e14349181aa32d57e39cd3af6a825c10d03222 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:10567d6e44931c3f8984d6eec1ce6a77aa3faf41963f49da11504be35a87d6a3 +size 171 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/unknown_version b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/unknown_version index 28c01975b5..82b4234b86 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/unknown_version +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/unknown_version @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:651d3d062891f6281e8a92ee7e29e102a1a6ba9b63dea487bd126d9fe1af6983 +oid sha256:61bc40586ea8fbf6647ab9fda9ce285696d758280fbfc9f95d6593df2b1024ab size 52 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_compressed b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_compressed index 4be8052b1c..53a4ac9748 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_compressed +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_compressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:a91fa69cd3cc1906f546302bcdd0e7a1adc5118afedd9a14ae56050eec9c461b +oid sha256:6954af6f5405041223e4a7db5b28fd5d4f9d69f9e93271690718ce6ebcbf2f3b size 85 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_uncompressed b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_uncompressed index 53e4d282c9..b983e0c7c5 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_uncompressed +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_uncompressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d4293e82a33f94d490dbfb71d666250aadef35f5c82af5c516e59341f5bb28a7 +oid sha256:5ae325bc327d432eb8e6d342e0b435e8271b9f7e583bf15be6207b66d1cccfb2 size 52 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version2 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version2 index 159b49ea8b..da03ca618b 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version2 +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ee8ad5fb31be506c95ffba94bab60ef65fcdc3282e7ff49a1c360b9baa391abf +oid sha256:368cf5f58cb343f56488618b24fefa693a7394ab0fb2ace20497207520e4b4b2 size 51 diff --git a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version3 b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version3 index 45ea0d0d9a..4b938a4e92 100644 --- a/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version3 +++ b/soliton/fuzz/corpus/fuzz_storage_decrypt_blob/valid_version3 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:16e764cd182728cba1ed234e13fa4e9f076a4ec6291ad097f94853aa430e6982 +oid sha256:170fc59b26633ece5dd155244b21a2a64cc662efb53b03dffae84d40afedf8be size 51 diff --git a/soliton/fuzz/corpus/fuzz_stream_decrypt/single_compressed b/soliton/fuzz/corpus/fuzz_stream_decrypt/single_compressed index d6efe4abd2..03c7b9309f 100644 --- a/soliton/fuzz/corpus/fuzz_stream_decrypt/single_compressed +++ b/soliton/fuzz/corpus/fuzz_stream_decrypt/single_compressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:5ad9df783b94a5f63e3307bf1a7d4cca5b49be8047512be2aa74006cfa98bb06 +oid sha256:f0fbb4d368c8807ff8eb5ce7801994cfc9beb82cba7acbfe63d45890c3edaa94 size 59 diff --git a/soliton/fuzz/corpus/fuzz_stream_decrypt/single_uncompressed b/soliton/fuzz/corpus/fuzz_stream_decrypt/single_uncompressed index 23b28f1449..7712cc8d18 100644 --- a/soliton/fuzz/corpus/fuzz_stream_decrypt/single_uncompressed +++ b/soliton/fuzz/corpus/fuzz_stream_decrypt/single_uncompressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:3fe2e17d21329fb62045c736e884e1a166c67ec38fbf4ee2897cb75db564a5b1 +oid sha256:54561d5144a1e4bc40721dff12077ec4a574a9b04994198f053564e63384f9e0 size 55 diff --git a/soliton/fuzz/corpus/fuzz_stream_decrypt_at/single_chunk_idx0 b/soliton/fuzz/corpus/fuzz_stream_decrypt_at/single_chunk_idx0 index 8f2b3bc8a2..c7a68199d5 100644 --- a/soliton/fuzz/corpus/fuzz_stream_decrypt_at/single_chunk_idx0 +++ b/soliton/fuzz/corpus/fuzz_stream_decrypt_at/single_chunk_idx0 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6b1aa2ad6dfb04d8138d6aec8bf99c14d9cdf02f061f12c71804b89670385a99 +oid sha256:08863696b1cedfefdeb1147af7faefb833fc4c40ab80fcb51d72e36ce253cbe8 size 66 diff --git a/soliton/fuzz/corpus/fuzz_verification_phrase/two_real_pks b/soliton/fuzz/corpus/fuzz_verification_phrase/two_real_pks index bad9cd75f7..7b8c71ae41 100644 --- a/soliton/fuzz/corpus/fuzz_verification_phrase/two_real_pks +++ b/soliton/fuzz/corpus/fuzz_verification_phrase/two_real_pks @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d3c21fb3b221f6dc495152badf93f358be739d0330312df4dc528d3baeb70ae9 +oid sha256:4b7401b6b07af3191e514be98202c372592b078cc64f8c06387799801d109239 size 6400 diff --git a/soliton/fuzz/corpus/fuzz_xwing_roundtrip/mode_a_valid_ct b/soliton/fuzz/corpus/fuzz_xwing_roundtrip/mode_a_valid_ct index 06101143bf..b4402d0565 100644 --- a/soliton/fuzz/corpus/fuzz_xwing_roundtrip/mode_a_valid_ct +++ b/soliton/fuzz/corpus/fuzz_xwing_roundtrip/mode_a_valid_ct @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0bbde19c69fc71c815b6dfda1c3a404493cf0cad7f6bc20a1ac93b41cf4d24a5 +oid sha256:eac4445c48fe3d66200993273e59a7e0fc0cdf9d82381b86dbdee8227c098baf size 1121 diff --git a/soliton_capi/fuzz/Cargo.lock b/soliton_capi/fuzz/Cargo.lock index 85ccde02e6..a82affaae7 100644 --- a/soliton_capi/fuzz/Cargo.lock +++ b/soliton_capi/fuzz/Cargo.lock @@ -435,7 +435,7 @@ dependencies = [ [[package]] name = "libsoliton" -version = "0.1.0" +version = "0.1.1" dependencies = [ "argon2", "chacha20poly1305", @@ -473,7 +473,7 @@ dependencies = [ [[package]] name = "libsoliton_capi" -version = "0.1.0" +version = "0.1.1" dependencies = [ "libsoliton", "zeroize", diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_no_opk b/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_no_opk index 50bc5946e7..0fb529ce47 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_no_opk +++ b/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_no_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:671ae9c4ad517ba33b6f87f32c71fb14b43a8418ed11eb9b0dcfe7490d3e5323 +oid sha256:3428a5c6fb7e95f16da1a2afef2720e24ad8887697667d2a7092a1b20132b722 size 3543 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_with_opk b/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_with_opk index 401a30eed6..e29f8afeff 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_with_opk +++ b/soliton_capi/fuzz/corpus/fuzz_capi_decode_session_init/valid_with_opk @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:fee0012e2035c9485e054466f915ae05f10b4391bafb4c9f6a11c662883b32c0 +oid sha256:667ab6fa0f3c48d83b4af54f2401a3edbda16b6c24330f47c844802f70cd25db size 4669 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/518de1210d825ad0a156f42b45a1f26e3f2f5164 b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/518de1210d825ad0a156f42b45a1f26e3f2f5164 new file mode 100644 index 0000000000..6916756c80 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/518de1210d825ad0a156f42b45a1f26e3f2f5164 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5cde039b30f792b4274463acad47d6e35d300e600daee1a2d0951da9dee5ea7f +size 43 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/a8400c34a55cd824a934bc9039c0faac3ab20c4c b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/a8400c34a55cd824a934bc9039c0faac3ab20c4c new file mode 100644 index 0000000000..c346ea42b0 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/a8400c34a55cd824a934bc9039c0faac3ab20c4c @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73b6b0196988a31f8695ffcf7123d241ed94b911a2b942435506bbfb128b9346 +size 43 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/invalid_fp_len b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/invalid_fp_len index 8a8c297815..872f38a0ff 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/invalid_fp_len +++ b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/invalid_fp_len @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:96d7a5133f4bffe9292d3a4bb018cc946fb1788bf5f7d23a7d99ca875b702129 +oid sha256:0026c675c99df7084c7f4351aedf76278ff04f6a283dbbfab32985219ce3ba26 size 72 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/valid_compressed b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/valid_compressed index cbd591ea5e..e899e18246 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/valid_compressed +++ b/soliton_capi/fuzz/corpus/fuzz_capi_dm_queue_decrypt/valid_compressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:56212c75960f439d3e3215b399e8386e28706eb1415b04ed72ec77cf746168aa +oid sha256:2685927cced3c0a21acae2f1c2db1518fed35725526fcc3618bb7835ee7f2af8 size 72 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/105dfdd85cb7b557ca16c67cae63030ab39390b6 b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/105dfdd85cb7b557ca16c67cae63030ab39390b6 new file mode 100644 index 0000000000..0779729dcf --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/105dfdd85cb7b557ca16c67cae63030ab39390b6 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c894f1d321d3ce94d8de9bfa79a18b1c9609931900f76f4433395c898a195351 +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/13c724f130634a617fe2b48c915160f3e14db4a0 b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/13c724f130634a617fe2b48c915160f3e14db4a0 new file mode 100644 index 0000000000..0d931f1abb --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/13c724f130634a617fe2b48c915160f3e14db4a0 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb32c15af595a4b1a61af391305e4c122516a4c247abbc0fdd5094b68a6f04ae +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/1589ff28a104bbd981ac270e2eff069329986b61 b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/1589ff28a104bbd981ac270e2eff069329986b61 new file mode 100644 index 0000000000..565164054a --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/1589ff28a104bbd981ac270e2eff069329986b61 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7bb2fcc4f6f0ba9b8dba7d66bd07a8ebcce235deedf52511050645d1bd67b3da +size 1456 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/40363b7a8744c03c27f65c1d5816e65766719aeb b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/40363b7a8744c03c27f65c1d5816e65766719aeb new file mode 100644 index 0000000000..3db9db3647 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/40363b7a8744c03c27f65c1d5816e65766719aeb @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:95f6e3e82c3600ce034b1c8d7b3bbc17b5dd486c9f61523ea882a6627f89e791 +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/442a7e8d85a646ab2755f05178aafbcac5072a9b b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/442a7e8d85a646ab2755f05178aafbcac5072a9b new file mode 100644 index 0000000000..cd23e83360 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/442a7e8d85a646ab2755f05178aafbcac5072a9b @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0abc72457994f3dc3832e3aa5bb7a43fb915a5b652a5941200b41f7c2e747461 +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/68c937e9130da68b8d862ed640f224ffe546e11e b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/68c937e9130da68b8d862ed640f224ffe546e11e new file mode 100644 index 0000000000..b73250e174 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/68c937e9130da68b8d862ed640f224ffe546e11e @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6c4e5fe4b07419b30f6528ae3f88142e1d1a532c9ac01d35fa1949571c1960c0 +size 1456 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/alice_init b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/alice_init index f259fc2e08..d4594967fb 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/alice_init +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/alice_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2f55bc02c60ca47525bb8a4f58096d4e1efdb98f1359e5a9195f381cd4a49e57 +oid sha256:c42aece50d53695b473dcd56fe8728e4eb700f0ab2233519378330dd2b81cec7 size 3847 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/bob_init b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/bob_init index a984b5e286..058fee7857 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/bob_init +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/bob_init @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:1d69dbce314e277ee0d4b638676e305d6a5db254e2bb4b99f4a752db11c12536 +oid sha256:746b132fca162d0380d078afc468126e4c383a03ebe2fa8c76e543e6e982b4d6 size 1413 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/d5b3ba86052817a36e8fe5207a107869e5a1423c b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/d5b3ba86052817a36e8fe5207a107869e5a1423c new file mode 100644 index 0000000000..b4d8bdc78d --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/d5b3ba86052817a36e8fe5207a107869e5a1423c @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e9921b39da7b3465c12c3cb3996ebc3d2d434db0369a6e8466bf3c44eccb263c +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/f3de7ca01c49b11926e45d717d6a7699320218be b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/f3de7ca01c49b11926e45d717d6a7699320218be new file mode 100644 index 0000000000..3898e74462 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_ratchet_from_bytes/f3de7ca01c49b11926e45d717d6a7699320218be @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ea8d630fdc855f18fdee238897645e2567b65665fe921dc29e1fb962be33c5c +size 1441 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/0829c17ba2f706c66001aa4462316d890a2aebe6 b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/0829c17ba2f706c66001aa4462316d890a2aebe6 new file mode 100644 index 0000000000..cbfc1a3c74 --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/0829c17ba2f706c66001aa4462316d890a2aebe6 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3d2af95bf19bc4ccd3a391d228c0a836bf5692e6c245ce9415393cb23c58caae +size 42 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/bad_flags b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/bad_flags index 7c5d9dd6ee..3a2c45da97 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/bad_flags +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/bad_flags @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:de76a587799ca61bac639f388288f401041d97b767bae475df184834b36a890d +oid sha256:623dd57b8bf0da296630cdad85c4e1e1ce0c1b4d27feff216c34965951773d18 size 57 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/dde7aa5a3d9db2fc6e2bcbe681f51a78d17fcd92 b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/dde7aa5a3d9db2fc6e2bcbe681f51a78d17fcd92 new file mode 100644 index 0000000000..6db8beb87b --- /dev/null +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/dde7aa5a3d9db2fc6e2bcbe681f51a78d17fcd92 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:978644390ab4896de99502989272f7a762671d595235b95c47083c277e6ef752 +size 42 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/unknown_version b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/unknown_version index 076f739766..9652903af6 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/unknown_version +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/unknown_version @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:eb34a4c18d495fbe93e7bedd3e8f894868874b0c3797d61f9ef3615f918510ab +oid sha256:ebdfba3b9783d66a6368e8cf27c0c3c45b7918f0a41d9b5f32d53be43a5ba483 size 57 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_compressed b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_compressed index 085e9927b1..a5270fdeb9 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_compressed +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_compressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c6dba626d6c2eacfcfdb29f358d48142efa4f144bc81b74749a1021a2160f961 +oid sha256:b26aa8fbff7f267556444848ddde786ceb19f3fe2341ce69d888aa11acdce678 size 81 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_uncompressed b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_uncompressed index 39d7c28ef0..4b8c7acea1 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_uncompressed +++ b/soliton_capi/fuzz/corpus/fuzz_capi_storage_decrypt/valid_uncompressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ab60ebad336b3b1d5fb70eb798f3528b730b16be4996cf7bc06379bf59097063 +oid sha256:7aa4e4d3258433a26c05b9c4642b56b4642691b99c4fb7762cf9a296357207dc size 57 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt/single_uncompressed b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt/single_uncompressed index 8bfb55269c..a67e75e4b6 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt/single_uncompressed +++ b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt/single_uncompressed @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:306fc3fb745d4c8874cfa7ee991478eb5a44df9eba60d8cb17a7d6fbaa728220 +oid sha256:bae87108455bed3306552caa5f8a668b23c2f9564f0b442ad4387166927b3fec size 57 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_0_final b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_0_final index 3d94864272..3cc83ed43d 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_0_final +++ b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_0_final @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6a89c473344585561a076bce3930d799ed15dcf80708e00f6da88329f7ad0135 +oid sha256:492c5279b2756ef0baa80f2314225448daf421275bbab48200ff2b0f258a8a01 size 63 diff --git a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_max_minus_1 b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_max_minus_1 index a496f5a482..076aa44114 100644 --- a/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_max_minus_1 +++ b/soliton_capi/fuzz/corpus/fuzz_capi_stream_decrypt_at/index_max_minus_1 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:48ad9be363835f3e83ee51f6eb4c8d5bcd1fbb9d300416abdf0646a005072b4f +oid sha256:3309d0f327ef1bf7d72d823aff75e99e5f11b4a5d8e7c7fe42eceafa6b8f1082 size 58