libsoliton/tamarin

Tamarin Models

Symbolic formal verification of the Soliton cryptographic protocol using Tamarin Prover. 8 models, 55 lemmas.

These models were authored by the protocol designers and have not undergone independent peer review. They are published for transparency and to facilitate third-party verification. All results are machine-checkable and reproducible.

Requirements

• tamarin-prover 1.12.0+
• maude 3.5.1+

Usage

# All models
../verify.sh tamarin

# Single model
tamarin-prover LO_Auth.spthy --prove

Resource Usage

All 8 models complete in under 90 seconds total with under 2 GB peak RAM. No special hardware or overnight runs required — a laptop is sufficient.

This is achieved through bounded unrolling (3–4 steps for ratchet and chain models) and unique fact names per state (eliminating branching during source analysis).

Results

Verified with Tamarin 1.12.0, Maude 3.5.1.

LO_Auth.spthy — Theorem 6 (Key Possession)

Lemma	Result	Steps
Auth_Exists	verified	5
Auth_Ordering	verified	2
Auth_Single_Use	verified	8
Auth_No_Accept_After_Timeout	verified	3
Auth_Unique_Challenge	verified	2
Theorem6_Key_Possession	verified	11
Theorem6_No_Oracle	verified	11

LO_KEX.spthy — Theorems 1, 2a, 2b (Session Key Secrecy, Authentication)

OPK-present case only. See header comment for OPK-absent scope note.

Lemma	Result	Steps
KEX_Exists	verified	27
Theorem1_Session_Key_Secrecy_A	verified	70
Theorem1_Session_Key_Secrecy_B	verified	136
Theorem1_EK_Secrecy_A	verified	70
Theorem1_EK_Secrecy_B	verified	136
Theorem2a_Recipient_Binding	verified	2
Theorem2b_Initiator_Authentication	verified	10
OPK_Single_Use	verified	24
Key_Uniqueness	verified	2

LO_Ratchet.spthy — Theorems 4, 5 (Forward Secrecy, PCS — structural)

Abstract model using Fr() epoch keys. Proves FS and PCS are structural properties of the state machine, independent of KDF/KEM security.

Lemma	Result	Steps	Notes
send_sanity	verified	7
send_fs	verified	2818	Theorem 4a
send_corrupt_terminates	verified	193
send_pcs	verified	2	Abstract model only
recv_sanity	verified	6
recv_fs_1step	falsified	11	Expected — prev_ek_r retains old key
recv_fs_2step	verified	9132	Theorem 4b
recv_corrupt_terminates	verified	273
recv_pcs	verified	107	Abstract model only (see comment)

LO_Ratchet_PCS.spthy — Theorem 5 (PCS — KEM-level)

KEM-level model proving the 1-step non-recovery / 1-direction-change recovery that the abstract Fr() model cannot distinguish.

Lemma	Result	Steps	Notes
pcs_sanity	verified	3
pcs_no_recovery_after_recv	falsified	9	Expected — adversary holds sk_own
pcs_recovery_after_send	verified	7
pcs_recovery_sustained	verified	15
pcs_f4_violated	verified	7	F4 defeats next recv, not this send

LO_Call.spthy — Theorems 8–11 (Call Key Security)

Lemma	Result	Steps
Call_Exists	verified	6
Call_Key_Agreement	verified	56
Theorem8_Call_Key_Secrecy	verified	24
Theorem9_Intra_Call_FS	verified	193
Theorem10_Call_Ratchet_Ind	verified	3
Theorem11_Concurrent_Ind	verified	52

LO_AntiReflection.spthy — Theorem 12 (Anti-Reflection)

Lemma	Result	Steps
Reflection_Sanity	verified	8
Theorem12_Anti_Reflection	verified	5

LO_Stream.spthy — Theorem 13, Properties 2–5 (Streaming AEAD)

Lemma	Result	Steps
Stream_Sanity	verified	11
Stream_Sanity_Finalize	verified	7
Theorem13_P2_Integrity	verified	28
Theorem13_P3_Ordering	verified	18
Theorem13_P4_No_False_Final	verified	17
Theorem13_P5_Cross_Stream	verified	55
Theorem13_Key_Secrecy	verified	3

LO_NegativeTests.spthy — Expected Falsifications

Each lemma confirms a known attack path works in the model. All should be falsified (or verified for exists-trace). If any result flips, the model has a bug.

Lemma	Result	Steps	Attack path
neg_auth_ik_corrupt	falsified	8	IK corruption forges auth
neg_auth_rng_corrupt	falsified	10	RNG corruption forges auth
neg_ratchet_no_fs_0step	falsified	8	Corrupt immediately reveals ek
neg_ratchet_recv_1step	falsified	10	1-step recv, prev retains ek
neg_call_rk_plus_rng	falsified	9	rk + RNG derives call key
neg_stream_key_corrupt	falsified	5	Key corruption enables forgery
neg_reflect_self_session	falsified	7	Self-session enables reflection
neg_kex_no_opk	falsified	11	IK+SPK alone breaks OPK-absent
neg_ratchet_duplicate	falsified	7	No recv_seen → duplicate accepted
neg_call_self_session	verified	3	Self-call reachable without guard

Scope and Limitations

• OPK-absent KEX: LO_KEX.spthy models the 3-key (OPK-present) case only. The 2-key OPK-absent case has a weaker secrecy threshold (IK+SPK), validated by neg_kex_no_opk in the negative tests.
• X-Wing as black box: All models treat X-Wing as a single IND-CCA2 KEM without opening the combiner (draft-09 hybrid argument).
• Abstract ratchet: LO_Ratchet.spthy uses Fr() epoch keys (not KDF-derived). KEM-level properties are in LO_Ratchet_PCS.spthy.
• No Theorem 7: Domain separation is vacuously true in Tamarin (string constants are structurally distinct).
• No Theorem 3/13-P1: Message confidentiality (IND-CPA) is computational, covered by the CryptoVerif models.
• Bounded chains: Ratchet and call chain steps are bounded (3–4 steps) to prevent Tamarin non-termination.

Theorem Coverage

Theorem	Model	Type
1 (KEX Key Secrecy)	LO_KEX	Symbolic secrecy
2a (Recipient Auth)	LO_KEX	Structural binding
2b (Initiator Auth)	LO_KEX	Correspondence
4 (Forward Secrecy)	LO_Ratchet	Structural FS
5 (PCS)	LO_Ratchet + LO_Ratchet_PCS	Structural + KEM-level
6 (Auth Key Possession)	LO_Auth	Correspondence
8 (Call Key Secrecy)	LO_Call	Symbolic secrecy
9 (Intra-Call FS)	LO_Call	Chain one-wayness
10 (Call/Ratchet Ind.)	LO_Call	Independence
11 (Concurrent Calls)	LO_Call	Independence
12 (Anti-Reflection)	LO_AntiReflection	AAD direction binding
13 P2–P5	LO_Stream	Integrity, ordering, truncation, isolation