{"id":13803658,"url":"https://github.com/SSProve/ssprove","last_synced_at":"2025-05-13T16:32:21.637Z","repository":{"id":38239771,"uuid":"345937744","full_name":"SSProve/ssprove","owner":"SSProve","description":"A foundational framework for modular cryptographic proofs in Coq","archived":false,"fork":false,"pushed_at":"2025-05-06T18:08:34.000Z","size":3519,"stargazers_count":64,"open_issues_count":17,"forks_count":13,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-05-06T19:31:00.751Z","etag":null,"topics":["coq-formalization","coq-library","cryptography","formal-verification","modular-cryptographic-proofs","state-separating-proofs"],"latest_commit_sha":null,"homepage":"","language":"Coq","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SSProve.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-03-09T08:38:18.000Z","updated_at":"2025-05-02T12:16:09.000Z","dependencies_parsed_at":"2024-02-10T22:26:26.612Z","dependency_job_id":"390cb269-2e79-4c52-a3cc-0f71cb39ce45","html_url":"https://github.com/SSProve/ssprove","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSProve%2Fssprove","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSProve%2Fssprove/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSProve%2Fssprove/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSProve%2Fssprove/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SSProve","download_url":"https://codeload.github.com/SSProve/ssprove/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253981907,"owners_count":21994352,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["coq-formalization","coq-library","cryptography","formal-verification","modular-cryptographic-proofs","state-separating-proofs"],"created_at":"2024-08-04T01:00:36.674Z","updated_at":"2025-05-13T16:32:16.611Z","avatar_url":"https://github.com/SSProve.png","language":"Coq","funding_links":[],"categories":["Projects"],"sub_categories":["Frameworks"],"readme":"![SSProve](https://user-images.githubusercontent.com/5850655/111436014-c6811f00-8701-11eb-9363-3f2a1b9e9da1.png)\n\nThis repository contains the Coq formalisation of the paper:\\\n**SSProve: A Foundational Framework for Modular Cryptographic Proofs in Coq**\n- Extended journal version published at TOPLAS ([DOI](https://dl.acm.org/doi/10.1145/3594735)).\n  Philipp G. Haselwarter, Exequiel Rivas, Antoine Van Muylder, Théo Winterhalter,\n  Carmine Abate, Nikolaj Sidorenco, Cătălin Hrițcu, Kenji Maillard, and\n  Bas Spitters. ([eprint](https://eprint.iacr.org/2021/397))\n- Conference version published at CSF 2021 (**distinguished paper award**).\n  Carmine Abate, Philipp G. 
Haselwarter, Exequiel Rivas, Antoine Van Muylder,\n  Théo Winterhalter, Cătălin Hrițcu, Kenji Maillard, and Bas Spitters.\n  ([ieee](https://www.computer.org/csdl/proceedings-article/csf/2021/760700a608/1uvIdwNa5Ne),\n   [eprint](https://eprint.iacr.org/2021/397/20210526:113037))\n\nSecondary literature:\n* **The Last Yard: Foundational End-to-End Verification of High-Speed Cryptography** at CPP'24. \nPhilipp G. Haselwarter, Benjamin Salling Hvass, Lasse Letager Hansen, Théo Winterhalter, Cătălin Hriţcu, and Bas Spitters. ([DOI](https://doi.org/10.1145/3636501.3636961))\n\nThis README serves as a guide to running verification and finding the\ncorrespondence between the claims in the paper and the formal proofs in Coq, as\nwell as listing the small set of axioms on which the formalisation relies\n(either entirely standard ones or transitive ones from `mathcomp-analysis`).\n\n## Documentation\n\nDocumentation is available in [DOC.md].\n\n## Additional material\n\n- [CSF'21](https://youtu.be/MlwQ7CfNH5Q): Video accompanying the publication introducing the general framework (speaker: Philipp Haselwarter)\n- [TYPES'21](https://youtu.be/FdMRB1mnyUA): Video focused on semantics and programming logic (speaker: Antoine Van Muylder)\n- [Coq Workshop '21](https://youtu.be/uYhItPhA-Y8): Video illustrating the formalisation (speaker: Théo Winterhalter)\n\n## Installation\n\n#### Prerequisites\n\n- OCaml `\u003e=4.05.0 \u0026 \u003c5`\n- Coq `\u003e=8.16.0 \u0026 \u003c8.18.0`\n- Equations `1.3`\n- Mathcomp `\u003e=1.15.0`\n- Mathcomp analysis `\u003e=0.5.3`\n- Coq Extructures `0.3.1`\n- Coq Deriving `0.1`\n\nYou can get them all from the `opam` package manager for OCaml:\n```sh\nopam repo add coq-released https://coq.inria.fr/opam/released\nopam update\nopam install ./ssprove.opam\n```\n\nTo build the dependency graph, you can optionally install `graphviz`.\nOn macOS, `gsed` is additionally required for this.\n\n#### Running verification\n\nRun `make` from this directory to 
verify all the Coq files.\nThis should succeed, displaying only the list of axioms used for our listed\nresults.\n\nRun `make graph` to build a graph of dependencies between sources.\n\n## Directory organisation\n\n| Directory             | Description                                          |\n|-----------------------|------------------------------------------------------|\n| [theories]            | Root of all the Coq files                            |\n| [theories/Mon]        | External development coming from \"Dijkstra Monads For All\" |\n| [theories/Relational] | External development coming from \"The Next 700 Relational Program Logics\" |\n| [theories/Crypt]      | This paper                                           |\n\nUnless specified with a full path, all files considered in this README can\nsafely be assumed to be in [theories/Crypt].\n\n## Mapping between paper and formalisation\n\n### Package definition and laws\n\nThe formalisation of packages can be found in the [package] directory.\n\nThe definition of packages can be found in [pkg_core_definition.v].\nHerein, `package L I E` is the type of packages with set of locations `L`,\nimport interface `I` and export interface `E`. It is defined on top of\n`raw_package`, which does not carry the information about its interfaces\nand the locations it uses.\n\nPackage laws, as introduced in the paper, are all stated and proven in\n[pkg_composition.v] directly on raw packages. 
This technical detail is not\nmentioned in the paper, but we are nonetheless only interested in these\nlaws over proper packages whose interfaces match.\n\n#### Sequential composition\n\nIn Coq, we call `link p1 p2` the sequential composition of `p1` and `p2`\n(written `p1 ∘ p2` in the paper, but also in Coq thanks to notations).\n\n```coq\nDefinition link (p1 p2 : raw_package) : raw_package.\n```\n\nLinking is valid if the interfaces match (`p2` exports what `p1` imports), and\nthe set of locations of the result is the union of those of both packages\n(`:|:` denotes union of sets):\n```coq\nLemma valid_link :\n  ∀ L1 L2 I M E p1 p2,\n    ValidPackage L1 M E p1 →\n    ValidPackage L2 I M p2 →\n    ValidPackage (L1 :|: L2) I E (link p1 p2).\n```\n\nAssociativity is stated as follows:\n\n```coq\nLemma link_assoc :\n  ∀ p1 p2 p3,\n    link p1 (link p2 p3) =\n    link (link p1 p2) p3.\n```\nIt holds directly on raw packages, even if they are ill-formed.\n\n#### Parallel composition\n\nIn Coq, we write `par p1 p2` for the parallel composition of `p1` and `p2`\n(written `p1 || p2` in the paper).\n\n```coq\nDefinition par (p1 p2 : raw_package) : raw_package.\n```\n\nThe validity of parallel composition can be proven with the following lemma:\n```coq\nLemma valid_par :\n  ∀ L1 L2 I1 I2 E1 E2 p1 p2,\n    Parable p1 p2 →\n    ValidPackage L1 I1 E1 p1 →\n    ValidPackage L2 I2 E2 p2 →\n    ValidPackage (L1 :|: L2) (I1 :|: I2) (E1 :|: E2) (par p1 p2).\n```\n\nThe `Parable` condition checks that the export interfaces are indeed disjoint.\n\nWe have commutativity as follows:\n```coq\nLemma par_commut :\n  ∀ p1 p2,\n    Parable p1 p2 →\n    par p1 p2 = par p2 p1.\n```\nThis lemma does not hold for arbitrary raw packages; it requires that the\npackages implement disjoint signatures.\n\nAssociativity, on the other hand, is free from this requirement:\n```coq\nLemma par_assoc :\n  ∀ p1 p2 p3,\n    par p1 (par p2 p3) = par (par p1 p2) p3.\n```\n\n#### Identity package\n\nThe identity package is called `ID` in Coq and has the 
following type:\n```coq\nDefinition ID (I : Interface) : raw_package.\n```\n\nIts validity is stated as\n```coq\nLemma valid_ID :\n  ∀ L I,\n    flat I →\n    ValidPackage L I I (ID I).\n```\n\nThe extra `flat I` condition on the interface essentially forbids overloading:\nthere cannot be two procedures in `I` that share the same name but have\ndifferent types. While our type of interface could in theory allow such\noverloading, the way we build packages forbids us from ever implementing them,\nhence the restriction.\n\nThe two identity laws are as follows:\n```coq\nLemma link_id :\n  ∀ L I E p,\n    ValidPackage L I E p →\n    flat I →\n    trimmed E p →\n    link p (ID I) = p.\n```\n\n```coq\nLemma id_link :\n  ∀ L I E p,\n    ValidPackage L I E p →\n    trimmed E p →\n    link (ID E) p = p.\n```\n\nIn both cases, we ask that the package we link the identity package with is\n`trimmed`, meaning that it implements *exactly* its export interface and nothing\nmore. Packages created through our operations always satisfy this property\n(so it can be checked automatically for them).\n\n#### Interchange between sequential and parallel composition\n\nFinally, we prove a law involving sequential and parallel composition\nstating how we can interchange them:\n```coq\nLemma interchange :\n  ∀ A B C D E F L1 L2 L3 L4 p1 p2 p3 p4,\n    ValidPackage L1 B A p1 →\n    ValidPackage L2 E D p2 →\n    ValidPackage L3 C B p3 →\n    ValidPackage L4 F E p4 →\n    trimmed A p1 →\n    trimmed D p2 →\n    Parable p3 p4 →\n    par (link p1 p3) (link p2 p4) = link (par p1 p2) (par p3 p4).\n```\nwhere the last line can be read as\n`(p1 ∘ p3) || (p2 ∘ p4) = (p1 || p2) ∘ (p3 || p4)`.\n\nIt once again requires some validity and trimming properties.\n\n\n### Examples\n\n#### PRF\n\nThe PRF example is developed in [examples/PRF.v].\nThe security theorem is the following:\n\n```coq\nTheorem security_based_on_prf :\n  ∀ LA A,\n    ValidPackage LA\n      [interface val #[i1] : 'word → 'word × 
'word ] A_export A →\n    fdisjoint LA (IND_CPA false).(locs) →\n    fdisjoint LA (IND_CPA true).(locs) →\n    Advantage IND_CPA A \u003c=\n    prf_epsilon (A ∘ MOD_CPA_ff_pkg) +\n    statistical_gap A +\n    prf_epsilon (A ∘ MOD_CPA_tt_pkg).\n```\n\nAs we claim in the paper, it bounds the advantage of any adversary against the\ngame pair `IND_CPA` by the sum of the statistical gap and the advantages against\n`MOD_CPA`.\n\nNote that we require some state-separation hypotheses here (the `fdisjoint`\nconditions on the adversary's locations), since such disjointness of state is\nnot required by our package definitions and laws.\n\n#### ElGamal\n\nThe ElGamal example is developed in [examples/ElGamal.v].\nThe security theorem is the following:\n\n```coq\nTheorem ElGamal_OT :\n  ∀ LA A,\n    ValidPackage LA [interface val #[challenge_id'] : 'plain → 'cipher] A_export A →\n    fdisjoint LA (ots_real_vs_rnd true).(locs) →\n    fdisjoint LA (ots_real_vs_rnd false).(locs) →\n    Advantage ots_real_vs_rnd A \u003c= AdvantageE DH_rnd DH_real (A ∘ Aux).\n```\n\n#### KEM-DEM\n\nThe KEM-DEM case-study can be found in [examples/KEMDEM.v].\n\nThe single key lemma is identified by `single_key_a` and `single_key_b`,\ncorresponding to the two inequalities of the paper. 
Their statements are\nreally verbose because of a lot of side-conditions pertaining to the validity\nof the composed packages, so we refer the user to the file.\n\nThe invariant used to prove perfect indistinguishability is given by\n```coq\nNotation inv := (\n  heap_ignore KEY_loc ⋊\n  triple_rhs pk_loc k_loc ek_loc PKE_inv ⋊\n  couple_lhs pk_loc sk_loc (sameSomeRel PkeyPair)\n).\n```\nWe once again refer the user to the commented file for details.\nSaid perfect indistinguishability is stated as\n```coq\nLemma PKE_CCA_perf :\n  ∀ b, (PKE_CCA KEM_DEM b) ≈₀ Aux b.\n```\nwhile the final security theorem is the following:\n```coq\nTheorem PKE_security :\n  ∀ LA A,\n    ValidPackage LA PKE_CCA_out A_export A →\n    fdisjoint LA PKE_CCA_loc →\n    fdisjoint LA Aux_loc →\n    Advantage (PKE_CCA KEM_DEM) A \u003c=\n    Advantage KEM_CCA (A ∘ (MOD_CCA KEM_DEM) ∘ par (ID KEM_out) (DEM true)) +\n    Advantage DEM_CCA (A ∘ (MOD_CCA KEM_DEM) ∘ par (KEM false) (ID DEM_out)) +\n    Advantage KEM_CCA (A ∘ (MOD_CCA KEM_DEM) ∘ par (ID KEM_out) (DEM false)).\n```\n\n#### Σ-protocols\n\nThe Σ-protocols case-study is divided over two files:\n[examples/SigmaProtocol.v] and [examples/Schnorr.v].\n\nThe security theorem for hiding of the commitment scheme built from Σ-protocols is:\n\n```coq\nTheorem commitment_hiding :\n  ∀ LA A eps,\n    ValidPackage LA [interface\n      val #[ HIDING ] : chInput → chMessage\n    ] A_export A →\n    (∀ B,\n      ValidPackage (LA :|: Com_locs) [interface\n        val #[ TRANSCRIPT ] : chInput → chTranscript\n      ] A_export B →\n      ɛ_SHVZK B \u003c= eps\n    ) →\n    AdvantageE (Hiding_real ∘ Sigma_to_Com ∘ SHVZK_ideal) (Hiding_ideal ∘ Sigma_to_Com ∘ SHVZK_ideal) A \u003c=\n    (ɛ_hiding A) + eps + eps.\n```\n\nAnd the corresponding theorem for binding:\n\n```coq\nTheorem commitment_binding :\n  ∀ LA A LAdv Adv,\n    ValidPackage LA [interface\n      val #[ SOUNDNESS ] : chStatement → 'bool\n    ] A_export A →\n    ValidPackage LAdv [interface] [interface\n      
val #[ ADV ] : chStatement → chSoundness\n    ] Adv →\n    fdisjoint LA (Sigma_locs :|: LAdv) →\n    AdvantageE (Com_Binding ∘ Adv) (Special_Soundness_f ∘ Adv) A \u003c=\n    ɛ_soundness A Adv.\n```\n\nCombining the above theorems with the instantiation of Schnorr's protocol we get a commitment scheme given by:\n\n```coq\nTheorem schnorr_com_hiding :\n  ∀ LA A,\n    ValidPackage LA [interface\n      val #[ HIDING ] : chInput → chMessage\n    ] A_export A →\n    fdisjoint LA Com_locs →\n    fdisjoint LA Sigma_locs →\n    AdvantageE (Hiding_real ∘ Sigma_to_Com ∘ SHVZK_ideal) (Hiding_ideal ∘ Sigma_to_Com ∘ SHVZK_ideal) A \u003c= 0.\n```\n\nand\n\n```coq\nTheorem schnorr_com_binding :\n  ∀ LA A LAdv Adv,\n    ValidPackage LA [interface\n      val #[ SOUNDNESS ] : chStatement → 'bool\n    ] A_export A →\n    ValidPackage LAdv [interface] [interface\n      val #[ ADV ] : chStatement → chSoundness\n    ] Adv →\n    fdisjoint LA (Sigma_locs :|: LAdv) →\n    AdvantageE (Com_Binding ∘ Adv) (Special_Soundness_f ∘ Adv) A \u003c= 0.\n```\n\n### Probabilistic relational program logic\n\nThe paper version (CSF: Figure 13, journal: section 4.1) introduces a selection\nof rules for our probabilistic relational program logic.\nMost of them can be found in [package/pkg_rhl.v] which provides an interface for\nusing these rules directly with `code`.\nWe separate by a slash (/) rule names that differ in the CSF (left) and journal\n(right) version.\n\n| Rule in paper     | Rule in Coq           |\n|-------------------|-----------------------|\n| reflexivity       | `rreflexivity_rule`   |\n| seq               | `rbind_rule`          |\n| swap              | `rswap_rule`          |\n| eqDistrL          | `rrewrite_eqDistrL`   |\n| symmetry          | `rsymmetry`           |\n| for-loop          | `for_loop_rule`       |\n| uniform           | `r_uniform_bij`       |\n| dead-sample       | `r_dead_sample`       |\n| sample-irrelevant | `r_const_sample`      |\n| asrt / assert     | 
`r_assert'`           |\n| asrtL / assertL   | `r_assertL`           |\n| assertD           | `r_assertD`           |\n| put-get           | `r_put_get`           |\n| async-get-lhs     | `r_get_remember_lhs`  |\n| async-get-lhs-rem | `r_get_remind_lhs`    |\n| async-put-lhs     | `r_put_lhs`           |\n| restore-pre-lhs   | `r_restore_lhs`       |\n\nFinally, the \"bwhile\" / \"do-while\" rule is proven as\n`bounded_do_while_rule` in [rules/RulesStateProb.v].\n\n### More Lemmas and Theorems for packages\n\nWe now list the lemmas and theorems about packages from the paper.\nTheorems 1 and 2 (CSF) / Theorems 2.4 and 4.1 (journal) were proven using our\nprobabilistic relational program logic. The first two lemmas below can be found in\n[package/pkg_advantage.v], the other two in [package/pkg_rhl.v].\n\n**Lemma 1 / 2.2 (Triangle Inequality)**\n```coq\nLemma Advantage_triangle :\n  ∀ P Q R A,\n    AdvantageE P Q A \u003c= AdvantageE P R A + AdvantageE R Q A.\n```\n\n**Lemma 2 / 2.3 (Reduction)**\n```coq\nLemma Advantage_link :\n  ∀ G₀ G₁ A P,\n    AdvantageE G₀ G₁ (A ∘ P) =\n    AdvantageE (P ∘ G₀) (P ∘ G₁) A.\n```\n\n**Theorem 1 / 2.4**\n```coq\nLemma eq_upto_inv_perf_ind :\n  ∀ {L₀ L₁ LA E} (p₀ p₁ : raw_package) (I : precond) (A : raw_package)\n    `{ValidPackage L₀ Game_import E p₀}\n    `{ValidPackage L₁ Game_import E p₁}\n    `{ValidPackage LA E A_export A},\n    INV' L₀ L₁ I →\n    I (empty_heap, empty_heap) →\n    fdisjoint LA L₀ →\n    fdisjoint LA L₁ →\n    eq_up_to_inv E I p₀ p₁ →\n    AdvantageE p₀ p₁ A = 0.\n```\n\n**Theorem 2 / 4.1**\n```coq\nLemma Pr_eq_empty :\n  ∀ {X Y : ord_choiceType}\n    {A : pred (X * heap_choiceType)} {B : pred (Y * heap_choiceType)}\n    Ψ ϕ\n    (c1 : FrStP heap_choiceType X) (c2 : FrStP heap_choiceType Y)\n    ⊨ ⦃ Ψ ⦄ c1 ≈ c2 ⦃ ϕ ⦄ →\n    Ψ (empty_heap, empty_heap) →\n    (∀ x y,  ϕ x y → (A x) ↔ (B y)) →\n    \\P_[ θ_dens (θ0 c1 empty_heap) ] A =\n    \\P_[ θ_dens (θ0 c2 empty_heap) ] B.\n```\n\n### Semantic model and 
soundness of rules\n\nThis part of the mapping corresponds to section 5. Once again,\nwe refer to results in the paper like so: CSF numbering/journal version numbering.\n\n#### 5.1 Relational effect observation\n\nIn our framework, a relational effect observation is defined\nas some kind of *lax morphism between order-enriched relative monads*.\nThis general definition as well as the ingredients it requires are provided\nin [theories/Relational/OrderEnrichedCategory.v]. There we introduce\ncategories, functors, relative monads, lax morphisms of relative\nmonads and isomorphisms of functors, all of which are order-enriched.\n\nRelational effect observations are lax morphisms between\nthe following special cases of order-enriched relative monads:\n1. A product of Type valued order-enriched relative monads,\n   corresponding to pairs of effectful computations.\n2. A relational specification monad\n\nTo build the above computation part (1) of an effect observation,\nthe file [theories/Relational/OrderEnrichedRelativeMonadExamples.v]\nequips Type with a structure of order-enriched category.\nOften we use free monads to package effectful computations.\nThose are defined in [rhl_semantics/free_monad/].\n\nSince a relational specification monad as in (2) is by definition\nan order-enriched monad with codomain PreOrder, the latter\ncategory has to be endowed with an order-enrichment. 
This\nis done in [theories/Relational/OrderEnrichedRelativeMonadExamples.v].\n\nMore basic categories can be found in the directory\n[rhl_semantics/more_categories/], namely in the files\n[RelativeMonadMorph_prod.v], [LaxComp.v], [LaxFunctorsAndTransf.v] and\n[InitialRelativeMonad.v].\n\n\n#### 5.2 The probabilistic relational effect observation\n\nThe files of interest are mainly contained in the\n[rhl_semantics/only_prob/] directory.\n\nThis relational effect observation is called\n`thetaDex` in the development and is defined in the\nfile [rhl_semantics/only_prob/ThetaDex.v] as a composition:\nFreeProb² ---`unary_theta_dens²`---\u003e SDistr² ---`θ_morph`---\u003e Wrelprop\n\nThe first part `unary_theta_dens²` consists in interpreting pairs\nof probabilistic programs into pairs of actual subdistributions.\nThis unary semantics for probabilistic programs `unary_theta_dens`\nis defined in [rhl_semantics/only_prob/Theta_dens.v].\nIt is defined by pattern matching on the given probabilistic program\n(which can be viewed as a tree).\nThe free relative monad over a probabilistic signature is defined\nin [rhl_semantics/free_monad/FreeProbProg.v].\nThe codomain of `unary_theta_dens` is defined in\n[rhl_semantics/only_prob/SubDistr.v].\nSince subdistributions `SDistr(A)` only make sense\nwhen `A` is a `choiceType`, both the domain and codomain\nof `unary_theta_dens` are relative monads over\nappropriate inclusion functors `choiceType` -\u003e `Type`.\nThe required order-enrichment for the category of choiceTypes\nand this inclusion are defined in the file [rhl_semantics/ChoiceAsOrd.v].\n\nThe second part `θ_morph` is conceptually more important.\nIt is defined in the file [rhl_semantics/only_prob/Theta_exCP.v].\n`θ_morph` is \"really\" lax: it satisfies the morphism laws only\nup to inequalities.\nThe definition of `θ_morph` relies on the notion of couplings,\ndefined in this file [rhl_semantics/only_prob/Couplings.v].\nThe proof that it constitutes a lax morphism depends 
on lemmas\nfor couplings that can be found in the same file.\n\n\n#### 5.3 The stateful and probabilistic relational effect observation\n\nThe important files are contained in this directory:\n[rhl_semantics/state_prob/].\n\n\nAgain the effect observation is defined as a composition:\n`thetaFstdex:` FrStP² → stT(Frp²) → stT(Wrel).\nSee file [StateTransformingLaxMorph.v].\n\nThe first part uses `unaryIntState:`  FrStP → stT(Frp)\nfrom the same file which interprets state related instructions\nas actual state manipulating functions S → Frp( - x S ).\nProbabilistic instructions are left untouched by this morphism.\n\nThe more interesting part is the second one (same file)\n`stT_thetaDex:` stT(Frp²) → stT(Wrel).\nThis morphism is obtained by state-transforming the\nrelational effect observation `thetaDex` from the previous section.\n\nMore details about the state transformer implementation are provided\nin the next section.\n\n\n#### CSF state transformer/ section 5.4 of journal version\n\nFor the definition of relative monad (Def 5.1 journal),\nsee section \"5.1 Relational effect observation\" of the present file.\n\nThe general definitions and theorems regarding the state transformer\ncan be found in [rhl_semantics/more_categories/]:\n[OrderEnrichedRelativeAdjunctions.v],\n[LaxMorphismOfRelAdjunctions.v],\n[TransformingLaxMorph.v].\n\nOn the other hand our instances can be found in [rhl_semantics/state_prob/]:\n[OrderEnrichedRelativeAdjunctionsExamples.v],\n[StateTransformingLaxMorph.v],\n[StateTransfThetaDens.v],\n[LiftStateful.v].\n\n\n##### The state transformer on relative monads (i.e. on objects)\n\nThe concerned file is [OrderEnrichedRelativeAdjunctions.v],\nsection `TransformationViaRelativeAdjunction`.\nThere we transform an arbitrary order-enriched relative monad\nusing a \"transforming adjunction\" (Thm 5.5 journal). 
The notion of transforming\nadjunction (Def 5.4 journal) is a generalization of the notion of state adjunction.\n\n\nState adjunctions for transforming computations/specifications\nare built in [OrderEnrichedRelativeAdjunctionsExamples.v].\n\nAll of our adjunctions are left relative adjunctions (Def 5.2 journal).\nThis notion is defined and studied in\n[OrderEnrichedRelativeAdjunctions.v] and this includes\nKleisli adjunctions of relative monads (Def 5.3 journal).\n\n##### The state transformer for lax morphisms (i.e. on arrows)\n\nSee file [TransformingLaxMorph.v].\nGiven a lax morphism of relative monads θ : M1 → M2,\nboth M1 and M2 factor through their Kleisli and\ngive rise to Kleisli adjunctions. θ induces\na lax morphism Kl(θ) between those Kleisli adjunctions.\nKl(θ) is a lax morphism between left relative adjunctions,\n(see [LaxMorphismOfRelAdjunctions.v]) and we can\ntransform such morphisms of adjunctions using\nthe theory developed in [TransformingLaxMorph.v].\nFinally, out of this transformed morphism of adjunctions we can\nextract a lax morphism between monads Tθ : T M1 → T M2, as expected.\nThis last step is also performed in [TransformingLaxMorph.v].\n\n\n## Axioms\n\n### List of axioms\n\nIn our development we rely on the following standard axioms: functional\nextensionality, proof irrelevance, and propositional extensionality, as listed\nbelow.\n\n```coq\nax_proof_irrel : ClassicalFacts.proof_irrelevance\npropositional_extensionality : ∀ P Q : Prop, P ↔ Q → P = Q\nfunctional_extensionality_dep :\n  ∀ (A : Type) (B : A → Type) (f g : ∀ x : A, B x),\n      (∀ x : A, f x = g x) → f = g\n```\n\nWe also rely on the constructive indefinite description axiom, whose use\nwe inherit transitively from the `mathcomp-analysis` library.\n\n```coq\nboolp.constructive_indefinite_description :\n  ∀ (A : Type) (P : A → Prop), (∃ x : A, P x) → {x : A | P x}\n```\n\nThe `mathcomp-analysis` library also uses an axiom to abstract away from any\nspecific construction of 
the reals:\n\n```coq\nR : realType\n```\nOne could plug in any real number construction: Cauchy, Dedekind, ...\nIn `mathcomp`'s `Rstruct.v` an instance is built from any instance of the\nabstract `stdlib` reals. An instance of the latter is built from the\n(constructive) Cauchy reals in `Coq.Reals.ClassicalConstructiveReals`.\n\nFinally, by using `mathcomp-analysis` we also inherit an admitted lemma of theirs:\n\n```coq\ninterchange_psum :\n  ∀ (R : realType) (T U : choiceType) (S : T → U → R),\n    (∀ x : T, summable (T:=U) (R:=R) (S x)) →\n    summable (T:=T) (R:=R) (λ x : T, psum (λ y : U, S x y)) →\n    psum (λ x : T, psum (λ y : U, S x y)) =\n    psum (λ y : U, psum (λ x : T, S x y))\n```\n\n### Other admits not used by results from the paper\n\nOur development also contains a few new work-in-progress results that are\nadmitted, but none of them is used to show the results from the paper above.\n\n### How to find axioms/admits\n\nWe use the `Print Assumptions` command of Coq to list the axioms/admits on which\na definition, lemma, or theorem depends. 
In [Main.v] we run this\ncommand on all the results above at once:\n```coq\nPrint Assumptions results_from_the_paper.\n```\nwhich yields\n```coq\nAxioms:\nboolp.propositional_extensionality : forall P Q : Prop, P \u003c-\u003e Q -\u003e P = Q\nrealsum.interchange_psum\n  : forall (R : reals.Real.type) (T U : choice.Choice.type)\n      (S : choice.Choice.sort T -\u003e choice.Choice.sort U -\u003e reals.Real.sort R),\n    (forall x : choice.Choice.sort T, realsum.summable (T:=U) (R:=R) (S x)) -\u003e\n    realsum.summable (T:=T) (R:=R)\n      (fun x : choice.Choice.sort T =\u003e\n       realsum.psum (fun y : choice.Choice.sort U =\u003e S x y)) -\u003e\n    realsum.psum\n      (fun x : choice.Choice.sort T =\u003e\n       realsum.psum (fun y : choice.Choice.sort U =\u003e S x y)) =\n    realsum.psum\n      (fun y : choice.Choice.sort U =\u003e\n       realsum.psum (fun x : choice.Choice.sort T =\u003e S x y))\nboolp.functional_extensionality_dep\n  : forall (A : Type) (B : A -\u003e Type) (f g : forall x : A, B x),\n    (forall x : A, f x = g x) -\u003e f = g\nFunctionalExtensionality.functional_extensionality_dep\n  : forall (A : Type) (B : A -\u003e Type) (f g : forall x : A, B x),\n    (forall x : A, f x = g x) -\u003e f = g\nboolp.constructive_indefinite_description\n  : forall (A : Type) (P : A -\u003e Prop), (exists x : A, P x) -\u003e {x : A | P x}\nSPropBase.ax_proof_irrel : ClassicalFacts.proof_irrelevance\nAxioms.R : reals.Real.type\n```\n\nThe ElGamal example is parametrized by a cyclic group using a Coq functor.\nTo print its axioms we have to provide an instance of this functor, and for\nsimplicity we chose to use ℤ₃ as an instance even if it is not realistic.\nThe axioms we use do not depend on the instance itself.\nWe do something similar for Schnorr's protocol.\n\n\n\n\n[theories]: theories\n[theories/Mon]: theories/Mon\n[theories/Relational]: theories/Relational\n[theories/Crypt]: theories/Crypt\n[package]: 
theories/Crypt/package\n[pkg_core_definition.v]: theories/Crypt/package/pkg_core_definition.v\n[pkg_composition.v]: theories/Crypt/package/pkg_composition.v\n[examples/PRF.v]: theories/Crypt/examples/PRF.v\n[examples/ElGamal.v]: theories/Crypt/examples/ElGamal.v\n[examples/KEMDEM.v]: theories/Crypt/examples/KEMDEM.v\n[examples/RandomOracle.v]: theories/Crypt/examples/RandomOracle.v\n[examples/SigmaProtocol.v]: theories/Crypt/examples/SigmaProtocol.v\n[examples/Schnorr.v]: theories/Crypt/examples/Schnorr.v\n[package/pkg_rhl.v]: theories/Crypt/package/pkg_rhl.v\n[rules/RulesStateProb.v]: theories/Crypt/rules/RulesStateProb.v\n[package/pkg_advantage.v]: theories/Crypt/package/pkg_advantage.v\n[theories/Relational/OrderEnrichedCategory.v]: theories/Relational/OrderEnrichedCategory.v\n[theories/Relational/OrderEnrichedRelativeMonadExamples.v]: theories/Relational/OrderEnrichedRelativeMonadExamples.v\n[rhl_semantics/free_monad/]: theories/Crypt/rhl_semantics/free_monad/\n[rhl_semantics/free_monad/FreeProbProg.v]: theories/Crypt/rhl_semantics/free_monad/FreeProbProg.v\n[rhl_semantics/ChoiceAsOrd.v]: theories/Crypt/rhl_semantics/ChoiceAsOrd.v\n[rhl_semantics/more_categories/]: theories/Crypt/rhl_semantics/more_categories/\n[RelativeMonadMorph_prod.v]: theories/Crypt/rhl_semantics/more_categories/RelativeMonadMorph_prod.v\n[LaxComp.v]: theories/Crypt/rhl_semantics/more_categories/LaxComp.v\n[LaxFunctorsAndTransf.v]: theories/Crypt/rhl_semantics/more_categories/LaxFunctorsAndTransf.v\n[InitialRelativeMonad.v]: theories/Crypt/rhl_semantics/more_categories/InitialRelativeMonad.v\n[rhl_semantics/only_prob/]: theories/Crypt/rhl_semantics/only_prob/\n[rhl_semantics/only_prob/Couplings.v]: theories/Crypt/rhl_semantics/only_prob/Couplings.v\n[rhl_semantics/only_prob/Theta_dens.v]: theories/Crypt/rhl_semantics/only_prob/Theta_dens.v\n[rhl_semantics/only_prob/Theta_exCP.v]: theories/Crypt/rhl_semantics/only_prob/Theta_exCP.v\n[rhl_semantics/only_prob/ThetaDex.v]: 
theories/Crypt/rhl_semantics/only_prob/ThetaDex.v\n[rhl_semantics/only_prob/SubDistr.v]: theories/Crypt/rhl_semantics/only_prob/SubDistr.v\n[OrderEnrichedRelativeAdjunctions.v]: theories/Crypt/rhl_semantics/more_categories/OrderEnrichedRelativeAdjunctions.v\n[LaxMorphismOfRelAdjunctions.v]: theories/Crypt/rhl_semantics/more_categories/LaxMorphismOfRelAdjunctions.v\n[TransformingLaxMorph.v]: theories/Crypt/rhl_semantics/more_categories/TransformingLaxMorph.v\n[rhl_semantics/state_prob/]: theories/Crypt/rhl_semantics/state_prob/\n[OrderEnrichedRelativeAdjunctionsExamples.v]: theories/Crypt/rhl_semantics/state_prob/OrderEnrichedRelativeAdjunctionsExamples.v\n[StateTransformingLaxMorph.v]: theories/Crypt/rhl_semantics/state_prob/StateTransformingLaxMorph.v\n[StateTransfThetaDens.v]: theories/Crypt/rhl_semantics/state_prob/StateTransfThetaDens.v\n[LiftStateful.v]: theories/Crypt/rhl_semantics/state_prob/LiftStateful.v\n[rhl_semantics/state_prob/]: theories/Crypt/rhl_semantics/state_prob/\n[Main.v]: theories/Crypt/Main.v\n[DOC.md]: ./DOC.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSSProve%2Fssprove","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSSProve%2Fssprove","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSSProve%2Fssprove/lists"}