feat(X3DH): skeleton for active-adversary message secrecy#4
Draft
jinxinglim wants to merge 1 commit intomainfrom
Draft
feat(X3DH): skeleton for active-adversary message secrecy#4jinxinglim wants to merge 1 commit intomainfrom
jinxinglim wants to merge 1 commit intomainfrom
Conversation
jinxinglim
force-pushed
the
feat/x3dh-active-secrecy-skeleton
branch
2 times, most recently
from
c5e030b to
3590281
Compare
Introduces PQXDHLean/X3DH/X3DHActiveMessageSecrecy.lean — a structured
skeleton for the active (AKE-game) version of X3DH message secrecy,
mirroring the passive proof in X3DHPassiveMessageSecrecy.lean.
The file compiles with `sorry` placeholders for the proof bodies
and the most complex oracle handler (`send`). Three of five oracle
handlers are fully implemented (`corrupt`, `revealSK`, `newSession`).
A fourth (`test`) is partially implemented — once-per-game guard,
session lookup, and dispatch to a `getTestKey` callback are in
place; full freshness checks are deferred. The `activeGame` body
is fully wired with two-pass `simulateQ` semantics, so `activeReal`,
`activeRand`, and `activeSecrecyAdvantage` are now executable
end-to-end (modulo the `send` and `test`-freshness sorries).
Key components:
* `SessionStatus`, `AliceSessionRecord`, `BobSessionRecord` —
per-side session state under fixed-roles (Alice always
initiator, Bob always responder); each carries a
`transcript : List X3DHMessage` field for partnering
* `ActiveGameState` — session tables, corruption flags,
sk_revealed set, designated test session
* `Party`, `AKEQuery`, `akeSpec` — the 5-query AKE oracle spec
* `ActiveAdversary := OracleComp (unifSpec + akeSpec + KDFOracle) Bool`
* `akeQueryImpl` — unified QueryImpl over the 5 queries;
`newSession` initializes `transcript := []`
* `AKEStateM` — `StateT (ActiveGameState) (OracleComp ...)`
* `activeGame` — fully wired two-pass `simulateQ`:
pass 1 in `AKEStateM` interprets `akeSpec`; `StateT.run'`
strips the state layer; pass 2 mirrors passive's `execGame`
to land in `ProbComp`
* `activeReal` / `activeRand` — instantiate the `getTestKey`
callback differently (real key pass-through vs fresh-sample)
* `activeSecrecyAdvantage` — boolDistAdvantage between the games
* `x3dh_active_message_secrecy` — main theorem statement
Design choices documented inline:
* Fixed roles (Alice=init, Bob=resp): valid by symmetry; loses
no theorem strength
* Multi-session (paper Theorem 2 scope): per-party session tables
* 2 honest parties: third parties simulated via `Corrupt`
* `recv_*` peer-key fields are `Option G` to distinguish
"not yet received" from "received and was X"
* `transcript` field is `List X3DHMessage` on each record;
only `send` (when implemented) appends to it
* `getTestKey` callback parameterizes the real-vs-random split
* Local `X3DH_ActiveMessageSecrecy` opaque Prop (KEM-free
variant of `SecurityDefs.MessageSecrecy`)
The `## Follow-up work` section at the end of the file enumerates
11 remaining items with status markers (✓/🚧/☐) and their
dependencies.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jinxinglim
force-pushed
the
feat/x3dh-active-secrecy-skeleton
branch
from
3590281 to
120e437
Compare
Contributor
|
There is a lot here @jinxinglim. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Introduces
PQXDHLean/X3DH/X3DHActiveMessageSecrecy.lean— a structured skeleton for X3DH active-adversary (AKE-game) message secrecy, mirroring the existing passive proof inX3DHPassiveMessageSecrecy.lean.This is the natural next step after passive secrecy: the paper's Theorem 2 (§5.2, p. 479) proves a much stronger active-adversary security result. This file lays the structural foundation for that proof — types, game state, oracle handlers, game variants, and theorem statements — so future work can fill in proof bodies one piece at a time.
What's in this PR
PQXDHLean/X3DH/X3DHActiveMessageSecrecy.lean(~965 lines, ~60% comments/docstrings)lake build(3 expectedsorrywarnings on placeholder bodies)Status of components
SessionStatus,AliceSessionRecord,BobSessionRecordrecv_*fields areOption G; each record has atranscript : List X3DHMessageActiveGameState+ActiveGameState.empty+InhabitedParty,AKEQuery,akeSpec,ActiveAdversaryAKEStateM(state monad for handlers)akeQueryImpl— 5 oracle handlerscorrupt,revealSK,newSession);testpartial;sendsorryactiveGamebody (two-passsimulateQwiring)activeReal,activeRandactiveSecrecyAdvantageX3DH_ActiveMessageSecrecy(local opaque Prop)x3dh_active_message_secrecy(main theorem)sorrypassive_embeds_into_active(corollary sketch)sorry## Follow-up worksectionHow to review
The file is large (~965 lines). I'd suggest reading in this order:
Header docstring (lines 1-101) — covers the AKE game, freshness conditions, the fixed-roles simplification (Alice always init, Bob always resp) with its symmetry-based justification, and paper references.
Session statesection (lines ~136-340) —SessionStatus,X3DHMessage(currentlyUnitstub),AliceSessionRecord,BobSessionRecord,ActiveGameState. Pay attention to therecv_*field semantics (none= pending,some _= received) and thetranscriptfield (initialized to[]bynewSession; futuresendwill append). Notation convention block at the top of the section.Active adversarysection (lines ~340-430) —Party,AKEQuery,akeSpec,ActiveAdversary. The shapeOracleComp (unifSpec + akeSpec + KDFOracle) Boolis the standard VCVio idiom for an interactive AKE adversary.Oracle implementationssection (lines ~432-625) —akeQueryImpl. Three handlers (corrupt,revealSK,newSession) are fully implemented;testis partial;sendhas a detailed TODO. ThegetTestKeycallback parameterizestestfor the two-game formulation. Onlysendwill append to transcripts (when implemented).Active secrecy gamessection (lines ~625-690) —activeGame,activeReal,activeRand.activeGame's body now does the full two-passsimulateQ: pass 1 (inAKEStateM) eliminatesakeSpec;StateT.run'strips the state; pass 2 (inProbComp) mirrors passive'sexecGame.activeRealandactiveRandinstantiate thegetTestKeycallback.Advantage + theorem (lines ~695-755) —
activeSecrecyAdvantageis fully defined; the main theorem's statement uses it indirectly viaX3DH_ActiveMessageSecrecy.## Follow-up worksection (lines ~775-end) — the most important section for understanding what's deferred and why. 11 numbered items with status markers and dependency notes.Discussion items
These are design decisions worth surfacing before further work lands:
Fixed roles vs. flexible roles: documented in the header. The skeleton commits to Alice=init / Bob=resp throughout. By symmetry, no theorem is weakened. Open question: do we want to reconsider this for Double Ratchet later? (Section in header documents future-extension paths.)
X3DH_ActiveMessageSecrecyas local opaque Prop: defined here, not inSecurityDefs.lean. Should it be lifted toSecurityDefs.leanalongsideMessageSecrecyandPeerAuth(small refactor, clean PR), or stay local for now? See follow-up §5.SessionId := Natvs. abstract: currentlyNat; abstraction noted as a future refinement.X3DHMessage = Unitstub:sendissorrypartly because messages aren't concretized. Concretization would propagate type parameters (G,CT_aead,S_sig) up the stack. See follow-up §2. Thetranscriptfield currently holdsList Unit— its structure (a list per session) is in place, but the contents are trivial until concretization.recv_OPKambiguity:nonecould mean "haven't received bundle" or "received bundle with no OPK". Documented as relying on thestatusfield to disambiguate, but a more rigorous design might useOption (Option G). Worth a second look.Long-term keys as parameters vs. game state:
akeQueryImpltakesikₐ ikᵦ spkᵦas parameters rather than storing them inActiveGameState. Justified because they're sampled once at game setup and never change. Alternative: include them inActiveGameStatefor uniformity.activeGamecombined vs. split intoactiveGameOuter+execActiveGame: passive separates the game from its execution; we've combined them inactiveGame. Could split for symmetry if proofs need access to the un-execed form.Next steps (in order)
After this skeleton lands, the recommended order to fill in
sorrys:Define a partnering predicate (follow-up §1) — a concrete
arePartners : AliceSessionRecord → BobSessionRecord → Propover the newtranscriptfields. Needed by the partner-reveal freshness check (next).Concretize
Freshnesspredicates overActiveGameState(follow-up §6) — small but important. Makes theFreshnesshypothesis on the main theorem meaningful. Depends on partnering.Lift
X3DH_ActiveMessageSecrecytoSecurityDefs.lean(follow-up §5) — small refactor; arguably its own small PR.Concretize
X3DHMessageand implementsend(follow-up §2) — biggest single chunk (~200-300 LOC). Pulls inSigandAEADparameters; likely propagates type parameters throughAKEQuery/akeSpec/ActiveAdversary. Also wiressendto maintain thetranscriptfields (the only handler that does).Game-hop proof for the main theorem (follow-up §7) — multiple game hops using VCVio's
tvDist_simulateQ_le_probEvent_bad. The largest effort.passive_embeds_into_activecorollary (follow-up §9) — derivespassive_secrecy_le_ddhfrom active.Expansion to other security properties (follow-up §11) — peer auth, forward secrecy, KCI, session independence, each in its own follow-up file.