[!WARNING]
This proof is still work in progress.
This repository contains formally verified proofs of the game-based proofs presented in the X-Wing paper.
This proof has been tested using the 2024.09 version of Easycrypt.
The proof has the following structure:
KEM_ROM.ec
contains the abstract theory that defines a KEM and related security games, such as IND-CPA and IND-CCA. It then defines a concrete theory concerning KEMs in the ROM, and KEMs with two ROMs. The latter is required as the adversary will have access to two oracles in the X-Wing proof: an X-Wing decapsulation oracle, and the KEM oracle. This is because the KEM that X-Wing is instantiated with is proven to be secure in the ROM.NomGroup.eca
defines the abstract theory concerning nominal groups, and hence, X25519.PKE_ROM.ec
is similar to KEM_ROM.c
in that it defines the abstract theory of PKEs and various security games for PKEs in and out of the ROM.ML-KEM-CCR.ec
proves the CCR security bound for ML-KEM.X-Wing-Classical.ec
proves the classical security bound for X-Wing.X-Wing-PQ.ec
proves the post-quantum security bound for X-Wing.To be filled out.