Closed jadephilipoom closed 2 years ago
This isn't necessarily the strategy I'd recommend if there was unlimited time, but I think this might be the shortest path to getting the paper-essential proofs done.
FWIW HMAC inputs
-> SHA inputs
is the hmac_inner
component, so it would be a replacement (simpler) proof for the hmac_inner
. The hmac and hmac_top don't directly translate to a fold on their inputs because their output (eventually into SHA) is influenced by why the SHA module is ready (so for those circuits repeat_update_repr
would need additional logic).
influenced by why the SHA module is ready (so for those circuits
repeat_update_repr
would need additional logic).
The SHA postcondition fully specifies the is_ready
bit, so it might be easier to use repeat_update_repr
as-is and then duplicating the logic from the SHA postcondition that corresponds to the is_ready
signal. Then, in your hmac_top
postcondition or wherever, you can compute the SHA representation with repeat_update_repr
and then just do get_sha_ready_bit
just like I've illustrated with get_sha_done_bit
above to make your postcondition depend on it.
@blaxill and @fshaked , here's the lemmas I think you will need for the HMAC proof strategy we discussed just now. Basically, if you have a function that can turn a list of HMAC inputs into a list of SHA inputs, then you can feed the SHA inputs into these lemmas (particularly
postcondition_holds_big_step
andinvariant_holds_big_step
) in order to prove that e.g. the SHA postcondition holds on the latest output.This way, the HMAC representation can be the list of HMAC inputs so far. In the invariant, you'd get the SHA inputs from the HMAC inputs, and the invariant would be something like:
In order to get a useful postcondition based on whether the inner SHA circuit is done, you can define a function that looks at the SHA higher-level representation plus SHA input and decides whether the SHA circuit is done using logic similar to the SHA postcondition (basically duplicate the logic in the SHA postcondition for that specific bit of output). If that function is called
get_sha_done_bit
, then the postcondition would look something like:This isn't necessarily the strategy I'd recommend if there was unlimited time, but I think this might be the shortest path to getting the paper-essential proofs done.