verity: C13 public-key guard in the model, legacy model removal, accurate verification scope#8
Merged
Merged
Conversation
… fix verification-scope docs Model and proofs: - Wire the C13 public-key canonicality guard (review C13-V-f1, pkSeed/pkRoot masked by N_MASK, revert "Invalid public key") into c13VerifyBody so the model matches src/SPHINCs-C13Asm.sol. The guard is discharged in the refinement via wordOfHash16_land_nmask and the mkC13State_pkSeed/pkRoot canonical lemmas; Spec.lean keeps fullPkSeed/fullPkRoot := true for c13 because mkC13State binds both via wordOfHash16, so the byte spec cannot observe a non-canonical word there. - Full lake build is green. #print axioms confirms c13_refines_spec and c13_implements_spec rest on Lean core axioms plus the three named residual assembly axioms only. Scope cleanup to match the live verifier set: - Remove the legacy C12 Verity model (C12 Solidity now lives in legacy/), the older SphincsC6*/SphincsKernel trees, verity/artifacts, and test/MerkleKernelVerityTest.t.sol; prune lakefile roots accordingly. - Package renamed SphincsC6Verity -> SphincsVerity. Documentation accuracy: - README/CLAUDE.md/verity docs now state that only C13 keccak and SLH-DSA-SHA2-128-24 are modeled, that live C7/C9 are not modeled, and that the Lean models are hand-transcribed, never compiled into contracts, deployed, or replayed in Foundry. - AXIOMS.md rewritten to enumerate the exact trust surface: three C13 residual assembly axioms (issue #7), the SHA2 bridge axiom, and the opaque SHA2 primitives constant; keccak in the C13 model is concrete. Collision resistance and EUF-CMA are out-of-scope assumptions, not Lean axioms.
The probes/ directory held unvalidated work-in-progress discharge proofs for the three C13 residual assembly axioms (issue #7). The main line keeps only the building, validated state; the in-progress discharge work continues on the wip/axiom-discharge branch.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR makes the Verity tree and the repo documentation match the live production verifier set, and brings the C13 model up to date with the current Solidity.
C13 model catches up with the Solidity public-key guard (review C13-V-f1)
c13VerifyBodyinverity/SphincsMinusVerifiers/Model.leannow runs the public-key canonicality guard (pkSeed/pkRootmust equal themselves masked byN_MASK, otherwise revert withInvalid public key) right after the length guard, matchingsrc/SPHINCs-C13Asm.sol.wordOfHash16_land_nmask(SegmentS2R.lean) andmkC13State_pkSeed_canonical/mkC13State_pkRoot_canonical(SegmentRejectSpec.lean).Spec.leankeepsfullPkSeed/fullPkRoot := trueforc13on purpose: the byte spec builds the state withwordOfHash16, whose low 128 bits are always zero, so a non-canonical public-key word is not observable at that boundary. The guard is a model-level fact, proved as such.Legacy scope removal
The repo's live verifiers are C7, C9, C13, and SLH-DSA-SHA2-128-24; C12 Solidity moved to
legacy/upstream. Accordingly this removes:C12Concrete.lean,C12BridgePrep.lean,C12Segment*.lean) and its lakefile roots,SphincsC6*andSphincsKerneltrees,verity/artifacts/, andverity/scripts/compile_merkle_kernel.py,test/MerkleKernelVerityTest.t.sol, the only Foundry test that replayed a Verity artifact (the small Merkle kernel). With it gone, no Verity artifact is exercised by Foundry, and the docs now say so explicitly.The lake package is renamed
SphincsC6Verity->SphincsVerity.Documentation accuracy
README.md,CLAUDE.md,verity/README.md, and theSphincsMinusVerifiers/*.mdset now state precisely: only the C13 keccak verifier and the SLH-DSA-SHA2-128-24 verifier are modeled; live C7/C9 are not modeled; the Lean models are hand-transcribed from the assembly and are not compiled into contracts, not deployed, and not replayed in Foundry.verity/SphincsMinusVerifiers/AXIOMS.mdis rewritten as an exact axiom inventory (see verification below).Verification
lake build(viaverity/scripts/build.sh) is green: no errors, nosorry, no warnings.#print axiomsconfirms the exact trust surface:c13_refines_spec/c13_implements_spec: Lean core axioms (propext,Classical.choice,Quot.sound) plus exactly the three named residual assembly axioms (c13_ok_beforeAuthOff_wotsPk_lightweight_chain_inputs_layer0,..._cells_residual_layer1,c13_reverted_layer0_..._cells_residual). Discharging these is issue verity: discharge the 4 remaining residual assembly axioms #7, addressed by a follow-up PR.slhDsaSha2_128_24_refines_spec: Lean core axioms plusslhDsaSha2_128_24_refines_byte_spec(MODEL-EXEC-BRIDGE) and the opaqueslhDsaSha2_128_24_Primitives.C13Concrete.c13PrimitivesConcrete, same pure Keccak as the interpreter), so no keccak axiom remains; collision resistance / EUF-CMA are out-of-scope cryptographic assumptions, not Lean axioms.forge buildpasses; the defaultforge testpath never referenced the removed Lean trees.Test plan
forge build/forge testverity/SphincsMinusVerifiers/AXIOMS.mdagainst#print axiomsoutput at the bottom ofProofs.leanModel.leanagainstsrc/SPHINCs-C13Asm.solVerification status
src/SPHINCs-C13Asm.solverity/SphincsMinusVerifiers/Model.lean(SphincsC13Asm_VerityModel)c13_refines_byte_spec->c13_refines_spec/c13_implements_spec(Proofs.lean)c13_ok_beforeAuthOff_wotsPk_lightweight_chain_inputs_layer0,..._cells_residual_layer1,c13_reverted_layer0_..._cells_residual); 0sorrysrc/SLH-DSA-SHA2-128-24verifier.solverity/SphincsMinusVerifiers/Model.lean(SLH_DSA_SHA2_128_24_VerityModel)slhDsaSha2_128_24_refines_byte_spec->slhDsaSha2_128_24_refines_spec(Proofs.lean)slhDsaSha2_128_24_Primitives(ProofCore.lean); 0sorryevalExpr_staticcall = none);linear_memory_aliasing: overlapping sub-wordmstores vs the word-keyed memory model block accept-path replay. Malformed-length and length-guard slices are proved without the axiomWhy axiomatized. The three C13 residual axioms pin already-proved generic WOTS chain lemmas (
C13WotsPkKeccak.lean,C13ChainCells.lean) to concrete interpreter states at the lightweight cutpoint; the concrete instantiation needs more elaboration memory than prior hosts allowed, so it was taken as a named obligation rather than proved orsorry-ed. See the AXIOMS.md "Residual Assembly Axioms" inventory and the docstrings inProofs.lean(file header, lines ~25-60, and the per-axiom ASSEMBLY OBLIGATION comments around lines 11255/11570/11978). The SHA2 bridge axiom rationale is in the same file header. C13's primitives carry no axiom: hashing is the interpreter's concrete pure Keccak.Note
Low Risk
Changes are documentation and deletion of unused Verity/Foundry artifacts; production Solidity verifiers in
src/are not modified in this diff.Overview
Scope and honesty. Top-level and
verity/docs now state that onlySPHINCs-C13AsmandSLH-DSA-SHA2-128-24verifierare modeled; live C7/C9 are explicitly unverified in Lean. Models are described as hand-transcribed, not compiled into contracts, not deployed, and not replayed in Foundry (no EVM regression against Lean).Legacy removal. Drops the old Verity trees (
SphincsC6*,SphincsC6Full,SphincsC6V,SphincsKernel),C12Concrete.lean, relatedSpec.leanc12variant wiring, andtest/MerkleKernelVerityTest.t.sol(~490 lines) plus its FFI compile path. The Lean package is renamedSphincsC6Verity→SphincsVerity.Trust surface docs.
AXIOMS.mdandAUDIT.mdare rewritten to match the slimmer inventory: C13 top-level theorems rest on Lean core plus three named residual WOTS-PK assembly axioms; SHA-2 keeps MODEL-EXEC-BRIDGE and opaque SHA-256 primitives.publicKeyOk_c13drops out of the C13Concrete axiom print list as docs clarify byte-spec vs model-level PK handling.README polish. Minor prose/formatting fixes (punctuation,
n/avs em dashes) alongside the formal verification section expansion in rootREADME.md.Reviewed by Cursor Bugbot for commit e62d833. Bugbot is set up for automated code reviews on this repo. Configure here.