Theory Constructive_Cryptography
section βΉSecurityβΊ
theory Constructive_Cryptography imports
Wiring
begin
definition "advantage π res1 res2 = Β¦spmf (connect π res1) True - spmf (connect π res2) TrueΒ¦"
locale constructive_security_aux =
fixes real_resource :: "security β ('a + 'e, 'b + 'f) resource"
and ideal_resource :: "security β ('c + 'e, 'd + 'f) resource"
and sim :: "security β ('a, 'b, 'c, 'd) converter"
and β_real :: "security β ('a, 'b) β"
and β_ideal :: "security β ('c, 'd) β"
and β_common :: "security β ('e, 'f) β"
and bound :: "security β enat"
and lossless :: "bool"
assumes WT_real [WT_intro]: "βΞ·. β_real Ξ· ββ©β β_common Ξ· β’res real_resource Ξ· β"
and WT_ideal [WT_intro]: "βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’res ideal_resource Ξ· β"
and WT_sim [WT_intro]: "βΞ·. β_real Ξ·, β_ideal Ξ· β’β©C sim Ξ· β"
and adv: "βπ :: security β ('a + 'e, 'b + 'f) distinguisher.
β¦ βΞ·. β_real Ξ· ββ©β β_common Ξ· β’g π Ξ· β;
βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound Ξ·);
βΞ·. lossless βΉ plossless_gpv (β_real Ξ· ββ©β β_common Ξ·) (π Ξ·) β§
βΉ negligible (λη. advantage (π Ξ·) (sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·) (real_resource Ξ·))"
locale constructive_security =
constructive_security_aux real_resource ideal_resource sim β_real β_ideal β_common bound lossless
for real_resource :: "security β ('a + 'e, 'b + 'f) resource"
and ideal_resource :: "security β ('c + 'e, 'd + 'f) resource"
and sim :: "security β ('a, 'b, 'c, 'd) converter"
and β_real :: "security β ('a, 'b) β"
and β_ideal :: "security β ('c, 'd) β"
and β_common :: "security β ('e, 'f) β"
and bound :: "security β enat"
and lossless :: "bool"
and w :: "security β ('c, 'd, 'a, 'b) wiring"
+
assumes correct: "βcnv. βπ :: security β ('c + 'e, 'd + 'f) distinguisher.
(βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’g π Ξ· β)
βΆ (βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound Ξ·))
βΆ (βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (π Ξ·))
βΆ (βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
locale constructive_security2 =
constructive_security_aux real_resource ideal_resource sim β_real β_ideal β_common bound lossless
for real_resource :: "security β ('a + 'e, 'b + 'f) resource"
and ideal_resource :: "security β ('c + 'e, 'd + 'f) resource"
and sim :: "security β ('a, 'b, 'c, 'd) converter"
and β_real :: "security β ('a, 'b) β"
and β_ideal :: "security β ('c, 'd) β"
and β_common :: "security β ('e, 'f) β"
and bound :: "security β enat"
and lossless :: "bool"
and w :: "security β ('c, 'd, 'a, 'b) wiring"
+
assumes sim: "βcnv. βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·) β§ wiring (β_ideal Ξ·) (β_ideal Ξ·) (cnv Ξ· β sim Ξ·) (id, id)"
begin
lemma constructive_security:
"constructive_security real_resource ideal_resource sim β_real β_ideal β_common bound lossless w"
proof
from sim obtain cnv
where w: "βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)"
and inverse: "βΞ·. wiring (β_ideal Ξ·) (β_ideal Ξ·) (cnv Ξ· β sim Ξ·) (id, id)"
by blast
show "βcnv. βπ. (βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’g π Ξ· β)
βΆ (βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·))
βΆ (βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (π Ξ·))
βΆ (βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
proof(intro strip exI conjI)
fix π :: "security β ('c + 'e, 'd + 'f) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound Ξ·)"
and lossless [rule_format]: "βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (π Ξ·)"
show "wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)" for Ξ· by fact
let ?A = "λη. outs_β (β_ideal Ξ·)"
let ?cnv = "λη. restrict_converter (?A Ξ·) (β_real Ξ·) (cnv Ξ·)"
let ?π = "λη. absorb (π Ξ·) (?cnv Ξ· |β©= 1β©C)"
have eq: "advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·) =
advantage (?π Ξ·) (sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·) (real_resource Ξ·)" for Ξ·
proof -
from w[of Ξ·] have [WT_intro]: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· β" by cases
have "β_ideal Ξ·, β_ideal Ξ· β’β©C ?cnv Ξ· β sim Ξ· βΌ cnv Ξ· β sim Ξ·"
by(rule eq_β_comp_cong eq_β_restrict_converter WT_intro order_refl eq_β_converter_reflI)+
also from inverse[of Ξ·] have "β_ideal Ξ·, β_ideal Ξ· β’β©C cnv Ξ· β sim Ξ· βΌ 1β©C" by cases simp
finally have inverse': "β_ideal Ξ·, β_ideal Ξ· β’β©C ?cnv Ξ· β sim Ξ· βΌ 1β©C" .
hence "β_ideal Ξ· ββ©β β_common Ξ·, β_ideal Ξ· ββ©β β_common Ξ· β’β©C ?cnv Ξ· β sim Ξ· |β©= 1β©C βΌ 1β©C |β©= 1β©C"
by(rule parallel_converter2_eq_β_cong)(intro eq_β_converter_reflI WT_intro)
also have "β_ideal Ξ· ββ©β β_common Ξ·, β_ideal Ξ· ββ©β β_common Ξ· β’β©C 1β©C |β©= 1β©C βΌ 1β©C"
by(rule parallel_converter2_id_id)
also
have eq1: "connect (π Ξ·) (?cnv Ξ· |β©= 1β©C β³ sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·) =
connect (π Ξ·) (1β©C β³ ideal_resource Ξ·)"
unfolding attach_compose[symmetric] comp_converter_parallel2 comp_converter_id_right
by(rule connect_eq_resource_cong WT_intro eq_β_attach_on' calculation)+(fastforce intro: WT_intro)+
have *: "β_ideal Ξ· ββ©β β_common Ξ·, β_real Ξ· ββ©β β_common Ξ· β’β©C ?cnv Ξ· |β©= 1β©C βΌ cnv Ξ· |β©= 1β©C"
by(rule parallel_converter2_eq_β_cong eq_β_restrict_converter)+(auto intro: WT_intro eq_β_converter_reflI)
have eq2: "connect (π Ξ·) (?cnv Ξ· |β©= 1β©C β³ real_resource Ξ·) = connect (π Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·)"
by(rule connect_eq_resource_cong WT_intro eq_β_attach_on' *)+(auto intro: WT_intro)
show ?thesis unfolding advantage_def by(simp add: distinguish_attach[symmetric] eq1 eq2)
qed
have "β_real Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ·
proof -
from w have [WT_intro]: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· β" by cases
show ?thesis by(rule WT_intro)+
qed
moreover
have "interaction_any_bounded_by (absorb (π Ξ·) (?cnv Ξ· |β©= 1β©C)) (bound Ξ·)" for Ξ·
proof -
from w[of Ξ·] obtain f g where [simp]: "w Ξ· = (f, g)"
and [WT_intro]: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· β"
and eq: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· βΌ map_converter id id f g 1β©C" by cases
from eq_β_restrict_converter_cong[OF eq order_refl]
have *: "restrict_converter (?A Ξ·) (β_real Ξ·) (cnv Ξ·) =
restrict_converter (?A Ξ·) (β_real Ξ·) (map_converter f g id id 1β©C)"
by(subst map_converter_id_move_right) simp
show ?thesis unfolding * by interaction_bound_converter simp
qed
moreover have "plossless_gpv (β_real Ξ· ββ©β β_common Ξ·) (?π Ξ·)"
if "lossless" for Ξ·
proof -
from w[of Ξ·] obtain f g where [simp]: "w Ξ· = (f, g)"
and cnv [WT_intro]: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· β"
and eq: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· βΌ map_converter id id f g 1β©C" by cases
from eq_β_converterD_WT1[OF eq cnv] have β: "β_ideal Ξ· β€ map_β f g (β_real Ξ·)"
by(rule WT_map_converter_idD)
with WT_converter_id have [WT_intro]: "β_ideal Ξ·, map_β f g (β_real Ξ·) β’β©C 1β©C β"
by(rule WT_converter_mono) simp
have id: "plossless_converter (β_ideal Ξ·) (map_β f g (β_real Ξ·)) 1β©C"
by(rule plossless_converter_mono)(rule plossless_id_converter order_refl β WT_intro)+
show ?thesis unfolding eq_β_restrict_converter_cong[OF eq order_refl]
by(rule plossless_gpv_absorb lossless[OF that] plossless_parallel_converter2 plossless_restrict_converter plossless_map_converter)+
(fastforce intro: WT_intro id WT_converter_map_converter)+
qed
ultimately show "negligible (λη. advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
unfolding eq by(rule adv)
qed
qed
sublocale constructive_security real_resource ideal_resource sim β_real β_ideal β_common bound lossless w
by(rule constructive_security)
end
subsection βΉComposition theoremsβΊ
theorem composability:
fixes real
assumes "constructive_security middle ideal sim_inner β_middle β_inner β_common bound_inner lossless_inner w1"
assumes "constructive_security real middle sim_outer β_real β_middle β_common bound_outer lossless_outer w2"
and bound [interaction_bound]: "βΞ·. interaction_any_bounded_converter (sim_outer Ξ·) (bound_sim Ξ·)"
and bound_le: "βΞ·. bound_outer Ξ· * max (bound_sim Ξ·) 1 β€ bound_inner Ξ·"
and lossless_sim [plossless_intro]: "βΞ·. lossless_inner βΉ plossless_converter (β_real Ξ·) (β_middle Ξ·) (sim_outer Ξ·)"
shows "constructive_security real ideal (λη. sim_outer Ξ· β sim_inner Ξ·) β_real β_inner β_common bound_outer (lossless_outer β¨ lossless_inner) (λη. w1 Ξ· ββ©w w2 Ξ·)"
proof
interpret inner: constructive_security middle ideal sim_inner β_middle β_inner β_common bound_inner lossless_inner w1 by fact
interpret outer: constructive_security real middle sim_outer β_real β_middle β_common bound_outer lossless_outer w2 by fact
show "β_real Ξ· ββ©β β_common Ξ· β’res real Ξ· β"
and "β_inner Ξ· ββ©β β_common Ξ· β’res ideal Ξ· β"
and "β_real Ξ·, β_inner Ξ· β’β©C sim_outer Ξ· β sim_inner Ξ· β" for Ξ· by(rule WT_intro)+
{ fix π :: "security β ('g + 'b, 'h + 'd) distinguisher"
assume WT [WT_intro]: "β_real Ξ· ββ©β β_common Ξ· β’g π Ξ· β" for Ξ·
assume bound_outer [interaction_bound]: "interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound_outer Ξ·)" for Ξ·
assume lossless [plossless_intro]:
"lossless_outer β¨ lossless_inner βΉ plossless_gpv (β_real Ξ· ββ©β β_common Ξ·) (π Ξ·)" for Ξ·
let ?π = "λη. absorb (π Ξ·) (sim_outer Ξ· |β©= 1β©C)"
have "β_middle Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
moreover have "interaction_any_bounded_by (?π Ξ·) (bound_inner Ξ·)" for Ξ·
by interaction_bound_converter(rule bound_le)
moreover have "plossless_gpv (β_middle Ξ· ββ©β β_common Ξ·) (?π Ξ·)" if lossless_inner for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
ultimately have "negligible (λη. advantage (?π Ξ·) (sim_inner Ξ· |β©= 1β©C β³ ideal Ξ·) (middle Ξ·))"
by(rule inner.adv)
also have "negligible (λη. advantage (π Ξ·) (sim_outer Ξ· |β©= 1β©C β³ middle Ξ·) (real Ξ·))"
by(rule outer.adv[OF WT bound_outer lossless]) simp
finally (negligible_plus)
show "negligible (λη. advantage (π Ξ·) (sim_outer Ξ· β sim_inner Ξ· |β©= 1β©C β³ ideal Ξ·) (real Ξ·))"
apply(rule negligible_mono)
apply(simp add: bigo_def)
apply(rule exI[where x=1])
apply simp
apply(rule always_eventually)
apply(clarsimp simp add: advantage_def)
apply(rule order_trans)
apply(rule abs_diff_triangle_ineq2)
apply(rule add_right_mono)
apply(clarsimp simp add: advantage_def distinguish_attach[symmetric] attach_compose[symmetric] comp_converter_parallel2 comp_converter_id_left)
done
next
from inner.correct obtain cnv_inner
where correct_inner: "βπ. β¦ βΞ·. β_inner Ξ· ββ©β β_common Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound_inner Ξ·);
βΞ·. lossless_inner βΉ plossless_gpv (β_inner Ξ· ββ©β β_common Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_inner Ξ·) (β_middle Ξ·) (cnv_inner Ξ·) (w1 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal Ξ·) (cnv_inner Ξ· |β©= 1β©C β³ middle Ξ·))"
by blast
from outer.correct obtain cnv_outer
where correct_outer: "βπ. β¦ βΞ·. β_middle Ξ· ββ©β β_common Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound_outer Ξ·);
βΞ·. lossless_outer βΉ plossless_gpv (β_middle Ξ· ββ©β β_common Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_middle Ξ·) (β_real Ξ·) (cnv_outer Ξ·) (w2 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (middle Ξ·) (cnv_outer Ξ· |β©= 1β©C β³ real Ξ·))"
by blast
show "βcnv. βπ. (βΞ·. β_inner Ξ· ββ©β β_common Ξ· β’g π Ξ· β) βΆ
(βΞ·. interaction_any_bounded_by (π Ξ·) (bound_outer Ξ·)) βΆ
(βΞ·. lossless_outer β¨ lossless_inner βΆ plossless_gpv (β_inner Ξ· ββ©β β_common Ξ·) (π Ξ·)) βΆ
(βΞ·. wiring (β_inner Ξ·) (β_real Ξ·) (cnv Ξ·) (w1 Ξ· ββ©w w2 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal Ξ·) (cnv Ξ· |β©= 1β©C β³ real Ξ·))"
proof(intro exI strip conjI)
fix π :: "security β ('e + 'b, 'f + 'd) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. β_inner Ξ· ββ©β β_common Ξ· β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound_outer Ξ·)"
and lossless [rule_format]: "βΞ·. lossless_outer β¨ lossless_inner βΆ plossless_gpv (β_inner Ξ· ββ©β β_common Ξ·) (π Ξ·)"
let ?cnv = "λη. cnv_inner Ξ· β cnv_outer Ξ·"
have bound': "interaction_any_bounded_by (π Ξ·) (bound_inner Ξ·)" for Ξ· using bound[of Ξ·] bound_le[of Ξ·]
by(clarsimp elim!: interaction_bounded_by_mono order_trans[rotated] simp add: max_def)
(metis (full_types) linorder_linear more_arith_simps(6) mult_left_mono zero_le)
from correct_inner[OF WT_D bound' lossless]
have w1: "βΞ·. wiring (β_inner Ξ·) (β_middle Ξ·) (cnv_inner Ξ·) (w1 Ξ·)"
and adv1: "negligible (λη. advantage (π Ξ·) (ideal Ξ·) (cnv_inner Ξ· |β©= 1β©C β³ middle Ξ·))"
by auto
obtain f g where WT_inner [WT_intro]: "βΞ·. β_inner Ξ·, β_middle Ξ· β’β©C cnv_inner Ξ· β"
and fg [simp]: "βΞ·. w1 Ξ· = (f Ξ·, g Ξ·)"
and eq1: "βΞ·. β_inner Ξ·, β_middle Ξ· β’β©C cnv_inner Ξ· βΌ map_converter id id (f Ξ·) (g Ξ·) 1β©C"
using w1
apply(atomize_elim)
apply(fold all_conj_distrib)
apply(subst choice_iff[symmetric])+
apply(fastforce elim!: wiring.cases)
done
from w1 have [WT_intro]: "β_inner Ξ·, β_middle Ξ· β’β©C cnv_inner Ξ· β" for Ξ· by cases
let ?π = "λη. absorb (π Ξ·) (map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= 1β©C)"
have β: "β_inner Ξ· β€ map_β (f Ξ·) (g Ξ·) (β_middle Ξ·)" for Ξ·
using eq_β_converterD_WT1[OF eq1 WT_inner, of Ξ·] by(rule WT_map_converter_idD)
with WT_converter_id have [WT_intro]: "β_inner Ξ·, map_β (f Ξ·) (g Ξ·) (β_middle Ξ·) β’β©C 1β©C β"
for Ξ· by(rule WT_converter_mono) simp
have WT_D': "β_middle Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro | simp)+
have bound': "interaction_any_bounded_by (?π Ξ·) (bound_outer Ξ·)" for Ξ·
by(subst map_converter_id_move_left)(interaction_bound; simp)
have [simp]: "plossless_converter (β_inner Ξ·) (map_β (f Ξ·) (g Ξ·) (β_middle Ξ·)) 1β©C " for Ξ·
using plossless_id_converter _ β[of Ξ·] by(rule plossless_converter_mono) auto
from lossless
have "plossless_gpv (β_middle Ξ· ββ©β β_common Ξ·) (?π Ξ·)" if lossless_outer for Ξ·
by(rule plossless_gpv_absorb)(auto simp add: that intro!: WT_intro plossless_parallel_converter2 plossless_map_converter)
from correct_outer[OF WT_D' bound' this]
have w2: "βΞ·. wiring (β_middle Ξ·) (β_real Ξ·) (cnv_outer Ξ·) (w2 Ξ·)"
and adv2: "negligible (λη. advantage (?π Ξ·) (middle Ξ·) (cnv_outer Ξ· |β©= 1β©C β³ real Ξ·))"
by auto
from w2 have [WT_intro]: "β_middle Ξ·, β_real Ξ· β’β©C cnv_outer Ξ· β" for Ξ· by cases
show "wiring (β_inner Ξ·) (β_real Ξ·) (?cnv Ξ·) (w1 Ξ· ββ©w w2 Ξ·)" for Ξ·
using w1 w2 by(rule wiring_comp_converterI)
have eq1': "connect (π Ξ·) (cnv_inner Ξ· |β©= 1β©C β³ middle Ξ·) = connect (?π Ξ·) (middle Ξ·)" for Ξ·
unfolding distinguish_attach[symmetric]
by(rule connect_eq_resource_cong WT_intro eq_β_attach_on' parallel_converter2_eq_β_cong eq1 eq_β_converter_reflI order_refl)+
have eq2': "connect (?π Ξ·) (cnv_outer Ξ· |β©= 1β©C β³ real Ξ·) = connect (π Ξ·) (?cnv Ξ· |β©= 1β©C β 1β©C β³ real Ξ·)" for Ξ·
unfolding distinguish_attach[symmetric] attach_compose comp_converter_parallel2[symmetric]
by(rule connect_eq_resource_cong WT_intro eq_β_attach_on' parallel_converter2_eq_β_cong eq1[symmetric] eq_β_converter_reflI order_refl|simp)+
show "negligible (λη. advantage (π Ξ·) (ideal Ξ·) (?cnv Ξ· |β©= 1β©C β³ real Ξ·))"
using negligible_plus[OF adv1 adv2] unfolding advantage_def eq1' eq2' comp_converter_id_right
by(rule negligible_le) simp
qed
}
qed
theorem (in constructive_security) lifting:
assumes WT_conv [WT_intro]: "βΞ·. β_common' Ξ·, β_common Ξ· β’β©C conv Ξ· β"
and bound [interaction_bound]: "βΞ·. interaction_any_bounded_converter (conv Ξ·) (bound_conv Ξ·)"
and bound_le: "βΞ·. bound' Ξ· * max (bound_conv Ξ·) 1 β€ bound Ξ·"
and lossless [plossless_intro]: "βΞ·. lossless βΉ plossless_converter (β_common' Ξ·) (β_common Ξ·) (conv Ξ·)"
shows "constructive_security
(λη. 1β©C |β©= conv Ξ· β³ real_resource Ξ·) (λη. 1β©C |β©= conv Ξ· β³ ideal_resource Ξ·) sim
β_real β_ideal β_common' bound' lossless w"
proof
fix π :: "security β ('a + 'g, 'b + 'h) distinguisher"
assume WT_π [WT_intro]: "β_real Ξ· ββ©β β_common' Ξ· β’g π Ξ· β" for Ξ·
assume bound_π [interaction_bound]: "interaction_any_bounded_by (π Ξ·) (bound' Ξ·)" for Ξ·
assume lossless_π [plossless_intro]: "lossless βΉ plossless_gpv (β_real Ξ· ββ©β β_common' Ξ·) (π Ξ·)" for Ξ·
let ?π = "λη. absorb (π Ξ·) (1β©C |β©= conv Ξ·)"
have ideal: "connect (π Ξ·) (sim Ξ· |β©= 1β©C β³ 1β©C |β©= conv Ξ· β³ ideal_resource Ξ·) = connect (?π Ξ·) (sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·)" for Ξ·
by(simp add: distinguish_attach[symmetric] attach_compose[symmetric] comp_converter_parallel2 comp_converter_id_left comp_converter_id_right)
have real: "connect (π Ξ·) (1β©C |β©= conv Ξ· β³ real_resource Ξ·) = connect (?π Ξ·) (real_resource Ξ·)" for Ξ·
by(simp add: distinguish_attach[symmetric])
have "β_real Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
moreover have "interaction_any_bounded_by (?π Ξ·) (bound Ξ·)" for Ξ·
by interaction_bound_converter(use bound_le[of Ξ·] in βΉsimp add: max.commuteβΊ)
moreover have " plossless_gpv (β_real Ξ· ββ©β β_common Ξ·) (absorb (π Ξ·) (1β©C |β©= conv Ξ·))" if lossless for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
ultimately show "negligible (λη. advantage (π Ξ·) (sim Ξ· |β©= 1β©C β³ 1β©C |β©= conv Ξ· β³ ideal_resource Ξ·) (1β©C |β©= conv Ξ· β³ real_resource Ξ·))"
unfolding advantage_def ideal real by(rule adv[unfolded advantage_def])
next
from correct obtain cnv
where correct': "βπ. β¦ βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·);
βΞ·. lossless βΉ plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
by blast
show "βcnv. βπ. (βΞ·. β_ideal Ξ· ββ©β β_common' Ξ· β’g π Ξ· β) βΆ
(βΞ·. interaction_any_bounded_by (π Ξ·) (bound' Ξ·)) βΆ
(βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β β_common' Ξ·) (π Ξ·)) βΆ
(βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (1β©C |β©= conv Ξ· β³ ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ 1β©C |β©= conv Ξ· β³ real_resource Ξ·))"
proof(intro exI conjI strip)
fix π :: "security β ('c + 'g, 'd + 'h) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. β_ideal Ξ· ββ©β β_common' Ξ· β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound' Ξ·)"
and lossless [rule_format]: "βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β β_common' Ξ·) (π Ξ·)"
let ?π = "λη. absorb (π Ξ·) (1β©C |β©= conv Ξ·)"
have WT_D' [WT_intro]: "β_ideal Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
have bound': "interaction_any_bounded_by (?π Ξ·) (bound Ξ·)" for Ξ·
by interaction_bound(use bound_le[of Ξ·] in βΉauto simp add: max_def split: if_split_asmβΊ)
have "plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (?π Ξ·)" if lossless for Ξ·
by(rule lossless that WT_intro plossless_intro)+
from correct'[OF WT_D' bound' this]
have w1: "wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)"
and adv': "negligible (λη. advantage (?π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))" for Ξ·
by auto
show "wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)" for Ξ· by(rule w1)
have "cnv Ξ· |β©= 1β©C β³ 1β©C |β©= conv Ξ· β³ real_resource Ξ· = 1β©C |β©= conv Ξ· β³ cnv Ξ· |β©= 1β©C β³ real_resource Ξ·" for Ξ·
by(simp add: attach_compose[symmetric] comp_converter_parallel2 comp_converter_id_left comp_converter_id_right)
with adv'
show "negligible (λη. advantage (π Ξ·) (1β©C |β©= conv Ξ· β³ ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ 1β©C |β©= conv Ξ· β³ real_resource Ξ·))"
by(simp add: advantage_def distinguish_attach[symmetric])
qed
qed(rule WT_intro)+
theorem constructive_security_trivial:
fixes res
assumes [WT_intro]: "βΞ·. β Ξ· ββ©β β_common Ξ· β’res res Ξ· β"
shows "constructive_security res res (Ξ»_. 1β©C) β β β_common bound lossless (Ξ»_. (id, id))"
proof
show "β Ξ· ββ©β β_common Ξ· β’res res Ξ· β" and "β Ξ·, β Ξ· β’β©C 1β©C β" for Ξ· by(rule WT_intro)+
fix π :: "security β ('a + 'b, 'c + 'd) distinguisher"
assume WT [WT_intro]: "β Ξ· ββ©β β_common Ξ· β’g π Ξ· β" for Ξ·
have "connect (π Ξ·) (1β©C |β©= 1β©C β³ res Ξ·) = connect (π Ξ·) (1β©C β³ res Ξ·)" for Ξ·
by(rule connect_eq_resource_cong[OF WT])(fastforce intro: WT_intro eq_β_attach_on' parallel_converter2_id_id)+
then show "negligible (λη. advantage (π Ξ·) (1β©C |β©= 1β©C β³ res Ξ·) (res Ξ·))"
unfolding advantage_def by simp
next
show "βcnv. βπ. (βΞ·. β Ξ· ββ©β β_common Ξ· β’g π Ξ· β) βΆ
(βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·)) βΆ
(βΞ·. lossless βΆ plossless_gpv (β Ξ· ββ©β β_common Ξ·) (π Ξ·)) βΆ
(βΞ·. wiring (β Ξ·) (β Ξ·) (cnv Ξ·) (id, id)) β§
negligible (λη. advantage (π Ξ·) (res Ξ·) (cnv Ξ· |β©= 1β©C β³ res Ξ·))"
proof(intro exI strip conjI)
fix π :: "security β ('a + 'b, 'c + 'd) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. β Ξ· ββ©β β_common Ξ· β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_bounded_by (Ξ»_. True) (π Ξ·) (bound Ξ·)"
and lossless [rule_format]: "βΞ·. lossless βΆ plossless_gpv (β Ξ· ββ©β β_common Ξ·) (π Ξ·)"
show "wiring (β Ξ·) (β Ξ·) 1β©C (id, id)" for Ξ· by simp
have "connect (π Ξ·) (1β©C |β©= 1β©C β³ res Ξ·) = connect (π Ξ·) (1β©C β³ res Ξ·)" for Ξ·
by(rule connect_eq_resource_cong)(rule WT_intro eq_β_attach_on' parallel_converter2_id_id order_refl)+
then show "negligible (λη. advantage (π Ξ·) (res Ξ·) (1β©C |β©= 1β©C β³ res Ξ·))"
by(auto simp add: advantage_def)
qed
qed
theorem parallel_constructive_security:
assumes "constructive_security real1 ideal1 sim1 β_real1 β_inner1 β_common1 bound1 lossless1 w1"
assumes "constructive_security real2 ideal2 sim2 β_real2 β_inner2 β_common2 bound2 lossless2 w2"
and lossless_real1 [plossless_intro]: "βΞ·. lossless2 βΉ lossless_resource (β_real1 Ξ· ββ©β β_common1 Ξ·) (real1 Ξ·)"
and lossless_sim2 [plossless_intro]: "βΞ·. lossless1 βΉ plossless_converter (β_real2 Ξ·) (β_inner2 Ξ·) (sim2 Ξ·)"
and lossless_ideal2 [plossless_intro]: "βΞ·. lossless1 βΉ lossless_resource (β_inner2 Ξ· ββ©β β_common2 Ξ·) (ideal2 Ξ·)"
shows "constructive_security (λη. parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·) (λη. parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·) (λη. sim1 Ξ· |β©= sim2 Ξ·)
(λη. β_real1 Ξ· ββ©β β_real2 Ξ·) (λη. β_inner1 Ξ· ββ©β β_inner2 Ξ·) (λη. β_common1 Ξ· ββ©β β_common2 Ξ·)
(λη. min (bound1 Ξ·) (bound2 Ξ·)) (lossless1 β¨ lossless2) (λη. w1 Ξ· |β©w w2 Ξ·)"
proof
interpret sec1: constructive_security real1 ideal1 sim1 β_real1 β_inner1 β_common1 bound1 lossless1 w1 by fact
interpret sec2: constructive_security real2 ideal2 sim2 β_real2 β_inner2 β_common2 bound2 lossless2 w2 by fact
show "(β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·) β’res parallel_wiring β³ real1 Ξ· β₯ real2 Ξ· β"
and "(β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·) β’res parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ· β"
and "β_real1 Ξ· ββ©β β_real2 Ξ·, β_inner1 Ξ· ββ©β β_inner2 Ξ· β’β©C sim1 Ξ· |β©= sim2 Ξ· β" for Ξ· by(rule WT_intro)+
fix π :: "security β (('a + 'g) + 'b + 'h, ('c + 'i) + 'd + 'j) distinguisher"
assume WT [WT_intro]: "(β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·) β’g π Ξ· β" for Ξ·
assume bound [interaction_bound]: "interaction_any_bounded_by (π Ξ·) (min (bound1 Ξ·) (bound2 Ξ·))" for Ξ·
assume lossless [plossless_intro]: "lossless1 β¨ lossless2 βΉ plossless_gpv ((β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) (π Ξ·)" for Ξ·
let ?π = "λη. absorb (π Ξ·) (parallel_wiring β parallel_converter (converter_of_resource (real1 Ξ·)) 1β©C)"
have *:"β_uniform (outs_β ((β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)))
UNIV,(β_real1 Ξ· ββ©β β_common1 Ξ·) ββ©β (β_inner2 Ξ· ββ©β β_common2 Ξ·) β’β©C
((1β©C |β©= sim2 Ξ·) |β©= 1β©C) β parallel_wiring βΌ ((1β©C |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring" for Ξ·
by(rule eq_β_comp_cong, rule eq_β_converter_mono)
(auto simp add: le_β_def intro: parallel_converter2_eq_β_cong eq_β_converter_reflI WT_converter_parallel_converter2
WT_converter_id sec2.WT_sim parallel_converter2_id_id[symmetric] eq_β_converter_reflI WT_parallel_wiring)
have **: "outs_β ((β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) β’β©R
((1β©C |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ· βΌ
parallel_wiring β (converter_of_resource (real1 Ξ·) |β©β 1β©C) β³ sim2 Ξ· |β©= 1β©C β³ ideal2 Ξ·" for Ξ·
unfolding comp_parallel_wiring
by(rule eq_resource_on_trans, rule eq_β_attach_on[where conv'="parallel_wiring β (1β©C |β©= sim2 Ξ· |β©= 1β©C)"]
, (rule WT_intro)+, rule eq_β_comp_cong, rule eq_β_converter_mono)
(auto simp add: le_β_def attach_compose attach_parallel2 attach_converter_of_resource_conv_parallel_resource
intro: WT_intro parallel_converter2_eq_β_cong parallel_converter2_id_id eq_β_converter_reflI)
have ideal2:
"connect (π Ξ·) ((1β©C |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ·) =
connect (?π Ξ·) (sim2 Ξ· |β©= 1β©C β³ ideal2 Ξ·)" for Ξ·
unfolding distinguish_attach[symmetric]
proof (rule connect_eq_resource_cong[OF WT, rotated], goal_cases)
case 2
then show ?case
by(subst attach_compose[symmetric], rule eq_resource_on_trans
, rule eq_β_attach_on[where conv'="((1β©C |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring"])
((rule WT_intro)+ | intro * | intro ** )+
qed (rule WT_intro)+
have real2: "connect (π Ξ·) (parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·) = connect (?π Ξ·) (real2 Ξ·)" for Ξ·
unfolding distinguish_attach[symmetric]
by(simp add: attach_compose attach_converter_of_resource_conv_parallel_resource)
have "β_real2 Ξ· ββ©β β_common2 Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
moreover have "interaction_any_bounded_by (?π Ξ·) (bound2 Ξ·)" for Ξ·
by interaction_bound_converter simp
moreover have "plossless_gpv (β_real2 Ξ· ββ©β β_common2 Ξ·) (?π Ξ·)" if "lossless2" for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
ultimately
have negl2: "negligible (λη. advantage (π Ξ·)
((1β©C |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ·)
(parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·))"
unfolding advantage_def ideal2 real2 by(rule sec2.adv[unfolded advantage_def])
let ?π = "λη. absorb (π Ξ·) (parallel_wiring β parallel_converter 1β©C (converter_of_resource (sim2 Ξ· |β©= 1β©C β³ ideal2 Ξ·)))"
have ideal1:
"connect (π Ξ·) ((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·) =
connect (?π Ξ·) (sim1 Ξ· |β©= 1β©C β³ ideal1 Ξ·)" for Ξ·
proof -
have *: "β_uniform ((outs_β (β_real1 Ξ·) <+> outs_β (β_real2 Ξ·)) <+> outs_β (β_common1 Ξ·) <+>
outs_β (β_common2 Ξ·)) UNIV,(β_inner1 Ξ· ββ©β β_common1 Ξ·) ββ©β (β_inner2 Ξ· ββ©β β_common2 Ξ·) β’β©C
((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C) β parallel_wiring βΌ ((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring"
by(rule eq_β_comp_cong, rule eq_β_converter_mono)
(auto simp add: le_β_def comp_parallel_wiring' attach_compose attach_parallel2 attach_converter_of_resource_conv_parallel_resource2
intro: WT_intro parallel_converter2_id_id[symmetric] eq_β_converter_reflI parallel_converter2_eq_β_cong eq_β_converter_mono)
have **:"((outs_β (β_real1 Ξ·) <+> outs_β (β_real2 Ξ·)) <+> outs_β (β_common1 Ξ·) <+> outs_β (β_common2 Ξ·)) β’β©R
(sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ· βΌ
parallel_wiring β (1β©C |β©β converter_of_resource (sim2 Ξ· |β©= 1β©C β³ ideal2 Ξ·)) β³ sim1 Ξ· |β©= 1β©C β³ ideal1 Ξ·"
unfolding attach_compose[symmetric]
by(rule eq_resource_on_trans, rule eq_β_attach_on[where conv'="((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring"])
((rule WT_intro)+ | intro * | auto simp add: le_β_def comp_parallel_wiring' attach_compose
attach_parallel2 attach_converter_of_resource_conv_parallel_resource2 intro: WT_intro *)+
show ?thesis
unfolding distinguish_attach[symmetric] using WT
by(rule connect_eq_resource_cong) (simp add: **, (rule WT_intro)+)
qed
have real1:
"connect (π Ξ·) ((1β©C |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ·) =
connect (?π Ξ·) (real1 Ξ·)" for Ξ·
proof -
have **: "β_uniform (outs_β ((β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)))
UNIV,(β_real1 Ξ· ββ©β β_common1 Ξ·) ββ©β (β_inner2 Ξ· ββ©β β_common2 Ξ·) β’β©C
((1β©C |β©= sim2 Ξ·) |β©= 1β©C) β parallel_wiring βΌ ((1β©C |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring"
by(rule eq_β_comp_cong, rule eq_β_converter_mono)
(auto simp add: le_β_def intro: WT_intro parallel_converter2_eq_β_cong WT_converter_parallel_converter2
parallel_converter2_id_id[symmetric] eq_β_converter_reflI WT_parallel_wiring)
have *: "outs_β ((β_real1 Ξ· ββ©β β_real2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) β’β©R
parallel_wiring β ((1β©C |β©= 1β©C) |β©= sim2 Ξ· |β©= 1β©C) β³ real1 Ξ· β₯ ideal2 Ξ· βΌ
parallel_wiring β (1β©C |β©β converter_of_resource (sim2 Ξ· |β©= 1β©C β³ ideal2 Ξ·)) β³ real1 Ξ·"
by(rule eq_resource_on_trans, rule eq_β_attach_on[where conv'="parallel_wiring β (1β©C |β©= sim2 Ξ· |β©= 1β©C)"]
, (rule WT_intro)+, rule eq_β_comp_cong, rule eq_β_converter_mono)
(auto simp add: le_β_def attach_compose attach_converter_of_resource_conv_parallel_resource2 attach_parallel2
intro: WT_intro parallel_converter2_eq_β_cong parallel_converter2_id_id eq_β_converter_reflI)
show ?thesis
unfolding distinguish_attach[symmetric] using WT
by(rule connect_eq_resource_cong, fold attach_compose)
(rule eq_resource_on_trans[where res'="((1β©C |β©= sim2 Ξ·) |β©= 1β©C |β©= 1β©C) β parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ·"]
, (rule eq_β_attach_on, (intro * ** | subst comp_parallel_wiring | rule eq_β_attach_on | (rule WT_intro eq_β_attach_on)+ )+))
qed
have "β_real1 Ξ· ββ©β β_common1 Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
moreover have "interaction_any_bounded_by (?π Ξ·) (bound1 Ξ·)" for Ξ·
by interaction_bound_converter simp
moreover have "plossless_gpv (β_real1 Ξ· ββ©β β_common1 Ξ·) (?π Ξ·)" if "lossless1" for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
ultimately
have negl1: "negligible (λη. advantage (π Ξ·)
((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·)
((1β©C |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ ideal2 Ξ·))"
unfolding advantage_def ideal1 real1 by(rule sec1.adv[unfolded advantage_def])
from negligible_plus[OF negl1 negl2]
show "negligible (λη. advantage (π Ξ·) ((sim1 Ξ· |β©= sim2 Ξ·) |β©= 1β©C β³ parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·)
(parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·))"
by(rule negligible_mono) (auto simp add: advantage_def intro!: eventuallyI landau_o.big_mono )
next
interpret sec1: constructive_security real1 ideal1 sim1 β_real1 β_inner1 β_common1 bound1 lossless1 w1 by fact
interpret sec2: constructive_security real2 ideal2 sim2 β_real2 β_inner2 β_common2 bound2 lossless2 w2 by fact
from sec1.correct obtain cnv1
where correct1: "βπ. β¦ βΞ·. β_inner1 Ξ· ββ©β β_common1 Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound1 Ξ·);
βΞ·. lossless1 βΉ plossless_gpv (β_inner1 Ξ· ββ©β β_common1 Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_inner1 Ξ·) (β_real1 Ξ·) (cnv1 Ξ·) (w1 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal1 Ξ·) (cnv1 Ξ· |β©= 1β©C β³ real1 Ξ·))"
by blast
from sec2.correct obtain cnv2
where correct2: "βπ. β¦ βΞ·. β_inner2 Ξ· ββ©β β_common2 Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound2 Ξ·);
βΞ·. lossless2 βΉ plossless_gpv (β_inner2 Ξ· ββ©β β_common2 Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_inner2 Ξ·) (β_real2 Ξ·) (cnv2 Ξ·) (w2 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal2 Ξ·) (cnv2 Ξ· |β©= 1β©C β³ real2 Ξ·))"
by blast
show "βcnv. βπ. (βΞ·. (β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·) β’g π Ξ· β) βΆ
(βΞ·. interaction_any_bounded_by (π Ξ·) (min (bound1 Ξ·) (bound2 Ξ·))) βΆ
(βΞ·. lossless1 β¨ lossless2 βΆ plossless_gpv ((β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) (π Ξ·)) βΆ
(βΞ·. wiring (β_inner1 Ξ· ββ©β β_inner2 Ξ·) (β_real1 Ξ· ββ©β β_real2 Ξ·) (cnv Ξ·) (w1 Ξ· |β©w w2 Ξ·)) β§
negligible (λη. advantage (π Ξ·) (parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·) (cnv Ξ· |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·))"
proof(intro exI strip conjI)
fix π :: "security β (('e + 'k) + 'b + 'h, ('f + 'l) + 'd + 'j) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. (β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·) β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_any_bounded_by (π Ξ·) (min (bound1 Ξ·) (bound2 Ξ·))"
and lossless [rule_format, plossless_intro]: "βΞ·. lossless1 β¨ lossless2 βΆ plossless_gpv ((β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) (π Ξ·)"
let ?cnv = "λη. cnv1 Ξ· |β©= cnv2 Ξ·"
let ?π1 = "λη. absorb (π Ξ·) (parallel_wiring β parallel_converter 1β©C (converter_of_resource (ideal2 Ξ·)))"
have WT1: "β_inner1 Ξ· ββ©β β_common1 Ξ· β’g ?π1 Ξ· β" for Ξ· by(rule WT_intro)+
have bound1: "interaction_any_bounded_by (?π1 Ξ·) (bound1 Ξ·)" for Ξ· by interaction_bound simp
have "plossless_gpv (β_inner1 Ξ· ββ©β β_common1 Ξ·) (?π1 Ξ·)" if lossless1 for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
from correct1[OF WT1 bound1 this]
have w1: "wiring (β_inner1 Ξ·) (β_real1 Ξ·) (cnv1 Ξ·) (w1 Ξ·)"
and adv1: "negligible (λη. advantage (?π1 Ξ·) (ideal1 Ξ·) (cnv1 Ξ· |β©= 1β©C β³ real1 Ξ·))" for Ξ·
by auto
from w1 obtain f g where fg: "βΞ·. w1 Ξ· = (f Ξ·, g Ξ·)"
and [WT_intro]: "βΞ·. β_inner1 Ξ·, β_real1 Ξ· β’β©C cnv1 Ξ· β"
and eq1: "βΞ·. β_inner1 Ξ·, β_real1 Ξ· β’β©C cnv1 Ξ· βΌ map_converter id id (f Ξ·) (g Ξ·) 1β©C"
apply atomize_elim
apply(fold all_conj_distrib)
apply(subst choice_iff[symmetric])+
apply(fastforce elim!: wiring.cases)
done
have β1: "β_inner1 Ξ· β€ map_β (f Ξ·) (g Ξ·) (β_real1 Ξ·)" for Ξ·
using eq_β_converterD_WT1[OF eq1] by(rule WT_map_converter_idD)(rule WT_intro)
with WT_converter_id order_refl have [WT_intro]: "β_inner1 Ξ·, map_β (f Ξ·) (g Ξ·) (β_real1 Ξ·) β’β©C 1β©C β" for Ξ·
by(rule WT_converter_mono)
have lossless1 [plossless_intro]: "plossless_converter (β_inner1 Ξ·) (β_real1 Ξ·) (map_converter id id (f Ξ·) (g Ξ·) 1β©C)" for Ξ·
by(rule plossless_map_converter)(rule plossless_intro order_refl β1 WT_intro plossless_converter_mono | simp)+
let ?π2 = "λη. absorb (π Ξ·) (parallel_wiring β parallel_converter (converter_of_resource (map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= 1β©C β³ real1 Ξ·)) 1β©C)"
have WT2: "β_inner2 Ξ· ββ©β β_common2 Ξ· β’g ?π2 Ξ· β" for Ξ· by(rule WT_intro | simp)+
have bound2: "interaction_any_bounded_by (?π2 Ξ·) (bound2 Ξ·)" for Ξ· by interaction_bound simp
have "plossless_gpv (β_inner2 Ξ· ββ©β β_common2 Ξ·) (?π2 Ξ·)" if lossless2 for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
from correct2[OF WT2 bound2 this]
have w2: "wiring (β_inner2 Ξ·) (β_real2 Ξ·) (cnv2 Ξ·) (w2 Ξ·)"
and adv2: "negligible (λη. advantage (?π2 Ξ·) (ideal2 Ξ·) (cnv2 Ξ· |β©= 1β©C β³ real2 Ξ·))" for Ξ·
by auto
from w2 have [WT_intro]: "β_inner2 Ξ·, β_real2 Ξ· β’β©C cnv2 Ξ· β" for Ξ· by cases
have *: "connect (π Ξ·) (?cnv Ξ· |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·) =
connect (?π2 Ξ·) (cnv2 Ξ· |β©= 1β©C β³ real2 Ξ·)" for Ξ·
proof -
have "outs_β ((β_inner1 Ξ· ββ©β β_inner2 Ξ·) ββ©β (β_common1 Ξ· ββ©β β_common2 Ξ·)) β’β©R
?cnv Ξ· |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ· βΌ
(map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= cnv2 Ξ·) |β©= (1β©C |β©= 1β©C) β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·"
by(rule eq_β_attach_on' WT_intro parallel_converter2_eq_β_cong eq1 eq_β_converter_reflI parallel_converter2_id_id[symmetric])+ simp
also have "(map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= cnv2 Ξ·) |β©= (1β©C |β©= 1β©C) β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ· =
parallel_wiring β³ (map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= 1β©C β³ real1 Ξ·) β₯ (cnv2 Ξ· |β©= 1β©C β³ real2 Ξ·)"
by(simp add: comp_parallel_wiring' attach_compose attach_parallel2)
finally show ?thesis
by(auto intro!: connect_eq_resource_cong[OF WT_D] intro: WT_intro simp add: distinguish_attach[symmetric] attach_compose attach_converter_of_resource_conv_parallel_resource)
qed
have **: "connect (?π2 Ξ·) (ideal2 Ξ·) = connect (?π1 Ξ·) (cnv1 Ξ· |β©= 1β©C β³ real1 Ξ·)" for Ξ·
proof -
have "connect (?π2 Ξ·) (ideal2 Ξ·) =
connect (π Ξ·) (parallel_wiring β³ ((map_converter id id (f Ξ·) (g Ξ·) 1β©C |β©= 1β©C) |β©= 1β©C) β³ (real1 Ξ· β₯ ideal2 Ξ·))"
by(simp add: distinguish_attach[symmetric] attach_converter_of_resource_conv_parallel_resource attach_compose attach_parallel2)
also have "β¦ = connect (π Ξ·) (parallel_wiring β³ ((cnv1 Ξ· |β©= 1β©C) |β©= 1β©C) β³ (real1 Ξ· β₯ ideal2 Ξ·))"
unfolding attach_compose[symmetric] using WT_D
by(rule connect_eq_resource_cong[symmetric])
(rule eq_β_attach_on' WT_intro eq_β_comp_cong eq_β_converter_reflI parallel_converter2_eq_β_cong eq1 | simp)+
also have "β¦ = connect (?π1 Ξ·) (cnv1 Ξ· |β©= 1β©C β³ real1 Ξ·)"
by(simp add: distinguish_attach[symmetric] attach_converter_of_resource_conv_parallel_resource2 attach_compose attach_parallel2)
finally show ?thesis .
qed
have ***: "connect (?π1 Ξ·) (ideal1 Ξ·) = connect (π Ξ·) (parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·)" for Ξ·
by(auto intro!: connect_eq_resource_cong[OF WT_D] simp add: attach_converter_of_resource_conv_parallel_resource2 distinguish_attach[symmetric] attach_compose intro: WT_intro)
show "wiring (β_inner1 Ξ· ββ©β β_inner2 Ξ·) (β_real1 Ξ· ββ©β β_real2 Ξ·) (?cnv Ξ·) (w1 Ξ· |β©w w2 Ξ·)" for Ξ·
using w1 w2 by(rule wiring_parallel_converter2)
from negligible_plus[OF adv1 adv2]
show "negligible (λη. advantage (π Ξ·) (parallel_wiring β³ ideal1 Ξ· β₯ ideal2 Ξ·) (?cnv Ξ· |β©= 1β©C β³ parallel_wiring β³ real1 Ξ· β₯ real2 Ξ·))"
by(rule negligible_le)(simp add: advantage_def * ** ***)
qed
qed
theorem (in constructive_security) parallel_realisation1:
assumes WT_res: "βΞ·. β_res Ξ· ββ©β β_common' Ξ· β’res res Ξ· β"
and lossless_res: "βΞ·. lossless βΉ lossless_resource (β_res Ξ· ββ©β β_common' Ξ·) (res Ξ·)"
shows "constructive_security (λη. parallel_wiring β³ res Ξ· β₯ real_resource Ξ·)
(λη. parallel_wiring β³ (res Ξ· β₯ ideal_resource Ξ·)) (λη. parallel_converter2 id_converter (sim Ξ·))
(λη. β_res Ξ· ββ©β β_real Ξ·) (λη. β_res Ξ· ββ©β β_ideal Ξ·) (λη. β_common' Ξ· ββ©β β_common Ξ·) bound lossless (λη. (id, id) |β©w w Ξ·)"
by(rule parallel_constructive_security[OF constructive_security_trivial[where lossless=False and bound="Ξ»_. β", OF WT_res], simplified, OF _ lossless_res])
unfold_locales
theorem (in constructive_security) parallel_realisation2:
assumes WT_res: "βΞ·. β_res Ξ· ββ©β β_common' Ξ· β’res res Ξ· β"
and lossless_res: "βΞ·. lossless βΉ lossless_resource (β_res Ξ· ββ©β β_common' Ξ·) (res Ξ·)"
shows "constructive_security (λη. parallel_wiring β³ real_resource Ξ· β₯ res Ξ·)
(λη. parallel_wiring β³ (ideal_resource Ξ· β₯ res Ξ·)) (λη. parallel_converter2 (sim Ξ·) id_converter)
(λη. β_real Ξ· ββ©β β_res Ξ·) (λη. β_ideal Ξ· ββ©β β_res Ξ·) (λη. β_common Ξ· ββ©β β_common' Ξ·) bound lossless (λη. w Ξ· |β©w (id, id))"
by(rule parallel_constructive_security[OF _ constructive_security_trivial[where lossless=False and bound="Ξ»_. β", OF WT_res], simplified, OF _ lossless_res])
unfold_locales
theorem (in constructive_security) parallel_resource1:
assumes WT_res [WT_intro]: "βΞ·. β_res Ξ· β’res res Ξ· β"
and lossless_res [plossless_intro]: "βΞ·. lossless βΉ lossless_resource (β_res Ξ·) (res Ξ·)"
shows "constructive_security (λη. parallel_resource1_wiring β³ res Ξ· β₯ real_resource Ξ·)
(λη. parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·) sim
β_real β_ideal (λη. β_res Ξ· ββ©β β_common Ξ·) bound lossless w"
proof
fix π :: "security β ('a + 'g + 'e, 'b + 'h + 'f) distinguisher"
assume WT [WT_intro]: "β_real Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·) β’g π Ξ· β" for Ξ·
assume bound [interaction_bound]: "interaction_any_bounded_by (π Ξ·) (bound Ξ·)" for Ξ·
assume lossless [plossless_intro]: "lossless βΉ plossless_gpv (β_real Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·)) (π Ξ·)" for Ξ·
let ?π = "λη. absorb (π Ξ·) (swap_lassocr β parallel_converter (converter_of_resource (res Ξ·)) 1β©C)"
have ideal:
"connect (π Ξ·) (sim Ξ· |β©= 1β©C β³ parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·) =
connect (?π Ξ·) (sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·)" for Ξ·
proof -
have[intro]: "β_uniform (outs_β (β_real Ξ·) <+> outs_β (β_res Ξ·) <+> outs_β (β_common Ξ·))
UNIV,β_ideal Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·) β’β©C sim Ξ· |β©= 1β©C βΌ sim Ξ· |β©= 1β©C |β©= 1β©C "
by(rule eq_β_converter_mono) (auto simp add: le_β_def intro!:
WT_intro parallel_converter2_id_id[symmetric] parallel_converter2_eq_β_cong eq_β_converter_reflI)
have *: "outs_β (β_real Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·)) β’β©R (sim Ξ· |β©= 1β©C) β parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ· βΌ
swap_lassocr β (converter_of_resource (res Ξ·) |β©β 1β©C) β³ sim Ξ· |β©= 1β©C β³ ideal_resource Ξ·"
by (rule eq_resource_on_trans[where res'="(sim Ξ· |β©= 1β©C |β©= 1β©C) β parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·"],
rule eq_β_attach_on, (rule WT_intro)+, rule eq_β_comp_cong)
(auto simp add: parallel_resource1_wiring_def comp_swap_lassocr attach_compose attach_parallel2
attach_converter_of_resource_conv_parallel_resource intro!: WT_intro eq_β_converter_reflI)
show ?thesis
unfolding distinguish_attach[symmetric] using WT
by(rule connect_eq_resource_cong, subst attach_compose[symmetric])
(intro *, (rule WT_intro)+)
qed
have real:
"connect (π Ξ·) (parallel_resource1_wiring β³ res Ξ· β₯ real_resource Ξ·) =
connect (?π Ξ·) (real_resource Ξ·)" for Ξ·
unfolding distinguish_attach[symmetric]
by(simp add: attach_compose attach_converter_of_resource_conv_parallel_resource parallel_resource1_wiring_def)
have "β_real Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
moreover have "interaction_any_bounded_by (?π Ξ·) (bound Ξ·)" for Ξ·
by interaction_bound_converter simp
moreover have "plossless_gpv (β_real Ξ· ββ©β β_common Ξ·) (?π Ξ·)" if lossless for Ξ·
by(rule plossless_intro WT_intro | simp add: that)+
ultimately show "negligible (λη. advantage (π Ξ·) (sim Ξ· |β©= 1β©C β³
parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·)
(parallel_resource1_wiring β³ res Ξ· β₯ real_resource Ξ·))"
unfolding advantage_def ideal real by(rule adv[unfolded advantage_def])
next
from correct obtain cnv
where correct': "βπ. β¦ βΞ·. β_ideal Ξ· ββ©β β_common Ξ· β’g π Ξ· β;
βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·);
βΞ·. lossless βΉ plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (π Ξ·) β§
βΉ (βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
by blast
show "βcnv. βπ. (βΞ·. β_ideal Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·) β’g π Ξ· β) βΆ
(βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·)) βΆ
(βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·)) (π Ξ·)) βΆ
(βΞ·. wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)) β§
negligible (λη. advantage (π Ξ·) (parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·)
(cnv Ξ· |β©= 1β©C β³ parallel_resource1_wiring β³ res Ξ· β₯ real_resource Ξ·))"
proof(intro exI conjI strip)
fix π :: "security β ('c + 'g + 'e, 'd + 'h + 'f) distinguisher"
assume WT_D [rule_format, WT_intro]: "βΞ·. β_ideal Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·) β’g π Ξ· β"
and bound [rule_format, interaction_bound]: "βΞ·. interaction_any_bounded_by (π Ξ·) (bound Ξ·)"
and lossless [rule_format, plossless_intro]: "βΞ·. lossless βΆ plossless_gpv (β_ideal Ξ· ββ©β (β_res Ξ· ββ©β β_common Ξ·)) (π Ξ·)"
let ?π = "λη. absorb (π Ξ·) (swap_lassocr β parallel_converter (converter_of_resource (res Ξ·)) 1β©C)"
have WT': "β_ideal Ξ· ββ©β β_common Ξ· β’g ?π Ξ· β" for Ξ· by(rule WT_intro)+
have bound': "interaction_any_bounded_by (?π Ξ·) (bound Ξ·)" for Ξ· by interaction_bound simp
have lossless': "plossless_gpv (β_ideal Ξ· ββ©β β_common Ξ·) (?π Ξ·)" if lossless for Ξ·
by(rule plossless_intro WT_intro that)+
from correct'[OF WT' bound' lossless']
have w: "wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)"
and adv: "negligible (λη. advantage (?π Ξ·) (ideal_resource Ξ·) (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
for Ξ· by auto
show "wiring (β_ideal Ξ·) (β_real Ξ·) (cnv Ξ·) (w Ξ·)" for Ξ· by(rule w)
from w have [WT_intro]: "β_ideal Ξ·, β_real Ξ· β’β©C cnv Ξ· β" for Ξ· by cases
have "connect (π Ξ·) (swap_lassocr β³ res Ξ· β₯ (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·)) =
connect (π Ξ·) (cnv Ξ· |β©= 1β©C β³ swap_lassocr β³ res Ξ· β₯ real_resource Ξ·)" for Ξ·
proof -
have "connect (π Ξ·) (cnv Ξ· |β©= 1β©C β³ swap_lassocr β³ res Ξ· β₯ real_resource Ξ·) =
connect (π Ξ·) (cnv Ξ· |β©= 1β©C |β©= 1β©C β³ swap_lassocr β³ res Ξ· β₯ real_resource Ξ·)"
by(rule connect_eq_resource_cong[OF WT_D])
(rule eq_β_attach_on' WT_intro parallel_converter2_eq_β_cong eq_β_converter_reflI parallel_converter2_id_id[symmetric] | simp)+
also have "β¦ = connect (π Ξ·) (swap_lassocr β³ res Ξ· β₯ (cnv Ξ· |β©= 1β©C β³ real_resource Ξ·))"
by(simp add: comp_swap_lassocr' attach_compose attach_parallel2)
finally show ?thesis by simp
qed
with adv show "negligible (λη. advantage (π Ξ·) (parallel_resource1_wiring β³ res Ξ· β₯ ideal_resource Ξ·)
(cnv Ξ· |β©= 1β©C β³ parallel_resource1_wiring β³ res Ξ· β₯ real_resource Ξ·))"
by(simp add: advantage_def distinguish_attach[symmetric] attach_compose attach_converter_of_resource_conv_parallel_resource parallel_resource1_wiring_def)
qed
qed(rule WT_intro)+
end