[ml-kem] improve auditability of Lean proof#190
The idea is to reduce the trust that needs to be put into the lift operations. There are now several theorems that essentially state that lift behaves as expected. Additionally, the top level theorems now don't rely on lift in their post-conditions, but explicitly compare the outputs of the spec and impl.
There are really two issues that you are trying to mitigate here: 1. We need to trust that the definitions of the
Regarding 1, the intention was to have theorems about lift that would be easier to understand than the definitions of the functions. I agree that this did not succeed and the theorems are actually more complicated. Regarding 2, if I understand correctly, the impl result should be in [-q/2, q/2] (i.e. [-1664, 1664]) if the impl is correct, as it works on the "Barrett representative" of x mod q. By adding q if negative, we should get the actual value mod q that is computed by the spec. Currently, all theorems only state that the impl values satisfy So I guess, no, there are not two possible correct values for the impl to return as I understand it. But this isn't captured by the proof. Thinking about it, it seems what I actually want is to prove that the impl values stay in
If there is really only one possible value that the impl could return, then the theorem statement in this PR seems overly complicated (and probably doesn't even capture it fully). I see two options that seem reasonable:
We need to find out whether there is really only one possible output. I believe at least some variants of Barrett do not guarantee that.
I just talked to @karthikbhargavan, and he says that the implementation may be off by Q, which is why he wrote the main theorem as stated.
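To make the point of this thread concrete, here is an added example (not code from this PR or from the ML-KEM proof; both reducers, the bounds and the lift are constructed for illustration). It contrasts the "lift(impl) = spec" post-condition, with lift adding q if negative, against a "congruent mod q plus range bound" post-condition, and shows that only the latter holds for a Barrett variant whose output can be off by q.

```python
Q = 3329  # ML-KEM modulus

def spec_reduce(x: int) -> int:
    """Spec side: the canonical representative of x mod q, in [0, q)."""
    return x % Q

def impl_centered(x: int) -> int:
    """Constructed impl: signed Barrett reduction in the style of the Kyber
    reference code. For |x| < 2**15 the output lies in [-1664, 1664]."""
    v = ((1 << 26) + Q // 2) // Q  # 20159, approx. 2**26 / q
    t = (v * x + (1 << 25)) >> 26  # round(x / q); ties cannot occur for these x
    return x - t * Q

def impl_loose(x: int) -> int:
    """Constructed impl: unsigned Barrett estimate with the final conditional
    subtraction left out. For 0 <= x < 2**16 the output lies in [0, 2q), so it
    can be the spec value plus q (for instance impl_loose(q) == q)."""
    m = (1 << 24) // Q  # 5039, approx. 2**24 / q
    t = (x * m) >> 24  # floor(x / q) or one less
    return x - t * Q

def lift(r: int) -> int:
    """The 'add q if negative' lift proposed in the thread."""
    return r + Q if r < 0 else r

def post_lift(impl, x: int) -> bool:
    """Post-condition A: lift (impl x) = spec x."""
    return lift(impl(x)) == spec_reduce(x)

def post_congruent(impl, x: int, bound: int) -> bool:
    """Post-condition B: impl x = spec x (mod q) and |impl x| <= bound."""
    r = impl(x)
    return (r - spec_reduce(x)) % Q == 0 and abs(r) <= bound

def count_failures(impl, xs, bound: int) -> tuple[int, int]:
    """Exhaustively check both post-conditions over xs; return (#A fails, #B fails)."""
    a = sum(not post_lift(impl, x) for x in xs)
    b = sum(not post_congruent(impl, x, bound) for x in xs)
    return a, b

def candidates(residue: int, bound: int) -> list[int]:
    """All r with |r| <= bound and r = residue (mod q). There is exactly one
    when bound < q/2, which is when post-condition B pins down a single value."""
    return [r for r in range(-bound, bound + 1) if (r - residue) % Q == 0]
```

For the centered reducer both post-conditions hold on every 16-bit input, while for the loose reducer only the congruence-plus-bound form holds, which is the shape of theorem needed when the implementation is only known to be off by at most q.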
In this PR, I tried to improve the auditability of the top-level theorems of the ML-KEM proof with the help of claude to address my review comment on #171.
I'm not sure whether I succeeded with this and if this is actually better.
@abentkamp what are your thoughts on this?