A Lean 4 formalization of the Dolev-Yao attacker model for symbolic cryptographic protocols, built on Mathlib.
Theorem (DolevYao.nonce_secret). A Dolev-Yao attacker who observes
both messages of a symmetric-key challenge-response protocol — but does not
possess the shared key — cannot derive the nonce. Encryption without the
key is opaque.
The formalization also includes:
DolevYao.Derivable— the attacker capability relation, combining Paulson'sanalz(decomposition) andsynth(construction) into a single inductive definitionDolevYao.guarded— a semantic invariant: a term is guarded when every occurrence of the secret and key sits inside an encryption layerDolevYao.guarded_of_derivable— the invariant preservation theorem: derivability cannot break through encryption without the key
All proofs are constructive (no Classical.choice or Decidable.em) and
compile with zero sorrys.
A minimal two-message challenge-response between Alice and Bob sharing a
symmetric key kAB:
Message 1: Alice → Bob: enc ⟨nA, Alice⟩ kAB
Message 2: Bob → Alice: enc nA kAB
Alice generates a fresh nonce nA, pairs it with her identity, encrypts
with the shared key, and sends. Bob decrypts, extracts the nonce, and
echoes it back encrypted.
The secrecy proof uses a semantic invariant rather than direct inversion
on the derivation. We define a predicate guarded secret key t meaning
"every occurrence of secret and key in t is sealed inside an
enc _ key layer." Then:
- Both protocol messages are guarded (each is encrypted under
kAB). - The key
kABis not guarded — it would needkAB ≠ kAB. - Every Dolev-Yao rule preserves guardedness. The critical case is
decryption: to decrypt
enc m kAB, the attacker needskAB, butkABis not guarded, so it cannot itself be derived from any guarded set. - The nonce
nAis not guarded — it would neednA ≠ nA. - Therefore
nAis not derivable.
This is analogous to Paulson's closure argument with analz/synth, but
packaged as a single preservation lemma over our combined Derivable
relation.
| File | Contents |
|---|---|
DolevYao/Terms.lean |
Term inductive type (atoms, pairs, symmetric encryption) |
DolevYao/Derivable.lean |
Derivable relation, guarded invariant, guarded_of_derivable |
DolevYao/Protocol.lean |
Protocol constants, nonce_secret theorem |
DolevYao.lean |
Root import |
TUTORIAL.md |
Annotated walkthrough of every definition and proof |
Requires elan.
lake update # resolve dependencies
lake exe cache get # download pre-built Mathlib (saves hours)
lake build # compile — should finish in seconds-
D. Dolev, A. C. Yao, On the Security of Public Key Protocols (IEEE Trans. Information Theory, 1983). The original model. Section 2's formalization of attacker capabilities as closure rules is the direct ancestor of our
Derivablerelation. -
L. C. Paulson, The Inductive Approach to Verifying Cryptographic Protocols (J. Computer Security, 1998). The closest existing mechanization (Isabelle/HOL). His
analzandsynthsets split the attacker into decomposition and construction phases; we combine them into one relation and use a semantic invariant (guarded) instead of a closure characterization. -
B. Blanchet, Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif (Foundations and Trends in Privacy and Security, 2016). Section 2 gives a clean modern presentation of symbolic terms and attacker rules that maps well to an inductive Lean definition.
-
Mathlib4. Provides the
Finsetinfrastructure used for the attacker's knowledge set.