feat(MacFromPRF): deterministic MAC from PRF is UF-CMA secure (Boneh-Shoup Thm 6.2)

[astefano]

This PR formalizes Theorem 6.2 from Boneh-Shoup: a deterministic MAC constructed from a secure PRF is UF-CMA secure, with an explicit advantage bound. It adds VCVio/CryptoFoundations/MacFromPRF.lean (PRF-to-MAC bridge, reduction adversary, and the security theorem prfMac_ufcma_advantage_le). It also adds a small helper (logCache_subset_queryLog) in VCVio/OracleComp/QueryTracking/Structures.lean.

closes #408

Made with Cursor

[github-actions]

🤖 PR Summary

Mathematical Formalization

• Boneh-Shoup Theorem 6.2: Formalization of the PRF-to-MAC construction and proof of UF-CMA security.
• prfMac_ufcma_advantage_le: Theorem providing a concrete advantage bound for the security reduction.
• Proof of perfect completeness for the PRF-to-MAC construction.
• Implementation is complete with no sorry or admit placeholders.

Infrastructure and Utility

• Added logCache_subset_queryLog helper in QueryTracking/Structures.lean.
• Added wasQueried_cons_self and wasQueried_cons_of_ne lemmas for reasoning about QueryLog state transitions.

---

Statistics

Metric	Count
📝 Files Changed	3
✅ Lines Added	469
❌ Lines Removed	0

---

Lean Declarations

✏️ **Added:** 16 declaration(s)

• def toMacAlg [DecidableEq R] (prf : PRFScheme K D R) : MacAlg ProbComp D K R where in VCVio/CryptoFoundations/MacFromPRF.lean
• noncomputable def macToPRFReduction (prf : PRFScheme K D R) in VCVio/CryptoFoundations/MacFromPRF.lean
• private theorem simulateQ_prfReal_macToPRFQueryImpl_run in VCVio/CryptoFoundations/MacFromPRF.lean
• theorem prfIdealExp_macToPRFReduction_le [Nonempty R] [SampleableType R] [Fintype R] in VCVio/CryptoFoundations/MacFromPRF.lean
• theorem prfRealExp_macToPRFReduction_eq_UF_CMA_Exp (prf : PRFScheme K D R) in VCVio/CryptoFoundations/MacFromPRF.lean
• private theorem log_cache_invariant_aux [SampleableType R] in VCVio/CryptoFoundations/MacFromPRF.lean
• private def prfFuncQuery (msg : D) : in VCVio/CryptoFoundations/MacFromPRF.lean
• private def ufCmaImpl (prf : PRFScheme K D R) (k : K) : in VCVio/CryptoFoundations/MacFromPRF.lean
• noncomputable def macToPRFQueryImpl : in VCVio/CryptoFoundations/MacFromPRF.lean
• lemma wasQueried_cons_self [spec.DecidableEq] {t : spec.Domain} {u : spec.Range t} in VCVio/OracleComp/QueryTracking/Structures.lean
• private theorem prfRealExp_macToPRFReduction_eq_body (prf : PRFScheme K D R) in VCVio/CryptoFoundations/MacFromPRF.lean
• lemma wasQueried_cons_of_ne [spec.DecidableEq] {t t' : spec.Domain} in VCVio/OracleComp/QueryTracking/Structures.lean
• private theorem prfIdealExp_macToPRFReduction_eq_ideal_body [SampleableType R] in VCVio/CryptoFoundations/MacFromPRF.lean
• theorem prf_implies_uf_cma [Nonempty R] [SampleableType R] [Fintype R] in VCVio/CryptoFoundations/MacFromPRF.lean
• private theorem log_cache_invariant [SampleableType R] in VCVio/CryptoFoundations/MacFromPRF.lean
• theorem toMacAlg_perfectlyComplete [DecidableEq R] (prf : PRFScheme K D R) : in VCVio/CryptoFoundations/MacFromPRF.lean

---

sorry Tracking

• No sorrys were added, removed, or affected.

---

📋 **Additional Analysis**

No findings.

---

📄 **Per-File Summaries**

• VCVio.lean: This change updates the top-level VCVio.lean file to include the MacFromPRF module, integrating foundations for Message Authentication Codes derived from Pseudorandom Functions into the library. No new definitions, theorems, or sorry placeholders are added directly to this file.
• VCVio/CryptoFoundations/MacFromPRF.lean: This file formalizes the standard construction of a deterministic Message Authentication Code (MAC) from a Pseudorandom Function (PRF). It introduces new definitions and theorems to prove the construction's perfect completeness and establishes a security reduction (Boneh-Shoup Theorem 6.2) showing that PRF security implies UF-CMA security without any sorry placeholders.
• VCVio/OracleComp/QueryTracking/Structures.lean: This update introduces two new theorems, wasQueried_cons_self and wasQueried_cons_of_ne, which formalize the behavior of the wasQueried predicate when prepending queries to a QueryLog. These lemmas provide necessary tools for reasoning about query tracking state transitions and do not contain any sorry placeholders.

---

Last updated: 2026-05-28 06:32 UTC.

[dtumad]

These two lemmas can probably be marked @[simp].