opaque-lattice/proofs

Formal Security Proofs for NTRU-LWR-OPRF

Verified with Scryer Prolog.

Files

File	Description
ntru_lwr_oprf.pl	Main security proofs: correctness, obliviousness, key recovery hardness
noise_analysis.pl	Quantitative noise bounds and LWR correctness analysis
security_model.pl	Formal adversarial model and composition theorem
hash_sensitivity.pl	Analysis of why fresh random breaks correctness

Running the Proofs

# Install Scryer Prolog
cargo install scryer-prolog

# Run all proofs
scryer-prolog ntru_lwr_oprf.pl
scryer-prolog noise_analysis.pl
scryer-prolog security_model.pl
scryer-prolog hash_sensitivity.pl

Key Results

Proved Properties

Property	Status	Proof
Correctness	✅	Same password → same output (with deterministic blinding)
Obliviousness	✅	Server cannot learn password from (C, r_pk)
Key Recovery Hard	✅	Reduces to Ring-LWE problem
Pseudorandomness	✅	Output indistinguishable from random
Protocol Unlinkability	✅	AKE wrapper hides linkable OPRF

The Fundamental Tension

UNLINKABLE ∧ CORRECT is impossible for lattice OPRFs

Proof:
  UNLINKABLE ⟹ fresh random (r,e) each session
  Fresh (r,e)  ⟹ noise η varies
  CORRECT     ⟹ round(k·s + η) must be constant
  But varying η can cross bin boundaries
  ∴ ¬CORRECT

Resolution: Accept OPRF-level linkability, achieve protocol-level
            unlinkability via Kyber AKE encryption wrapper.

Security Parameters

Parameter	Value	Security
Ring degree p	761	Prime (NTRU Prime)
Modulus q	4591	Prime, x^p-x-1 irreducible
Classical security	248 bits	Lattice reduction
Quantum security	~128 bits	Post-Grover

Composition Theorem

The full protocol composes:

1. NTRU-LWR-OPRF: Oblivious, Pseudorandom, Linkable
2. Kyber KEM: IND-CCA2 secure
3. Symmetric encryption: IND-CPA secure

Result: Protocol is Oblivious, Pseudorandom, and Unlinkable.