CryptHOL: Game-Based Proofs in Higher-Order Logic

Abstract

Game-based proofs are a well-established paradigm for structuring security arguments and simplifying their understanding. We present a novel framework, CryptHOL, for rigorous game-based proofs that is supported by mechanical theorem proving. CryptHOL is based on a new semantic domain with an associated functional programming language for expressing games. We embed our framework in the Isabelle/HOL theorem prover and, using the theory of relational parametricity, we tailor Isabelle’s existing proof automation to game-based proofs. By basing our framework on a conservative extension of higher-order logic and providing automation support, the resulting proofs are trustworthy and comprehensible, and the framework is extensible and widely applicable. We evaluate our framework by formalising different game-based proofs from the literature and comparing the results with existing formal-methods tools.

Appendices

Appendix A Further Background

This appendix provides further background to make the paper more accessible to cryptographers missing background in languages and logic. It is intended to enable them to convince themselves that cryptographic formalisations using CryptHOL have the indented meaning.

1.1 A.1 Justifying Recursive Function Definitions

Recursive function definitions must be justified to avoid inconsistencies. For example, the recursive specification for a function \({\textsf {bad}} \mathrel {:}\mathbbm {1}\mathbin {\Rightarrow }\mathbb {N}\) must not be admitted. If it were, we could derive , a contradiction. So, the justification must prove that the recursion equation has a solution.

The recursive definitions in this paper are justified using three principles: well-founded recursion, least fixpoints, and primitive corecursion. Each definition principle yields a corresponding proof principle.

For well-founded recursion, the specification must be accompanied by a proof that the recursion terminates. Then, there is always a solution. Proofs about functions defined by well-founded recursion proceed by well-founded induction. In Isabelle/HOL, the \(\mathbf{function }\) package [39] is based on well-founded recursion.

For least fixpoints, a recursive specification \(f(x) \equiv \ldots f(\ldots ) \ldots x \ldots \) of a function \(f \mathrel {:}\tau _1 \mathbin {\Rightarrow }\tau _2\) is transformed into the associated functional \(F(f,x) \equiv \ldots f(\ldots ) \ldots x \ldots \), which is not recursive. If \(f\)’s codomain \(\tau _2\) is a chain-complete partial order (i.e. there is a partial order \(\sqsubseteq \) on \(\tau _2\) in which every totally ordered subset has a least upper bound) and \(F \mathrel {:}(\tau _1 \mathbin {\Rightarrow }\tau _2) \mathbin {\Rightarrow }(\tau _1 \mathbin {\Rightarrow }\tau _2)\) is monotone, then the transfinite iteration of \(F\) starting at the least element leads to the least fixpoint of \(F\), which is taken as the definition of \(f\) [40]. Proofs about least fixpoints use fixpoint induction, i.e. the property \(P\) must hold for the least element and be preserved by the functional \(F\). Fixpoint induction also demands that \(P\) be admissible, i.e. whenever \(P\) holds for all elements of a non-empty, totally ordered subset \(A\) of \(\tau _1 \mathbin {\Rightarrow }\tau _2\), then \(P\) must also hold for the least upper bound of \(A\).

In Isabelle/HOL, the \(\mathbf{partial }\text{- }\mathbf{function }\) command [40] is built on the least fixpoint principle. For example, suppose that \({\textsf {bad}}\) had the type \(\mathbbm {1}\mathbin {\Rightarrow }\mathbb {N}^\infty \) where \(\mathbb {N}^\infty \) denotes the natural numbers extended with infinitely. The least fixpoint principle could then justify \({\textsf {bad}}\)’s definition because \(\mathbb {N}^\infty \) with the usual order is a chain-complete partial order. We would get the solution for the recursive specification. The recursive definitions in Fig. 3 are all justified by the least fixpoint principle.

Primitive corecursion is explained in Appendix A.2.

1.2 A.2 Corecursion and Coinduction

CryptHOL heavily uses coinductive definitions and proofs to handle finite and infinite objects uniformly. To make the formalisation and proofs more accessible, we briefly review the coinductive concepts that we use and compare them to their inductive counterparts using a simple example. In a nutshell, coinduction is the dual to induction.

Coinductive Datatypes. To compare inductive and coinductive definitions, consider the construction rules for binary trees with integers at the leaves:

1. (a)

   If \(n \mathrel {:}\mathbb {Z}\), then \({\textsf {Leaf}}(n)\) is a tree.

2. (b)

   If \(l\) and \(r\) are trees, then \({\textsf {Node}}(l, r)\) is a tree.

If we want to define the set \(\mathbb {T}\) of trees inductively, we say that \(\mathbb {T}\) is the smallest set that is closed under the construction rules (a) and (b). This means that every tree in \(\mathbb {T}\) is built in finitely many steps according to the above rules. Thus, \(\mathbb {T}\) contains all finite binary trees. This yields an (inductive) datatype:

Conversely, in a coinductive definition, we say that \(\overline{\mathbb {T}}\) is the largest set that is consistent with the rules (a) and (b). This means that \(\overline{\mathbb {T}}\) contains everything where we cannot rule out in finitely many steps that it was not built according to the above rules. Thus, every tree can be decomposed into either a leaf or a node with two child trees. Additionally, we identify all elements in \(\overline{\mathbb {T}}\) that cannot be distinguished by finitely many decomposition steps, i.e. bisimilar trees are considered identical. Then, \(\overline{\mathbb {T}}\) is the set of all finite and infinite binary trees. This gives a coinductive datatype (or codatatype):

Codatatypes provide a natural way to model computations. One can only observe finite parts of a computation’s behaviour, just like one can only decompose codatatypes to a finite depth. In contrast, datatypes model finite objects that can be completely analysed.

Corecursion Recursion is the primary definition principle for functions that take a datatype value as an argument, and corecursion is for functions that return a codatatype value. For example, the function \({\textsf {d}}\) below on the left computes the depth of a finite binary tree as a natural number, which is modelled as a datatype in Peano style. The function \({\textsf {max}}\) (not shown) returns the maximum of its two arguments. This recursive definition is acceptable because the recursion terminates: the subtrees \(l\) and \(r\) given to the recursive calls are strictly smaller than \({\textsf {Node}}(l, r)\) since all trees in \(\mathbb {T}\) are finite. In fact, it is even primitively recursive, because the recursive calls are on the direct arguments \(l\) and \(r\) of the constructor \({\textsf {Node}}\). In this view, \({\textsf {d}}\) destructs its argument.

On the right, \(\overline{{\textsf {d}}}\) computes the depths of trees in \(\overline{\mathbb {T}}\). As these trees may be infinite, \(\overline{{\textsf {d}}}\)’s return type is the natural numbers extended with infinity, which we model as the Peano codatatype (the infinite term \({\textsf {Suc}}({\textsf {Suc}}({\textsf {Suc}}(\ldots )))\) represents infinity). This recursive definition cannot be justified by a termination argument because the recursion does not terminate for infinite trees. Instead, corecursion on \(\mathbb {N}^\infty \) is the right definition principle. To this end, one must check that \(\overline{{\textsf {d}}}\) is productive, i.e. whenever we want to inspect \(\overline{{\textsf {d}}}\)’s output to some finite depth, \(\overline{{\textsf {d}}}\) decomposes its argument \(t \mathrel {:}\overline{\mathbb {T}}\) only to some finite depth. Here, to produce one \({\textsf {Suc}}\) constructor, \(\overline{{\textsf {d}}}\) peels off one \({\textsf {Node}}\) constructor. This definition is not primitively corecursive, because the context of the corecursive calls \(\overline{{\textsf {d}}}(l)\) and \(\overline{{\textsf {d}}}(r)\) does not consist of only one \({\textsf {Suc}}\) constructor, but also includes the \({\textsf {max}}\) function.

Coinduction. Induction requires an inductive assumption like “\(t\) is a finite tree”: If we can prove that a property \(P\) holds for all \({\textsf {Leaf}}(n)\) and is preserved by \(Node\)s, i.e. \(P\) is closed under the tree construction rules (a) and (b), then \(P\) holds for all finite trees. This proof principle is valid because \(\mathbb {T}\) is the smallest set closed under the construction rules.

In contrast, coinduction establishes a coinductive conclusion like “two trees are equal”. If we can prove that a relation \(R\) is consistent with the tree construction rules (a) and (b), then \(R\)-related trees are equal. This proof principle is valid because equality is the largest relation consistent with the construction rules (as bisimilar trees are identified).

For example, let \({\textsf {mirror}}\) be a function which swaps all left and right subtrees of all nodes in a tree. We prove \(\forall t \mathrel {:}\mathbb {T}.\ {\textsf {d}}({\textsf {mirror}}(t)) = {\textsf {d}}(t)\) by induction on the inductive assumption \(t \mathrel {:}\mathbb {T}\). Conversely, \(\forall t \mathrel {:}\overline{\mathbb {T}}.\ \overline{{\textsf {d}}}({\textsf {mirror}}(t)) = {\textsf {d}}(t)\) is proven by coinduction on the coinductive equality relation on \(\mathbb {N}^\infty \).

1.3 A.3 Relational Parametricity and Representation Independence

A function like \(\pi _1\mathrel {:}\alpha \mathbin {\times }\beta \mathbin {\Rightarrow }\alpha \) is polymorphic in a type variable \(\alpha \) if its behaviour does not depend on the actual type of the argument, i.e. the function behaves uniformly for all type instances. Reynolds [69] and Wadler [80] formalised this notion of independence using relational parametricity. They interpret the type of a function as a relation between values instead of a set of values. Type constructors without type arguments like \(\mathbb {B}\), \(\mathbb {N}\), and \(\mathbb {R}\) become the identity relation on the set of values, which we denote by \({\widetilde{\mathbb {B}}}\), \({\widetilde{\mathbb {N}}}\), and \({\widetilde{\mathbb {R}}}\), respectively. Type constructors with type arguments like \(\mathbin {\times }\) and \(\mathbin {\Rightarrow }\) become relation transformers, i.e. functions from relations to relations, which we write with a \(\widetilde{~}\) over the type constructor. For example, \((\mathbin {{\widetilde{\mathord {\mathbin {\times }}}}}) \mathrel {:}\mathbb {P}(\alpha \mathbin {\times }\alpha ') \mathbin {\Rightarrow }\mathbb {P}(\beta \mathbin {\times }\beta ') \mathbin {\Rightarrow }\mathbb {P}((\alpha \mathbin {\times }\beta ) \mathbin {\times }(\alpha ' \mathbin {\times }\beta '))\) lifts two relations component-wise to pairs. Formally, \((x, y) \mathrel {(A \mathbin {{\widetilde{\mathord {\mathbin {\times }}}}}B)} (x', y')\) iff \(x \mathrel {A} x'\) and \(y \mathrel {B} y'\). Similarly, for the function space relates two functions \(f\) and \(g\) iff they transform relatedness in \(A\) into relatedness in \(B\). Formally, iff \(f(x) \mathrel {B} g(y)\) whenever \(x \mathrel {A} y\). Now, a function is relationally parametric in a type variable \(\alpha \) iff it is related to itself in the relation that corresponds to its type where \(\alpha \) is interpreted by an arbitrary relation \(A\). For example, \(\pi _1\) being parametric in \(\alpha \) and \(\beta \) is expressed by

(18)

Note the similarity between \(\pi _1\)’s type and the relation. We list the relators for further type constructors:

• Sums\({\textsf {Left}}(x) \mathrel {(A \mathbin {{\widetilde{\mathord {\mathord {+}}}}}B)} {\textsf {Left}}(y)\) iff \(x \mathrel {A} y\), and \({\textsf {Right}}(x) \mathrel {(A \mathbin {{\widetilde{\mathord {\mathord {+}}}}}B)} {\textsf {Right}}(y)\) iff \(x \mathrel {B} y\), but \(\mathbin {{\widetilde{\mathord {\mathord {+}}}}}\) does not relate \({\textsf {Left}}(\_)\) and \({\textsf {Right}}(\_)\).

• Sets\(X \mathrel {{\widetilde{\mathbb {P}}}(R)} Y\) iff \(R[X] \subseteq Y\) and \(R^{-1}[Y] \subseteq X\).

• Maybe\({\widetilde{\mathbb {M}}}(A)\) relates \({\textsf {None}}\) to \({\textsf {None}}\), and \(\textsf {Some}(x)\) to \(\textsf {Some}(y)\) whenever \(x \mathrel {A} y\), and nothing else.

Wadler [80] proved that all functions definable in the polymorphic lambda calculus are parametric. He also demonstrated that adding polymorphic equality destroys this property. Higher-order logic has polymorphic equality \((\mathord {=})\) and description operators, so not all HOL functions are parametric. Thus, parametricity is not a free theorem in our setting; we must prove it for every constant. Fortunately, function application and function composition preserve parametricity. Hence, functions defined in terms of parametric functions are parametric too.

Wadler also showed that if all types are \(\omega \)-ccpos, all functions are continuous and all relations are admissible and strict, then the fixpoint operator (defined by countable iteration) is parametric [80]. We do not consider the fixpoint operator as part of the language itself, but as a definition principle for recursive user-specified functions. That is, we assume that \({\textsf {fix}}\) is always applied to a monotone function. Thus, preservation of parametricity (Theorem 1) suffices and we do not need Wadler’s restrictions of the semantic domains. So, monotonicity (instead of continuity as discussed in Sect. 4.2) is expressed as a precondition on the given functions.

Wadler’s free theorems express that parametric functions commute with the lift operation \(\widehat{~}\). For example, we get \(\pi _1( xy \rhd (f \mathbin {\widehat{\mathbin {\times }}}g)) = f(\pi _1( xy ))\) from (18) by instantiating \(A\) and \(B\) with the graphs of the functions \(f\) and \(g\), respectively, and by unfolding the definitions of \(\mathbin {\widehat{\mathbin {\times }}}\) and the relators. Wadler calls this a free theorem because we do not need any property of \(\pi _1\) other than (18); in particular, we do not need to unfold \(\pi _1\)’s definition. In this tiny example, it might have been easier to unfold the definition, but for complicated function definitions, proofs by parametricity are more systematic and therefore automatic.

Representation independence [60] expresses that changing the implementation of a module in a program does not affect the overall result. Mitchell uses parametricity to formalise this notion as follows. If we can find a bisimulation relation for all functions in the interface of the module being changed, and the remainder of the program is parametric in the type defined by the module, then the change does not affect the program. That is, representation independence lifts bisimilarity over contexts using parametricity. For example, consider a deterministic transducer given by its transition function \(\delta \mathrel {:}\sigma \mathbin {\Rightarrow }\alpha \mathbin {\Rightarrow }\beta \mathbin {\times }\sigma \), which, given a state \(s \mathrel {:}\sigma \) and a input letter \(x \mathrel {:}\alpha \), computes an output letter from the output alphabet \(\beta \) and the successor state. This is the interface of the module. The recursive function \({\textsf {run}}_{\delta }\) given below computes a run of the transducer with transition function \(\delta \) from state \(s\) on the input word \(w \mathrel {:}\mathbb {L}(\alpha )\).

$$\begin{aligned} {\textsf {run}}_{\delta }(s, [\,]) \equiv [\,] \qquad \qquad {\textsf {run}}_{\delta }(s, x\cdot w) \equiv {{\textsf {let}}}\ (y, s') = \delta (s, x)\ {\textsf {in}}y \cdot {\textsf {run}}_{\delta }(s', w) . \end{aligned}$$

This is the context of the transducer module. Note that \({\textsf {run}}_{}\) is parametric in the state space, i.e.

for all \(S\). Now, representation independence says that we can replace the transducer \(\delta _1\) by a bisimilar one \(\delta _2\) (and the initial state \(s_1\) by \(s_2\)) without changing the overall result. Here, bisimilarity means that we find a bisimulation relation \(S\) between the states of the two transducers, i.e. (i) \(S\) relates the initial states \(s_1\) and \(s_2\), and (ii) whenever \(S\) relates two states \(s_1\) and \(s_2\) and for all inputs \(x\), the transition functions \(\delta (s_1, x)\) and \(\delta (s_2, x)\) return the same output and successor states which \(S\) relates. As parametricity is compositional, this result scales to arbitrarily large contexts, not just a small function like \({\textsf {run}}_{}\).

In Isabelle, the transfer package [34] implements representation independence as a proof engine. That is, having proven bisimilarity of two particular transition functions, a single invocation of this engine lifts the bisimilarity property over arbitrarily large contexts.

B Proofs

1.1 B.1 Subprobabilities are a CCPO

Proof of Proposition 1

We have to show that \(\mathrel \sqsubseteq \) is a partial order and that \(\bigsqcup {Y}\) is well defined and the least upper bound for every chain \(Y\), i.e. every set of spmfs all of whose elements are comparable in \(\mathrel \sqsubseteq \). The difficult part is to show that \(\bigsqcup {Y}\) is well defined. In particular, we must show that the support of \(\bigsqcup Y\) is countable even if \(Y\) is uncountable. Then, it is not hard to see that \(\bigsqcup {Y}\) sums up to at most 1.

Clearly, we have \({\textsf {support}}\left( \bigsqcup Y\right) = \cup _{p \in Y} {\textsf {support}}(p)\). Yet, the union of an uncountable sequence of increasing countable sets need not be countable in general. In the following, we show that even for uncountable chains \(Y\) of spmfs, the union of the supports remains countable. To this end, we identify a countable sub-sequence of \(Y\) whose lub has the same support. The key idea is that for \(\mathrel \sqsubseteq \)-comparable spmfs \(p\) and \(q\), the order can be decided by looking only at the assigned probability masses, namely \(p \mathrel \sqsubseteq q\) iff \(\Vert p\Vert \le \Vert q\Vert \). So suppose without loss of generality that \(Y\) does not contain a maximal element (otherwise, the lub is the maximal element and we are done). The set of assigned probability masses \(A = \{\,\Vert p\Vert \mid p \in Y\,\}\) has a supremum \(r \le 1\), as \(1\) bounds the set from above. The closure of \(A\) contains the supremum \(r\), so \(A\) must contain a countable increasing sequence which converges to \(r\). This sequence gives rise to a countable sub-sequence \(Z\) of \(Y\), for which we show \((\cup _{p \in Y} {\textsf {support}}(p)) \subseteq (\cup _{q \in Z} {\textsf {support}}(q))\). For any \(p \in Y\), there is a \(q \in Z\) such that \(\Vert p\Vert \le \Vert q\Vert \), as the assigned probability masses in \(Z\) converge to \(r\) from below and \(p\) is not maximal. Hence, \(p \mathrel \sqsubseteq q\) as \(p\) and \(q\) are related in \(\mathrel \sqsubseteq \), and therefore \({\textsf {support}}(p) \subseteq {\textsf {support}}(q)\) as \({\textsf {support}}\) is monotone. \(\square \)

The attentive reader might wonder why we need transfinite iteration for the fixpoint despite having shown that uncountable chains can be reduced to countable ones for the purpose of lubs. Countable fixpoint iteration, which defines the least fixpoint as \(\bigsqcup \{\,f^i(\mathord {\bot }) \mid i \in \mathbb {N}\,\}\), does not suffice. (Here, function iteration is defined by \(f^0 = {\textsf {id}}\) and \(f^{n+1} = f \circ f^n\).) The reason is that the chain \(\{\,f^i(\mathord {\bot }) \mid i \in \mathbb {N}\,\}\) might stop before the least fixpoint is reached. Consider, e.g. the monotone spmf transformer \(f \mathrel {:}\mathbb {D}(\mathbbm {1}) \mathbin {\Rightarrow }\mathbb {D}(\mathbbm {1})\) given by

$$\begin{aligned} f(p) {!}x = {\textsf {if}}\ p {!}x < \tfrac{1}{2}\ {\textsf {then}}\ \tfrac{2 \cdot p {!}x + 1}{4}\ {\textsf {else}}\ 1 . \end{aligned}$$

The countable iteration of \(f\) starting at \(\mathord {\bot }\) yields a sequence of spmfs which assign to the masses \(0\), \(\frac{1}{4}\), \(\frac{3}{8}\), \(\frac{7}{16}\), \(\frac{15}{32}\), ... The least upper bound of this sequence assigns \(\frac{1}{2}\) to . That is, the iteration has not yet reached \(f\)’s fixed point, which assigns the mass \(1\) to . This is because \(f\) is not (chain) continuous, i.e. it does not preserve lubs.

1.2 B.2 Fixpoints Preserve Parametricity

A relation \(R \mathrel {:}\mathbb {P}(A \mathbin {\times }B)\) is admissible w.r.t. two ccpos iff for any chain \(Y \subseteq R\) of pairs in the product ccpo (the ordering is component-wise), \(R\) relates the component-wise lubs of \(Y\).

Proof of Theorem 1

We prove Theorem 1 by parallel induction on the two fixpoints. Both inductive cases are trivial. The base case requires \({\widetilde{\mathbb {D}}}(R)\) to be strict, i.e. it relates the least elements, which holds trivially. The step case is precisely the relatedness condition of \(f\) and \(g\), which the theorem assumes. Parallel fixpoint induction is a valid proof principle because \({\widetilde{\mathbb {D}}}(R)\) is admissible by Proposition 4. \(\square \)

Proposition 4

\({\widetilde{\mathbb {D}}}(\_)\) is admissible.

Proof

We exploit the characterisation of \({\widetilde{\mathbb {D}}}\) in terms of . We must show \((\bigsqcup {(Y \rhd ^{\widehat{\mathbb {P}}} \pi _1)}) \mathrel {{\widetilde{\mathbb {D}}}(R)} (\bigsqcup {(Y \rhd ^{\widehat{\mathbb {P}}} \pi _2)})\) for all chains \(Y\) of pairs in \({\widetilde{\mathbb {D}}}(R)\). By the characterisation of \({\widetilde{\mathbb {D}}}\) (Lemma 1), this holds as follows: The first and last steps exploit that the lub commutes with , and the inequality follows from monotonicity of \({\textsf {SUP}}\) and the characterisation of \({\widetilde{\mathbb {D}}}\) for elements of the chain.

\(\square \)

Note that it is not clear how to prove admissibility via the characterisation in terms of couplings. The problem is that the couplings for the pairs in the chain need not form a chain themselves. So we cannot construct the coupling for the lubs as the lub of the couplings.

Admissibility of relators is preserved by the function space (ordered point-wise) and products (ordered component-wise).

C Guide for CryptHOL source syntax

The notation in this article is intended to make the presentation easy to follow. The CryptHOL source code and examples in the Archive of Formal Proofs [49, 53] use a somewhat different notation that follows Isabelle/HOL conventions. To help the reader to navigate the sources, this appendix relates the different notations.

Type constructors are written as a single letter in blackboard style in this article, whereas they are spelled out in words in the sources. Table 2 lists the correspondences. The notation for infix type constructors (products \(\mathbin {\times }\), sums \(\mathbin {+}\), and function space \(\mathbin {\Rightarrow }\)) remains the same. Moreover, type constructors are written in postfix in Isabelle and type variables start with a prime \({}'\), and type annotations use a double colon \(\mathbin {::}\) instead of a single colon \(\mathrel {:}\). For example, what is written \(p \mathrel {:}\mathbb {D}(\mathbb {L}(\alpha ) \mathbin {\times }\beta )\) in this article becomes \(p \mathbin {::} ({}'\!\alpha \ {\textsf {list}} \mathbin {\times }{}'\beta )\ {\textsf {spmf}}\) in the sources.

Table 2 Notation for type constructors in this article and in the sources. The type constructor \({\textsf {spmf}}\) abbreviates \({\textsf {option}}\ {\textsf {pmf}}\) in Isabelle/HOL

Function application is written without parentheses in Isabelle, but compound arguments must be parenthesised. Forward function application is rarely used. For example, \(f( arg _1, arg _2, g(x, y), arg _4) \rhd h\ z\) becomes \(h\ z\ (f\ arg _1\ arg _2\ (g\ x\ y)\ arg _4)\). Indices and function parameters in superscripts become ordinary function arguments, too. For instance, \(\mathcal {O}_{{\textsf {enc}}}^{k, b}(L, (m_1, m_0))\) in Sect. 6.1 is a HOL function applied to four arguments: \({\textsf {oracle\text{- }encrypt}}\ k\ b\ L\ (m_1, m_0)\), namely a key \(k\), a bit \(b\), a storage \(L\), and a pair of messages \((m_1, m_0)\). In this article, we have moved the first two into superscripts to indicate that they are actually function parameters. Relations are modelled as binary predicates, i.e. functions of type \(\alpha \mathbin {\Rightarrow }\beta \mathbin {\Rightarrow }\mathbb {B}\), rather than sets of pairs, and are usually written prefix instead of infix.

Table 3 Notation comparison for functions in this article and the CryptHOL sources

Table 4 File names for the sources for the examples in this article

Locale instantiation in Isabelle marks the name prefix with a single colon  :  instead of \(\equiv \) and locale parameters are not parenthesised, like for functions. For example, \( \mathbf{sublocale }\ {\textsf {concrete}} \equiv {\textsf {ELGAMAL}}(\mathcal {G}(\eta ))\ \mathbf{for }\ \eta \) from Fig. 2 is actually written as \( \mathbf{sublocale }\ {\textsf {concrete}}:{\textsf {ELGAMAL}}\ \text {``}\mathcal {G}\ \eta \text {''}\ \mathbf{for }\ \eta \).

Lifting of functions and relations over type constructors is expressed as ordinary HOL functions with the following naming convention. A function \({\textsf {map}}\text{- }\tau \) lifts functions over the type constructor \(\tau \), and the operator \({\textsf {rel}}\text{- }\tau \) does so for relations. For example, \(\widehat{\mathbb {D}}(f)\) and \({\widetilde{\mathbb {D}}}(R)\) are written as \({\textsf {map}}\text{- }{\textsf {spmf}}\ f\) and \({\textsf {rel}}\text{- }{\textsf {spmf}}\ R\), respectively. The exception are lists with \({\textsf {map}}\) and \({\textsf {list}}\text{- }{\textsf {all2}}\), pairs with \({\textsf {map}}\text{- }{\textsf {prod}}\) and \({\textsf {rel}}\text{- }{\textsf {prod}}\), sums with \({\textsf {map}}\text{- }{\textsf {sum}}\) and \({\textsf {rel}}\text{- }{\textsf {sum}}\), and functions with \((\mathbin {\mathord {-}\mathord {-}\mathord {-}\mathord {>}})\) and \((\mathbin {\mathord {=}\mathord {=}\mathord {=}\mathord {>}})\). For example, relational parametricity of the first projection on pairs (18) is written as \( \forall A\ B.\ ({\textsf {rel}}\text{- }{\textsf {prod}}\ A\ B \mathbin {\mathord {=}\mathord {=}\mathord {=}\mathord {>}} A)\ {\textsf {fst}}\ {\textsf {fst}} \), where \({\textsf {fst}}\) is Isabelle’s notation for \(\pi _1\).

Some functions have different names and notation in the CryptHOL sources. Table 3 lists the most important differences. Changes in capitalisation and for definitions in the examples and case studies are not shown. Table 4 lists the files where the examples can be found in the sources.