refactor: extract helpers, deduplicate proofs, relocate misplaced code

- Extract ENNReal Cauchy-Schwarz inequalities to ToMathlib/Data/ENNReal/SumSquares.lean
- Factor out cipherGivenMsg_uniform_of_uniformKey_of_uniqueKey in SymmEncAlg.lean,
  derive both Shannon theorems and ciphertextRowsEqualAt from it
- Remove unused perfectSecrecyAt_iff_allDefs / perfectSecrecy_iff_allDefs lemmas
- Move XOR probability lemmas to OracleComp/Constructions/BitVec.lean
- Add generic probEvent_liftComp_uniformSample_eq_of_eq helper in SeededOracle.lean,
  simplify seed-slot collision lemmas in Fork.lean
- Extract length_eq_of_mem_support_generateSeed to deduplicate repeated blocks

Net -150 lines.

Made-with: Cursor

Author: quangvdao

Examples/OneTimePad.lean

@@ -4,7 +4,7 @@ Released under Apache 2.0 license as described in the file LICENSE.
 Authors: Devon Tuma
 -/
 import VCVio.CryptoFoundations.SymmEncAlg
-import VCVio.EvalDist.BitVec
+import VCVio.OracleComp.Constructions.BitVec
 import Mathlib.Data.Vector.Zip
 
 /-!
@@ -32,73 +32,6 @@ namespace oneTimePad
 lemma complete : (oneTimePad).Complete := by
   simp [oneTimePad, SymmEncAlg.Complete, SymmEncAlg.CompleteExp]
 
-lemma probOutput_xor_uniform (sp : ℕ) (msg σ : BitVec sp) :
-    Pr[= σ | (fun k : BitVec sp => k ^^^ msg) <$> ($ᵗ BitVec sp)] =
-      (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹ := by
-  calc
-    Pr[= σ | (fun k : BitVec sp => k ^^^ msg) <$> ($ᵗ BitVec sp)] =
-        Pr[= σ | (msg ^^^ ·) <$> ($ᵗ BitVec sp)] := by
-          simp [BitVec.xor_comm]
-    _ = Pr[= msg ^^^ σ | ($ᵗ BitVec sp)] := by
-          simpa using probOutput_xor_map (mx := ($ᵗ BitVec sp)) (x := msg) (y := σ)
-    _ = (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹ := by
-          simp [probOutput_uniformSample]
-
-lemma probOutput_pair_xor_uniform (sp : ℕ) (mx : ProbComp (BitVec sp))
-    (msg σ : BitVec sp) :
-    Pr[= (msg, σ) | do
-      let msg' ← mx
-      let k ← $ᵗ BitVec sp
-      return (msg', k ^^^ msg')] =
-      Pr[= msg | mx] * (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹ := by
-  let inv : ℝ≥0∞ := (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹
-  rw [probOutput_bind_eq_tsum]
-  have hinner (msg' : BitVec sp) :
-      Pr[= (msg, σ) | do
-        let k ← $ᵗ BitVec sp
-        return (msg', k ^^^ msg')] = if msg = msg' then inv else 0 := by
-    calc
-      Pr[= (msg, σ) | do
-        let k ← $ᵗ BitVec sp
-        return (msg', k ^^^ msg')] =
-          Pr[= (msg, σ) | (msg', ·) <$> ((fun k : BitVec sp => k ^^^ msg') <$> ($ᵗ BitVec sp))] := by
-            simp
-      _ = if msg = msg' then
-          Pr[= σ | (fun k : BitVec sp => k ^^^ msg') <$> ($ᵗ BitVec sp)] else 0 := by
-            simpa using
-              (probOutput_prod_mk_snd_map
-                (my := (fun k : BitVec sp => k ^^^ msg') <$> ($ᵗ BitVec sp))
-                (x := msg') (z := (msg, σ)))
-      _ = if msg = msg' then inv else 0 := by
-            by_cases h : msg = msg' <;> simp [h, inv, probOutput_xor_uniform]
-  simp_rw [hinner]
-  calc
-    ∑' msg', Pr[= msg' | mx] * (if msg = msg' then inv else 0) =
-        ∑' msg', (Pr[= msg' | mx] * (if msg = msg' then 1 else 0)) * inv := by
-          refine tsum_congr fun msg' => ?_
-          by_cases h : msg = msg' <;> simp [h, inv, mul_comm]
-    _ = (∑' msg', Pr[= msg' | mx] * (if msg = msg' then 1 else 0)) * inv := by
-          rw [ENNReal.tsum_mul_right]
-    _ = Pr[= msg | mx] * inv := by
-          have hsum :
-              ∑' msg', Pr[= msg' | mx] * (if msg = msg' then 1 else 0) =
-                Pr[= msg | mx] := by
-            simp
-          rw [hsum]
-
-lemma probOutput_cipher_from_pair_uniform (sp : ℕ) (mx : ProbComp (BitVec sp))
-    (σ : BitVec sp) :
-    Pr[= σ | do
-      let msg' ← mx
-      let k ← $ᵗ BitVec sp
-      return (k ^^^ msg')] =
-      (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹ := by
-  rw [probOutput_bind_of_const (mx := mx)
-    (y := σ) (r := (Fintype.card (BitVec sp) : ℝ≥0∞)⁻¹)]
-  · simp
-  · intro msg hmsg
-    simpa using probOutput_xor_uniform sp msg σ
-
 lemma probOutput_cipher_uniform (sp : ℕ)
     (mgen : OracleComp oneTimePad.spec (BitVec sp)) (σ : BitVec sp) :
     Pr[= σ | oneTimePad.PerfectSecrecyCipherExp sp mgen] =

ToMathlib/Data/ENNReal/SumSquares.lean

@@ -0,0 +1,56 @@
+/-
+Copyright (c) 2026 Quang Dao. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Quang Dao
+-/
+import Mathlib.Topology.Algebra.InfiniteSum.ENNReal
+
+/-!
+# Sum-of-squares inequalities for `ℝ≥0∞`
+
+Cauchy-Schwarz-style inequalities relating sums, products, and squares over `ℝ≥0∞`.
+These are used in the forking lemma and other game-hopping arguments.
+-/
+
+open Finset ENNReal
+
+namespace ENNReal
+
+lemma two_mul_le_add_sq (a b : ℝ≥0∞) :
+    2 * a * b ≤ a ^ 2 + b ^ 2 := by
+  rcases eq_or_ne a ⊤ with rfl | ha
+  · simp [top_pow, top_add, le_top]
+  rcases eq_or_ne b ⊤ with rfl | hb
+  · simp [top_pow, add_top, le_top]
+  rw [← ENNReal.coe_toNNReal ha, ← ENNReal.coe_toNNReal hb]
+  exact_mod_cast _root_.two_mul_le_add_sq a.toNNReal b.toNNReal
+
+lemma sq_sum_le_card_mul_sum_sq {ι' : Type*}
+    (s : Finset ι') (f : ι' → ℝ≥0∞) :
+    (∑ i ∈ s, f i) ^ 2 ≤ s.card * ∑ i ∈ s, f i ^ 2 := by
+  rw [sq, Finset.sum_mul_sum]
+  suffices h : 2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j ≤ 2 * (↑s.card * ∑ i ∈ s, f i ^ 2) by
+    have h2 : (2 : ℝ≥0∞) ≠ 0 := by norm_num
+    have h2' : (2 : ℝ≥0∞) ≠ ⊤ := by norm_num
+    calc ∑ i ∈ s, ∑ j ∈ s, f i * f j
+      _ = 2⁻¹ * (2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j) := by
+          rw [← mul_assoc, ENNReal.inv_mul_cancel h2 h2', one_mul]
+      _ ≤ 2⁻¹ * (2 * (↑s.card * ∑ i ∈ s, f i ^ 2)) := by gcongr
+      _ = ↑s.card * ∑ i ∈ s, f i ^ 2 := by
+          rw [← mul_assoc, ENNReal.inv_mul_cancel h2 h2', one_mul]
+  calc 2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j
+    _ = ∑ i ∈ s, ∑ j ∈ s, 2 * (f i * f j) := by
+        rw [Finset.mul_sum]; congr 1; ext i; rw [Finset.mul_sum]
+    _ ≤ ∑ i ∈ s, ∑ j ∈ s, (f i ^ 2 + f j ^ 2) := by
+        gcongr with i _ j _
+        calc 2 * (f i * f j) = 2 * f i * f j := (mul_assoc ..).symm
+          _ ≤ f i ^ 2 + f j ^ 2 := ENNReal.two_mul_le_add_sq (f i) (f j)
+    _ = ∑ i ∈ s, (↑s.card * f i ^ 2 + ∑ j ∈ s, f j ^ 2) := by
+        congr 1; ext i
+        rw [Finset.sum_add_distrib, Finset.sum_const, nsmul_eq_mul]
+    _ = ↑s.card * ∑ i ∈ s, f i ^ 2 + ↑s.card * ∑ i ∈ s, f i ^ 2 := by
+        rw [Finset.sum_add_distrib, Finset.mul_sum, Finset.sum_const, nsmul_eq_mul,
+          Finset.mul_sum]
+    _ = 2 * (↑s.card * ∑ i ∈ s, f i ^ 2) := by rw [← two_mul]
+
+end ENNReal

VCVio/CryptoFoundations/Fork.lean

@@ -7,6 +7,7 @@ import VCVio.CryptoFoundations.SecExp
 import VCVio.OracleComp.QueryTracking.SeededOracle
 import VCVio.OracleComp.QueryTracking.LoggingOracle
 import VCVio.OracleComp.Coercions.Add
+import ToMathlib.Data.ENNReal.SumSquares
 
 /-!
 # Forking Lemma
@@ -26,45 +27,6 @@ then re-samples one oracle response, bounding the probability that both runs suc
 
 open OracleSpec OracleComp ENNReal Function Finset
 
-/-! ### ENNReal Cauchy-Schwarz inequality -/
-
-private lemma ENNReal.two_mul_le_add_sq (a b : ℝ≥0∞) :
-    2 * a * b ≤ a ^ 2 + b ^ 2 := by
-  rcases eq_or_ne a ⊤ with rfl | ha
-  · simp [top_pow, top_add, le_top]
-  rcases eq_or_ne b ⊤ with rfl | hb
-  · simp [top_pow, add_top, le_top]
-  rw [← ENNReal.coe_toNNReal ha, ← ENNReal.coe_toNNReal hb]
-  exact_mod_cast _root_.two_mul_le_add_sq a.toNNReal b.toNNReal
-
-private lemma ENNReal.sq_sum_le_card_mul_sum_sq {ι' : Type*}
-    (s : Finset ι') (f : ι' → ℝ≥0∞) :
-    (∑ i ∈ s, f i) ^ 2 ≤ s.card * ∑ i ∈ s, f i ^ 2 := by
-  rw [sq, Finset.sum_mul_sum]
-  suffices h : 2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j ≤ 2 * (↑s.card * ∑ i ∈ s, f i ^ 2) by
-    have h2 : (2 : ℝ≥0∞) ≠ 0 := by norm_num
-    have h2' : (2 : ℝ≥0∞) ≠ ⊤ := by norm_num
-    calc ∑ i ∈ s, ∑ j ∈ s, f i * f j
-      _ = 2⁻¹ * (2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j) := by
-          rw [← mul_assoc, ENNReal.inv_mul_cancel h2 h2', one_mul]
-      _ ≤ 2⁻¹ * (2 * (↑s.card * ∑ i ∈ s, f i ^ 2)) := by gcongr
-      _ = ↑s.card * ∑ i ∈ s, f i ^ 2 := by
-          rw [← mul_assoc, ENNReal.inv_mul_cancel h2 h2', one_mul]
-  calc 2 * ∑ i ∈ s, ∑ j ∈ s, f i * f j
-    _ = ∑ i ∈ s, ∑ j ∈ s, 2 * (f i * f j) := by
-        rw [Finset.mul_sum]; congr 1; ext i; rw [Finset.mul_sum]
-    _ ≤ ∑ i ∈ s, ∑ j ∈ s, (f i ^ 2 + f j ^ 2) := by
-        gcongr with i _ j _
-        calc 2 * (f i * f j) = 2 * f i * f j := (mul_assoc ..).symm
-          _ ≤ f i ^ 2 + f j ^ 2 := ENNReal.two_mul_le_add_sq (f i) (f j)
-    _ = ∑ i ∈ s, (↑s.card * f i ^ 2 + ∑ j ∈ s, f j ^ 2) := by
-        congr 1; ext i
-        rw [Finset.sum_add_distrib, Finset.sum_const, nsmul_eq_mul]
-    _ = ↑s.card * ∑ i ∈ s, f i ^ 2 + ↑s.card * ∑ i ∈ s, f i ^ 2 := by
-        rw [Finset.sum_add_distrib, Finset.mul_sum, Finset.sum_const, nsmul_eq_mul,
-          Finset.mul_sum]
-    _ = 2 * (↑s.card * ∑ i ∈ s, f i ^ 2) := by rw [← two_mul]
-
 namespace OracleComp
 
 variable {ι : Type} [DecidableEq ι] {spec : OracleSpec ι}
@@ -146,7 +108,7 @@ private lemma probEvent_fork_fst_eq_probEvent_pair (s : Fin (qb i + 1)) :
       x₁ x₂ hmem with ⟨t, h₁, h₂⟩
     simp [h₁, h₂]
 
-omit [DecidableEq ι] [spec.DecidableEq] in
+omit [spec.DecidableEq] in
 private lemma probEvent_uniform_eq_seedSlot_le_inv (s : Fin (qb i + 1))
     (seed : QuerySeed spec) :
     let h : ℝ≥0∞ := ↑(Fintype.card (spec.Range i))
@@ -156,44 +118,27 @@ private lemma probEvent_uniform_eq_seedSlot_le_inv (s : Fin (qb i + 1))
   · simp [hnone]
   · rcases Option.ne_none_iff_exists'.mp hnone with ⟨u₀, hu₀⟩
     rw [hu₀]
-    calc
-      Pr[fun u : spec.Range i => (some u₀ : Option (spec.Range i)) = some u |
-            liftComp ($ᵗ spec.Range i) spec]
-        = Pr[fun u : spec.Range i => u₀ = u | liftComp ($ᵗ spec.Range i) spec] := by simp
-      _ = (↑(Fintype.card (spec.Range i)) : ℝ≥0∞)⁻¹ := by
-            rw [probEvent_eq_eq_probOutput']
-            have hLift :
-                Pr[= u₀ | liftComp (($ᵗ spec.Range i : ProbComp (spec.Range i))) spec] =
-                  Pr[= u₀ | ($ᵗ spec.Range i : ProbComp (spec.Range i))] := by
-              simpa using
-                (probOutput_liftComp (spec := unifSpec) (superSpec := spec)
-                  (mx := ($ᵗ spec.Range i : ProbComp (spec.Range i))) (x := u₀))
-            rw [hLift]
-            simp [probOutput_uniformSample]
-      _ ≤ (↑(Fintype.card (spec.Range i)) : ℝ≥0∞)⁻¹ := le_rfl
-
-omit [DecidableEq ι] [spec.DecidableEq] in
+    have : Pr[fun u : spec.Range i => (some u₀ : Option (spec.Range i)) = some u |
+          liftComp ($ᵗ spec.Range i) spec] =
+        Pr[fun u : spec.Range i => u₀ = u | liftComp ($ᵗ spec.Range i) spec] := by
+      congr 1; ext; simp
+    rw [this]
+    exact le_of_eq (seededOracle.probEvent_liftComp_uniformSample_eq_of_eq u₀)
+
+omit [spec.DecidableEq] in
 private lemma probEvent_uniform_eq_seedSlot_eq_inv_of_get (s : Fin (qb i + 1))
     (seed : QuerySeed spec) {u₀ : spec.Range i}
     (hu₀ : (seed i)[↑s]? = some u₀) :
     let h : ℝ≥0∞ := ↑(Fintype.card (spec.Range i))
     Pr[fun u : spec.Range i => (seed i)[↑s]? = some u | liftComp ($ᵗ spec.Range i) spec] = h⁻¹ := by
   simp only
   rw [hu₀]
-  calc
-    Pr[fun u : spec.Range i => (some u₀ : Option (spec.Range i)) = some u |
-          liftComp ($ᵗ spec.Range i) spec]
-      = Pr[fun u : spec.Range i => u₀ = u | liftComp ($ᵗ spec.Range i) spec] := by simp
-    _ = (↑(Fintype.card (spec.Range i)) : ℝ≥0∞)⁻¹ := by
-          rw [probEvent_eq_eq_probOutput']
-          have hLift :
-              Pr[= u₀ | liftComp (($ᵗ spec.Range i : ProbComp (spec.Range i))) spec] =
-                Pr[= u₀ | ($ᵗ spec.Range i : ProbComp (spec.Range i))] := by
-            simpa using
-              (probOutput_liftComp (spec := unifSpec) (superSpec := spec)
-                (mx := ($ᵗ spec.Range i : ProbComp (spec.Range i))) (x := u₀))
-          rw [hLift]
-          simp [probOutput_uniformSample]
+  have : Pr[fun u : spec.Range i => (some u₀ : Option (spec.Range i)) = some u |
+        liftComp ($ᵗ spec.Range i) spec] =
+      Pr[fun u : spec.Range i => u₀ = u | liftComp ($ᵗ spec.Range i) spec] := by
+    congr 1; ext; simp
+  rw [this]
+  exact seededOracle.probEvent_liftComp_uniformSample_eq_of_eq u₀
 
 private lemma probOutput_collision_given_seed_le (s : Fin (qb i + 1))
     (seed : QuerySeed spec) :