feat: improve verification

Author: ajewellamz

DynamoDbEncryption/dafny/StructuredEncryption/src/AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations.dfy

@@ -6,6 +6,8 @@ include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/
 
 include "Header.dfy"
 include "Util.dfy"
+include "SortCanon.dfy"
+include "Canonize.dfy"
 
 module StructuredEncryptionCrypt {
   import opened Wrappers
@@ -23,6 +25,9 @@ module StructuredEncryptionCrypt {
   import HKDF
   import AesKdfCtr
   import Seq
+  import SortCanon
+    // import Relations
+  import opened Canonize
 
   function method FieldKey(HKDFOutput : Bytes, offset : uint32)
     : (ret : Result<Bytes, Error>)
@@ -125,77 +130,34 @@ module StructuredEncryptionCrypt {
     return commitKey.MapFailure(e => AwsCryptographyPrimitives(e));
   }
 
-  datatype EncryptionSelector = DoEncrypt | DoDecrypt
-
-  // Updated return true if the given item has been updated properly for the given operation.
-  // Updated2..Update5 do exactly the same thing, but with different data types.
-  predicate Updated(oldVal : CanonCryptoItem, newVal : CanonCryptoItem, mode : EncryptionSelector)
-  {
-    && oldVal.key == newVal.key
-    && oldVal.origKey == newVal.origKey
-    && oldVal.action == newVal.action
-    && (newVal.action != ENCRYPT_AND_SIGN <==> oldVal.data == newVal.data)
-    && (newVal.action == ENCRYPT_AND_SIGN <==> oldVal.data != newVal.data)
-    && (mode == DoEncrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> newVal.data.typeId == BYTES_TYPE_ID))
-    && (mode == DoDecrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> |oldVal.data.value| >= 2 && newVal.data.typeId == oldVal.data.value[..2]))
-  }
-
-  predicate Updated2(oldVal : AuthItem, newVal : CanonCryptoItem, mode : EncryptionSelector)
-  {
-    && oldVal.key == newVal.origKey
-    && (newVal.action != ENCRYPT_AND_SIGN <==> oldVal.data == newVal.data)
-    && (newVal.action == ENCRYPT_AND_SIGN <==> oldVal.data != newVal.data)
-    && (mode == DoEncrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> newVal.data.typeId == BYTES_TYPE_ID))
-    && (mode == DoDecrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> |oldVal.data.value| >= 2 && newVal.data.typeId == oldVal.data.value[..2]))
-  }
-
-  predicate Updated3(oldVal : AuthItem, newVal : CryptoItem, mode : EncryptionSelector)
-  {
-    && oldVal.key == newVal.key
-    && (newVal.action != ENCRYPT_AND_SIGN <==> oldVal.data == newVal.data)
-    && (newVal.action == ENCRYPT_AND_SIGN <==> oldVal.data != newVal.data)
-    && (mode == DoEncrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> newVal.data.typeId == BYTES_TYPE_ID))
-    && (mode == DoDecrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> |oldVal.data.value| >= 2 && newVal.data.typeId == oldVal.data.value[..2]))
-  }
-
-  predicate Updated4(oldVal : CryptoItem, newVal : CryptoItem, mode : EncryptionSelector)
-  {
-    && oldVal.key == newVal.key
-    && oldVal.action == newVal.action
-    && (newVal.action != ENCRYPT_AND_SIGN <==> oldVal.data == newVal.data)
-    && (newVal.action == ENCRYPT_AND_SIGN <==> oldVal.data != newVal.data)
-    && (mode == DoEncrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> newVal.data.typeId == BYTES_TYPE_ID))
-    && (mode == DoDecrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> |oldVal.data.value| >= 2 && newVal.data.typeId == oldVal.data.value[..2]))
-  }
-
-  predicate Updated5(oldVal : CryptoItem, newVal : CanonCryptoItem, mode : EncryptionSelector)
-  {
-    && oldVal.key == newVal.origKey
-    && oldVal.action == newVal.action
-    && (newVal.action != ENCRYPT_AND_SIGN <==> oldVal.data == newVal.data)
-    && (newVal.action == ENCRYPT_AND_SIGN <==> oldVal.data != newVal.data)
-    && (mode == DoEncrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> newVal.data.typeId == BYTES_TYPE_ID))
-    && (mode == DoDecrypt ==> (newVal.action == ENCRYPT_AND_SIGN ==> |oldVal.data.value| >= 2 && newVal.data.typeId == oldVal.data.value[..2]))
-  }
-
   // Encrypt a StructuredDataMap
   method Encrypt(
     client: Primitives.AtomicPrimitivesClient,
     alg : CMP.AlgorithmSuiteInfo,
     key : Key,
     head : Header.PartialHeader,
-    data : CanonCryptoList)
+    data : CanonCryptoList,
+    ghost tableName : GoodString,
+    ghost origData : CryptoList)
     returns (ret : Result<CanonCryptoList, Error>)
     requires ValidSuite(alg)
+    requires IsCryptoSorted(data)
+    requires CanonCryptoMatchesCryptoList(tableName, origData, data)
 
     modifies client.Modifies
     requires client.ValidState()
     ensures client.ValidState()
     ensures ret.Success? ==>
               && |ret.value| == |data|
               && (forall i | 0 <= i < |data| :: Updated(data[i], ret.value[i], DoEncrypt))
+              && CanonCryptoListHasNoDuplicates(ret.value)
+              && IsCryptoSorted(ret.value)
+              && CanonCryptoUpdatedCryptoList(tableName, origData, ret.value)
   {
-    ret := Crypt(DoEncrypt, client, alg, key, head, data);
+    reveal CanonCryptoMatchesCryptoList();
+    var result :- Crypt(DoEncrypt, client, alg, key, head, data);
+    assume {:axiom} CanonCryptoUpdatedCryptoList(tableName, origData, result);
+    return Success(result);
   }
 
   // Decrypt a StructuredDataMap
@@ -204,18 +166,38 @@ module StructuredEncryptionCrypt {
     alg : CMP.AlgorithmSuiteInfo,
     key : Key,
     head : Header.PartialHeader,
-    data : CanonCryptoList)
+    data : CanonCryptoList,
+    ghost tableName : GoodString,
+    ghost origData : AuthList)
     returns (ret : Result<CanonCryptoList, Error>)
     requires ValidSuite(alg)
+    requires IsCryptoSorted(data)
+    requires CanonCryptoMatchesAuthList(tableName, origData, data)
 
     modifies client.Modifies
     requires client.ValidState()
     ensures client.ValidState()
     ensures ret.Success? ==>
               && |ret.value| == |data|
-              && forall i | 0 <= i < |data| :: Updated(data[i], ret.value[i], DoDecrypt)
+              && (forall i | 0 <= i < |data| :: Updated(data[i], ret.value[i], DoDecrypt))
+              && IsCryptoSorted(ret.value)
+              && CanonCryptoUpdatedAuthList(tableName, origData, ret.value)
   {
-    ret := Crypt(DoDecrypt, client, alg, key, head, data);
+    reveal CanonCryptoMatchesAuthList();
+    var result :- Crypt(DoDecrypt, client, alg, key, head, data);
+    assume {:axiom} CanonCryptoUpdatedAuthList(tableName, origData, result);
+    return Success(result);
+  }
+
+  lemma MaintainSorted(data : CanonCryptoList, result : CanonCryptoList, mode : EncryptionSelector)
+    requires IsCryptoSorted(data)
+    requires |result| == |data|
+    requires forall i | 0 <= i < |data| :: Updated(data[i], result[i], mode)
+    ensures IsCryptoSorted(result)
+  {
+    reveal IsCryptoSorted();
+    assert forall i | 0 <= i < |data| :: data[i].key == result[i].key;
+    SortCanon.SortedIsSorted(data, result);
   }
 
   // Encrypt or Decrypt a StructuredDataMap
@@ -228,6 +210,8 @@ module StructuredEncryptionCrypt {
     data : CanonCryptoList)
     returns (ret : Result<CanonCryptoList, Error>)
     requires ValidSuite(alg)
+    requires CanonCryptoListHasNoDuplicates(data)
+    requires IsCryptoSorted(data)
 
     ensures ret.Success? ==>
               //= specification/structured-encryption/encrypt-path-structure.md#calculate-cipherkey-and-nonce
@@ -263,6 +247,8 @@ module StructuredEncryptionCrypt {
     ensures ret.Success? ==>
               && |ret.value| == |data|
               && (forall i | 0 <= i < |data| :: Updated(data[i], ret.value[i], mode))
+              && CanonCryptoListHasNoDuplicates(ret.value)
+              && IsCryptoSorted(ret.value)
   {
     //= specification/structured-encryption/encrypt-path-structure.md#calculate-cipherkey-and-nonce
     //# The `FieldRootKey` MUST be generated with the plaintext data key in the encryption materials
@@ -283,8 +269,13 @@ module StructuredEncryptionCrypt {
     //# The calculated Field Root MUST have length equal to the
     //# [algorithm suite's encryption key length](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-encryption-settings).
     assert |fieldRootKey| == AlgorithmSuites.GetEncryptKeyLength(alg) as int;
-    var result := CryptList(mode, client, alg, fieldRootKey, data);
-    return result;
+    var result :- CryptList(mode, client, alg, fieldRootKey, data);
+
+    assert IsCryptoSorted(result) by {
+      MaintainSorted(data, result, mode);
+    }
+
+    return Success(result);
   }
 
   // Encrypt or Decrypt each entry in keys, putting results in output

DynamoDbEncryption/dafny/StructuredEncryption/src/Canonize.dfy

@@ -34,6 +34,12 @@ module StructuredEncryptionPaths {
     [member(StructureSegment(key := x))]
   }
 
+  lemma StringToUniPathUnique()
+    ensures forall x : string, y : string
+              :: x != y ==> StringToUniPath(x) != StringToUniPath(y)
+  {
+  }
+
   function method UniPathToString(x : Path) : Result<string, Error>
     requires |x| == 1
   {

DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy

@@ -5,13 +5,16 @@ include "../Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy"
 include "Util.dfy"
 
 module SortCanon {
-  export provides
+  export
+    provides
       AuthSort,
       CryptoSort,
       AuthBelow,
       CryptoBelow,
       StructuredEncryptionUtil,
-      Relations
+      Relations,
+      AuthSortIsCryptoSort,
+      SortedIsSorted
 
   import opened Wrappers
   import opened StandardLibrary
@@ -28,6 +31,20 @@ module SortCanon {
     Below(x.key, y.key)
   }
 
+  lemma SameBelow2(x1 : CanonAuthItem, x2 : CanonAuthItem, y1 : CanonCryptoItem, y2 : CanonCryptoItem)
+    requires x1.key == y1.key
+    requires x2.key == y2.key
+    ensures AuthBelow(x1, x2) == CryptoBelow(y1, y2)
+  {}
+
+  lemma SameBelow()
+    ensures forall x1 : CanonAuthItem, x2 : CanonAuthItem, y1 : CanonCryptoItem, y2 : CanonCryptoItem
+              | x1.key == y1.key && x2.key == y2.key
+              :: AuthBelow(x1, x2) == CryptoBelow(y1, y2)
+  {
+
+  }
+
   lemma AuthBelowIsReflexive(x: CanonAuthItem)
     ensures AuthBelow(x, x)
   {
@@ -185,21 +202,101 @@ module SortCanon {
   {
   }
 
-  function method AuthSort(x : seq<CanonAuthItem>) : (result : seq<CanonAuthItem>)
+  lemma AuthSortIsCryptoSort(x : CanonAuthList, y : CanonCryptoList)
+    requires SortedBy(x, AuthBelow)
+    requires |x| == |y|
+    requires forall i | 0 <= i < |x| :: x[i].key == y[i].key
+    ensures SortedBy(y, CryptoBelow)
+  {}
+
+  lemma SortedIsSorted(x : CanonCryptoList, y : CanonCryptoList)
+    requires SortedBy(x, CryptoBelow)
+    requires |x| == |y|
+    requires forall i | 0 <= i < |x| :: x[i].key == y[i].key
+    ensures SortedBy(y, CryptoBelow)
+  {}
+
+
+  function method AuthSort(x : CanonAuthList) : (result : CanonAuthList)
+    requires CanonAuthListHasNoDuplicates(x)
     ensures multiset(x) == multiset(result)
     ensures SortedBy(result, AuthBelow)
+    ensures CanonAuthListHasNoDuplicates(result)
   {
     AuthBelowIsTotal();
-    MergeSortBy(x, AuthBelow)
+    var ret := MergeSortBy(x, AuthBelow);
+    CanonAuthListMultiNoDup(x, ret);
+    assert CanonAuthListHasNoDuplicates(ret);
+    ret
   }
 
-  function method CryptoSort(x : seq<CanonCryptoItem>) : (result : seq<CanonCryptoItem>)
+  function method CryptoSort(x : CanonCryptoList) : (result : CanonCryptoList)
+    requires CanonCryptoListHasNoDuplicates(x)
     ensures multiset(x) == multiset(result)
+    ensures multiset(result) == multiset(x)
     ensures SortedBy(result, CryptoBelow)
+    ensures CanonCryptoListHasNoDuplicates(result)
   {
     CryptoBelowIsTotal();
-    MergeSortBy(x, CryptoBelow)
+    var ret := MergeSortBy(x, CryptoBelow);
+    CanonCryptoListMultiNoDup(x, ret);
+    assert CanonCryptoListHasNoDuplicates(ret);
+    ret
   }
 
+  lemma {:axiom} CanonCryptoListMultiNoDup(a: CanonCryptoList, b: CanonCryptoList)
+    requires CanonCryptoListHasNoDuplicates(a) && multiset(a) == multiset(b)
+    ensures CanonCryptoListHasNoDuplicates(b)
+
+  lemma {:axiom} CanonAuthListMultiNoDup(a: CanonAuthList, b: CanonAuthList)
+    requires CanonAuthListHasNoDuplicates(a) && multiset(a) == multiset(b)
+    ensures CanonAuthListHasNoDuplicates(b)
 
+  /*
+  lemma Foo(a : CanonCryptoList)
+  ensures CanonCryptoListHasNoDuplicates(a) 
+  <==> 
+  (forall t:CanonCryptoItem :: multiset(a)[t] <= 1)
+  && (forall t0 : CanonCryptoItem, t1 : CanonCryptoItem <- multiset(a) | t0.origKey == t1.origKey :: t0==t1)
+  
+  
+  lemma AndyNeed2(a: CanonCryptoList, b: CanonCryptoList)
+    requires CanonCryptoListHasNoDuplicates(a) && multiset(a) == multiset(b)
+    ensures CanonCryptoListHasNoDuplicates(b)
+  {
+      Foo(a);
+      Foo(b);
+  }
+  
+  lemma {:vcs_split_on_every_assert} AndyNeed(a: CanonCryptoList, b: CanonCryptoList)
+    requires CanonCryptoListHasNoDuplicates(a) && multiset(a) == multiset(b)
+    ensures CanonCryptoListHasNoDuplicates(b)
+  {
+    if a == [] {
+      assert multiset(b) == multiset{};
+      assert b == [] by {
+        if b != [] {
+          var bElem := b[0];
+          assert bElem in multiset(b);
+        }
+      }
+      assert CanonCryptoListHasNoDuplicates(b);
+    } else {
+      var ap := a[1..];
+      assert exists i | 0 <= i < |b| :: b[i] == a[0] by { // TODO
+        assume {:axiom} exists i | 0 <= i < |b| :: b[i] == a[0];
+      }
+      var i :| 0 <= i < |b| && b[i] == a[0];
+      var bp := b[0..i] + b[i+1..];
+      assert multiset(ap) == multiset(bp) by {
+         assume {:axiom} multiset(ap) == multiset(bp);
+      }
+      AndyNeed(ap, bp);
+      assert CanonCryptoListHasNoDuplicates(bp);
+      assert CanonCryptoListHasNoDuplicates(b) by {
+        assume {:axiom} CanonCryptoListHasNoDuplicates(b);
+      }
+    }
+  }
+  */
 }

DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy

@@ -15,6 +15,7 @@ module StructuredEncryptionUtil {
   import AlgorithmSuites
   import SortedSets
   import Base64
+  import opened Seq
 
   // all attributes with this prefix reserved for the implementation
   const ReservedPrefix := "aws_dbe_"
@@ -57,6 +58,60 @@ module StructuredEncryptionUtil {
   type CanonCryptoList = seq<CanonCryptoItem>
   type CanonAuthList = seq<CanonAuthItem>
 
+  function method CryptoListToSet(xs: CryptoList) : (ret : set<Path>)
+    ensures |xs| == 0 ==> |ret| == 0
+    ensures |xs| == 1 ==> ret == {xs[0].key}
+    ensures |xs| == 1 ==> |ret| == 1
+  {
+    set k <- xs :: k.key
+  }
+
+  function method CanonCryptoListToSet(xs: CanonCryptoList) : (ret : set<Path>)
+    ensures |xs| == 0 ==> |ret| == 0
+    ensures |xs| == 1 ==> ret == {xs[0].origKey}
+    ensures |xs| == 1 ==> |ret| == 1
+  {
+    set k <- xs :: k.origKey
+  }
+
+  function method AuthListToSet(xs: AuthList) : (ret : set<Path>)
+    ensures |xs| == 0 ==> |ret| == 0
+    ensures |xs| == 1 ==> ret == {xs[0].key}
+    ensures |xs| == 1 ==> |ret| == 1
+  {
+    set k <- xs :: k.key
+  }
+
+  predicate method CryptoListHasNoDuplicatesFromSet(xs: CryptoList)
+  {
+    |CryptoListToSet(xs)| == |xs|
+  }
+
+  predicate method AuthListHasNoDuplicatesFromSet(xs: AuthList)
+  {
+    |AuthListToSet(xs)| == |xs|
+  }
+
+  predicate CryptoListHasNoDuplicates(xs: CryptoList)
+  {
+    forall i, j :: 0 <= i < j < |xs| ==> xs[i].key != xs[j].key
+  }
+
+  predicate AuthListHasNoDuplicates(xs: AuthList)
+  {
+    forall i, j :: 0 <= i < j < |xs| ==> xs[i].key != xs[j].key
+  }
+
+  predicate CanonCryptoListHasNoDuplicates(xs: CanonCryptoList)
+  {
+    forall i, j :: 0 <= i < j < |xs| ==> xs[i].origKey != xs[j].origKey
+  }
+
+  predicate CanonAuthListHasNoDuplicates(xs: CanonAuthList)
+  {
+    forall i, j :: 0 <= i < j < |xs| ==> xs[i].origKey != xs[j].origKey
+  }
+
   //= specification/structured-encryption/encrypt-path-structure.md#header-field
   //= type=implication
   //# The Header Field name MUST be `aws_dbe_head`
@@ -249,4 +304,95 @@ module StructuredEncryptionUtil {
     Success(StructuredDataTerminal(value := serializedValue, typeId := typeId))
   }
 
+  lemma CryptoListNoDupFromMap(xs: seq<CryptoItem>)
+    requires HasNoDuplicates(Map((x: CryptoItem) => x.key, xs))
+    ensures CryptoListHasNoDuplicates(xs)
+  {
+    var ys := Map((x: CryptoItem) => x.key, xs);
+    assert forall i, j | 0 <= i < j < |xs| :: ys[i] != ys[j] by {
+      reveal HasNoDuplicates();
+    }
+    assert forall i | 0 <= i < |xs| :: ys[i] == xs[i].key;
+  }
+
+  lemma AuthListNoDupFromMap(xs: seq<AuthItem>)
+    requires HasNoDuplicates(Map((x: AuthItem) => x.key, xs))
+    ensures AuthListHasNoDuplicates(xs)
+  {
+    var ys := Map((x: AuthItem) => x.key, xs);
+    assert forall i, j | 0 <= i < j < |xs| :: ys[i] != ys[j] by {
+      reveal HasNoDuplicates();
+    }
+    assert forall i | 0 <= i < |xs| :: ys[i] == xs[i].key;
+  }
+
+  lemma CryptoListCard(xs: seq<CryptoItem>)
+    ensures |ToSet(Map((x: CryptoItem) => x.key, xs))| == |CryptoListToSet(xs)|
+  {
+    reveal ToSet();
+    var ys := Map((x: CryptoItem) => x.key, xs);
+    forall x ensures x in ToSet(ys) <==> x in CryptoListToSet(xs) {
+      assert x in ToSet(ys) ==> x in CryptoListToSet(xs);
+      assert x in CryptoListToSet(xs) ==> x in ToSet(ys) by {
+        if x in CryptoListToSet(xs) {
+          var i :| 0 <= i < |xs| && xs[i].key == x;
+          assert ys[i] == x by {
+            calc == {
+              ys[i];
+              Map((x: CryptoItem) => x.key, xs)[i];
+              xs[i].key;
+              x;
+            }
+          }
+        } else {}
+      }
+    }
+    assert ToSet(ys) == CryptoListToSet(xs);
+  }
+
+  lemma AuthListCard(xs: seq<AuthItem>)
+    ensures |ToSet(Map((x: AuthItem) => x.key, xs))| == |AuthListToSet(xs)|
+  {
+    reveal ToSet();
+    var ys := Map((x: AuthItem) => x.key, xs);
+    forall x ensures x in ToSet(ys) <==> x in AuthListToSet(xs) {
+      assert x in ToSet(ys) ==> x in AuthListToSet(xs);
+      assert x in AuthListToSet(xs) ==> x in ToSet(ys) by {
+        if x in AuthListToSet(xs) {
+          var i :| 0 <= i < |xs| && xs[i].key == x;
+          assert ys[i] == x by {
+            calc == {
+              ys[i];
+              Map((x: AuthItem) => x.key, xs)[i];
+              xs[i].key;
+              x;
+            }
+          }
+        } else {}
+      }
+    }
+    assert ToSet(ys) == AuthListToSet(xs);
+  }
+
+  lemma SetSizeImpliesCryptoListHasNoDuplicates(xs: seq<CryptoItem>)
+    requires CryptoListHasNoDuplicatesFromSet(xs)
+    ensures CryptoListHasNoDuplicates(xs)
+  {
+    var ys := Map((x: CryptoItem) => x.key, xs);
+    CryptoListCard(xs);
+    LemmaNoDuplicatesCardinalityOfSet(ys);
+    CryptoListNoDupFromMap(xs);
+  }
+
+  lemma SetSizeImpliesAuthListHasNoDuplicates(xs: seq<AuthItem>)
+    requires AuthListHasNoDuplicatesFromSet(xs)
+    ensures AuthListHasNoDuplicates(xs)
+  {
+    var ys := Map((x: AuthItem) => x.key, xs);
+    AuthListCard(xs);
+    LemmaNoDuplicatesCardinalityOfSet(ys);
+    AuthListNoDupFromMap(xs);
+  }
+
+
 }

DynamoDbEncryption/dafny/StructuredEncryption/src/SortCanon.dfy

@@ -19,6 +19,7 @@ module TestHeader {
   import opened UTF8
   import Aws.Cryptography.Primitives
   import AlgorithmSuites
+  import Canonize
 
   method {:test} TestRoundTrip() {
     var head := PartialHeader (
@@ -136,7 +137,7 @@ module TestHeader {
       MakeCrypto("pqr", DO_NOTHING)
     ];
     var tableName : GoodString := "name";
-    var canonSchema :- expect OPS.CanonizeForEncrypt(tableName, schemaMap);
+    var canonSchema :- expect Canonize.ForEncrypt(tableName, schemaMap);
     var legend :- expect MakeLegend(canonSchema);
     //= specification/structured-encryption/header.md#encrypt-legend-bytes
     //= type=test
@@ -158,7 +159,7 @@ module TestHeader {
       MakeCrypto("zzzz", DO_NOTHING)
     ];
     var tableName : GoodString := "name";
-    var canonSchema :- expect OPS.CanonizeForEncrypt(tableName, schemaMap);
+    var canonSchema :- expect Canonize.ForEncrypt(tableName, schemaMap);
     var legend :- expect MakeLegend(canonSchema);
     //= specification/structured-encryption/header.md#encrypt-legend-bytes
     //= type=test
@@ -180,7 +181,7 @@ module TestHeader {
       MakeCrypto("aaaa", SIGN_ONLY)
     ];
     var tableName : GoodString := "name";
-    var canonSchema :- expect OPS.CanonizeForEncrypt(tableName, schemaMap);
+    var canonSchema :- expect Canonize.ForEncrypt(tableName, schemaMap);
     var legend :- expect MakeLegend(canonSchema);
     //= specification/structured-encryption/header.md#encrypt-legend-bytes
     //= type=test