2,153 research outputs found
On formal verification of arithmetic-based cryptographic primitives
Cryptographic primitives are fundamental for information security: they are
used as basic components for cryptographic protocols or public-key
cryptosystems. In many cases, their security proofs consist in showing that
they are reducible to computationally hard problems. Those reductions can be
subtle and tedious, and thus not easily checkable. On top of the proof
assistant Coq, we had implemented in previous work a toolbox for writing and
checking game-based security proofs of cryptographic primitives. In this paper
we describe its extension with number-theoretic capabilities so that it is now
possible to write and check arithmetic-based cryptographic primitives in our
toolbox. We illustrate our work by machine checking the game-based proofs of
unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and
semantic security of the public-key cryptographic scheme of Goldwasser and
Micali.Comment: 13 page
Meta-F*: Proof Automation with SMT, Tactics, and Metaprograms
We introduce Meta-F*, a tactics and metaprogramming framework for the F*
program verifier. The main novelty of Meta-F* is allowing the use of tactics
and metaprogramming to discharge assertions not solvable by SMT, or to just
simplify them into well-behaved SMT fragments. Plus, Meta-F* can be used to
generate verified code automatically.
Meta-F* is implemented as an F* effect, which, given the powerful effect
system of F*, heavily increases code reuse and even enables the lightweight
verification of metaprograms. Metaprograms can be either interpreted, or
compiled to efficient native code that can be dynamically loaded into the F*
type-checker and can interoperate with interpreted code. Evaluation on
realistic case studies shows that Meta-F* provides substantial gains in proof
development, efficiency, and robustness.Comment: Full version of ESOP'19 pape
Computer-aided proofs for multiparty computation with active security
Secure multi-party computation (MPC) is a general cryptographic technique
that allows distrusting parties to compute a function of their individual
inputs, while only revealing the output of the function. It has found
applications in areas such as auctioning, email filtering, and secure
teleconference. Given its importance, it is crucial that the protocols are
specified and implemented correctly. In the programming language community it
has become good practice to use computer proof assistants to verify correctness
proofs. In the field of cryptography, EasyCrypt is the state of the art proof
assistant. It provides an embedded language for probabilistic programming,
together with a specialized logic, embedded into an ambient general purpose
higher-order logic. It allows us to conveniently express cryptographic
properties. EasyCrypt has been used successfully on many applications,
including public-key encryption, signatures, garbled circuits and differential
privacy. Here we show for the first time that it can also be used to prove
security of MPC against a malicious adversary. We formalize additive and
replicated secret sharing schemes and apply them to Maurer's MPC protocol for
secure addition and multiplication. Our method extends to general polynomial
functions. We follow the insights from EasyCrypt that security proofs can be
often be reduced to proofs about program equivalence, a topic that is well
understood in the verification of programming languages. In particular, we show
that in the passive case the non-interference-based definition is equivalent to
a standard game-based security definition. For the active case we provide a new
NI definition, which we call input independence
Certified compilation for cryptography: Extended x86 instructions and constant-time verification
We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced.This work is financed by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within the project PTDC/CCI-INF/31698/2017, and by the Norte Portugal Regional Operational Programme (NORTE 2020) under the Portugal 2020 Partnership Agreement, through the European Regional Development Fund (ERDF) and also by national funds through the FCT, within project NORTE-01-0145-FEDER-028550 (REASSURE)
CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives
Most software domains rely on compilers to translate high-level code to
multiple different machine languages, with performance not too much worse than
what developers would have the patience to write directly in assembly language.
However, cryptography has been an exception, where many performance-critical
routines have been written directly in assembly (sometimes through
metaprogramming layers). Some past work has shown how to do formal verification
of that assembly, and other work has shown how to generate C code automatically
along with formal proof, but with consequent performance penalties vs. the
best-known assembly. We present CryptOpt, the first compilation pipeline that
specializes high-level cryptographic functional programs into assembly code
significantly faster than what GCC or Clang produce, with mechanized proof (in
Coq) whose final theorem statement mentions little beyond the input functional
program and the operational semantics of x86-64 assembly. On the optimization
side, we apply randomized search through the space of assembly programs, with
repeated automatic benchmarking on target CPUs. On the formal-verification
side, we connect to the Fiat Cryptography framework (which translates
functional programs into C-like IR code) and extend it with a new formally
verified program-equivalence checker, incorporating a modest subset of known
features of SMT solvers and symbolic-execution engines. The overall prototype
is quite practical, e.g. producing new fastest-known implementations for the
relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519
(part of the TLS standard) and the Bitcoin elliptic curve secp256k1
HERMES: Scalable, Secure, and Privacy-Enhancing Vehicle Access System
We propose HERMES, a scalable, secure, and privacy-enhancing system for users
to share and access vehicles. HERMES securely outsources operations of vehicle
access token generation to a set of untrusted servers. It builds on an earlier
proposal, namely SePCAR [1], and extends the system design for improved
efficiency and scalability. To cater to system and user needs for secure and
private computations, HERMES utilizes and combines several cryptographic
primitives with secure multiparty computation efficiently. It conceals secret
keys of vehicles and transaction details from the servers, including vehicle
booking details, access token information, and user and vehicle identities. It
also provides user accountability in case of disputes. Besides, we provide
semantic security analysis and prove that HERMES meets its security and privacy
requirements. Last but not least, we demonstrate that HERMES is efficient and,
in contrast to SePCAR, scales to a large number of users and vehicles, making
it practical for real-world deployments. We build our evaluations with two
different multiparty computation protocols: HtMAC-MiMC and CBC-MAC-AES. Our
results demonstrate that HERMES with HtMAC-MiMC requires only approx 1,83 ms
for generating an access token for a single-vehicle owner and approx 11,9 ms
for a large branch of rental companies with over a thousand vehicles. It
handles 546 and 84 access token generations per second, respectively. This
results in HERMES being 696 (with HtMAC-MiMC) and 42 (with CBC-MAC-AES) times
faster compared to in SePCAR for a single-vehicle owner access token
generation. Furthermore, we show that HERMES is practical on the vehicle side,
too, as access token operations performed on a prototype vehicle on-board unit
take only approx 62,087 ms
Practical realisation and elimination of an ECC-related software bug attack
We analyse and exploit implementation features in OpenSSL version 0.9.8g which permit an attack against ECDH-based functionality. The attack, although more general, can recover the entire (static) private key from an associated SSL server via adaptive queries when the NIST curve P-256 is used. One can view it as a software-oriented analogue of the bug attack concept due to Biham et al. and, consequently, as the first bug attack to be successfully applied against a real-world system. In addition to the attack and a posteriori countermeasures, we show that formal verification, while rarely used at present, is a viable means of detecting the features which the attack hinges on. Based on the security implications of the attack and the extra justification posed by the possibility of intentionally incorrect implementations in collaborative software development, we conclude that applying and extending the coverage of formal verification to augment existing test strategies for OpenSSL-like software should be deemed a worthwhile, long-term challenge.This work has been supported in part by EPSRC via grant EP/H001689/1 and by project SMART, funded by ENIAC Joint Undertaking (GA 120224)
- …