8 research outputs found
Automatic Certified Verification of Cryptographic Programs with COQCRYPTOLINE
COQCRYPTOLINE is an automatic certified verification tool for cryptographic programs. It is built on OCAML programs extracted from algorithms fully certified in COQ with SS- REFLECT. Similar to other automatic tools, COQCRYPTO- LINE calls external decision procedures during verification. To ensure correctness, all answers from external decision procedures are validated by certified certificate checkers in COQCRYPTOLINE. We evaluate COQCRYPTOLINE on cryp- tographic programs from BITCOIN, BORINGSSL, NSS, and OPENSSL. The first certified verification of the reference implementation for number theoretic transform in the post- quantum key exchange mechanism KYBER is also reported
Verified NTT Multiplications for NISTPQC KEM Lattice Finalists: Kyber, SABER, and NTRU
Postquantum cryptography requires a different set of arithmetic routines from traditional public-key cryptography such as elliptic curves. In particular, in each of the lattice-based NISTPQC Key Establishment finalists, every state-ofthe-art optimized implementation for lattice-based schemes still in the NISTPQC round 3 currently uses a different complex multiplication based on the Number Theoretic Transform. We verify the NTT-based multiplications used in NTRU, Kyber, and SABER for both the AVX2 implementation for Intel CPUs and for the pqm4 implementation for the ARM Cortex M4 using the tool CryptoLine. e extended CryptoLine and as a result are able to verify that in six instances multiplications are correct including range properties.
We demonstrate the feasibility for a programmer to verify his or her high-speed assembly code for PQC, as well as to verify someone else’s high-speed PQC software in assembly code, with some cooperation from the programmer
Zero-cost meta-programmed stateful functors in F*
Writing code is hard; proving it correct is even harder. As the scale of
verified software projects reaches new heights, the problem of efficiently
verifying large amounts of software becomes more and more salient. Nowhere is
this issue more evident than in the context of verified cryptographic
libraries. To achieve feature-parity and be competitive with unverified
cryptographic libraries, a very large number of algorithms and APIs need to be
verified. However, the task is oftentimes repetitive, and factoring out
commonality between algorithms is fraught with difficulties, requiring until
now a significant amount of manual effort.
This paper shows how a judicious combination of known functional programming
techniques leads to an order-of-magnitude improvement in the amount of verified
code produced by the popular HACL* cryptographic library, without compromising
performance. We review three techniques that build upon each other, in order of
increasing sophistication. First, we use dependent types to crisply capture the
specification and state machine of a block algorithm, a cryptographic notion
that was until now only informally and imprecisely specified. Next, we rely on
partial evaluation to author a higher-order, stateful functor that transforms
any unsafe block API into a safe counterpart. Finally, we rely on elaborator
reflection to automate the very process of authoring a functor, using a
code-rewriting tactic. This culminates in a style akin to templatized C++ code,
but relying on a userland tactic and partial evaluation, rather than built-in
compiler support
Verifying Classic McEliece: examining the role of formal methods in post-quantum cryptography standardisation
Developers of computer-aided cryptographic tools are optimistic that formal methods will become a vital part of developing new cryptographic systems. We study the use of such tools to specify and verify the implementation of Classic McEliece, one of the code-based cryptography candidates in the fourth round of the NIST Post-Quantum standardisation Process. From our case study we draw conclusions about the practical applicability of these methods to the development of novel cryptography
Certified compilation for cryptography: Extended x86 instructions and constant-time verification
We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced.This work is financed by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within the project PTDC/CCI-INF/31698/2017, and by the Norte Portugal Regional Operational Programme (NORTE 2020) under the Portugal 2020 Partnership Agreement, through the European Regional Development Fund (ERDF) and also by national funds through the FCT, within project NORTE-01-0145-FEDER-028550 (REASSURE)
CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives
Most software domains rely on compilers to translate high-level code to
multiple different machine languages, with performance not too much worse than
what developers would have the patience to write directly in assembly language.
However, cryptography has been an exception, where many performance-critical
routines have been written directly in assembly (sometimes through
metaprogramming layers). Some past work has shown how to do formal verification
of that assembly, and other work has shown how to generate C code automatically
along with formal proof, but with consequent performance penalties vs. the
best-known assembly. We present CryptOpt, the first compilation pipeline that
specializes high-level cryptographic functional programs into assembly code
significantly faster than what GCC or Clang produce, with mechanized proof (in
Coq) whose final theorem statement mentions little beyond the input functional
program and the operational semantics of x86-64 assembly. On the optimization
side, we apply randomized search through the space of assembly programs, with
repeated automatic benchmarking on target CPUs. On the formal-verification
side, we connect to the Fiat Cryptography framework (which translates
functional programs into C-like IR code) and extend it with a new formally
verified program-equivalence checker, incorporating a modest subset of known
features of SMT solvers and symbolic-execution engines. The overall prototype
is quite practical, e.g. producing new fastest-known implementations for the
relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519
(part of the TLS standard) and the Bitcoin elliptic curve secp256k1