Certifying Zero-Knowledge Circuits with Refinement Types

Zero-knowledge (ZK) proof systems have emerged as a promising solution for building security-sensitive applications. However, bugs in ZK applications are extremely difficult to detect and can allow a malicious party to silently exploit the system without leaving any observable trace. This paper presents Coda, a novel statically-typed language for building zero-knowledge applications. Critically, Coda makes it possible to formally specify and statically check properties of a ZK application through a rich refinement type system. One of the key challenges in formally verifying ZK applications is that they require reasoning about polynomial equations over large prime fields that go beyond the capabilities of automated theorem provers. Coda mitigates this challenge by generating a set of Coq lemmas that can be proven in an interactive manner with the help of a tactic library. We have used Coda to re-implement 79 arithmetic circuits from widely-used Circom libraries and applications. Our evaluation shows that Coda makes it possible to specify important and formally verify correctness properties of these circuits. Our evaluation also revealed 6 previously-unknown vulnerabilities in the original Circom projects

A type-theory for higher-order amortized analysis

Die Verifikation von "Worst-Case" Schranken für Ressourcennutzung ist ein wichtiges Problem in der Informatik. Der Nutzen einer solchen Verifikation hängt von der Präzision der Analyse ab. Aus Gründen der Präzision ist es manchmal nützlich, die durchschnittlichen Kosten einer Folge von Operationen zu berücksichtigen, statt die Kosten jeder einzelnen Operation getrennt zu betrachten. Diese Art von Analyse wird oft als amortisierte Ressourcenanalyse bezeichnet. Typischerweise profitieren Programme, die ihren Zustand optimieren, um die Kosten zukünftiger Ausführungen zu reduzieren, von solchen Ansätzen. Die Analyse der Ressourcennutzung einer mit zwei (LIFO) Listen implementierten funktionalen (FIFO) Schlange ist ein klassisches Beispiel für eine amortisierte Analyse. In dieser Arbeit präsentieren wir λamor, eine Typentheorie für die amortisierte Analyse der Ressourcennutzung höherstufiger Programme. Eine typische amortisierte Analyse speichert einen "ghost state", der als Potenzial bezeichnet wird, zusammen mit den Datenstrukturen. Die Kernidee der amortisierten Analyse ist es, zu zeigen, dass das dem Programm zur Verfügung stehende Potenzial ausreicht, um die Ressourcennutzung des Programms zu erfassen. Die Verifikation in λamor basiert auf der Realisierung dieser Idee in einer Typentheorie. Wir erreichen dies indem wir ein allgemeines typentheoretisches Konstrukt zur Darstellung des Potenzials auf der Ebene von Typen definieren und anschließend eine affine Typentheorie aufbauen. Mit λamor zeigen wir, dass eine typentheoretische amortisierte Analyse mit gut verstandenen Konzepten aus substrukturellen und modalen Typentheorien durchgeführt werden kann. Trotzdem ergibt sich ein äußerst aussagekräftiges Framework, das für die Ressourcenanalyse von höherstufigen Programmen, sowohl ein einem "strikten", als auch in einem "lazy" Setting, verwendet werden kann. Wir präsentieren Einbettungen zweier stark verschiedener Arten von typentheoretischen Ressourcenanalyseframeworks (eines basiert auf Effekten, das andere auf Koeffekten) in λamor. Wir zeigen, dass λamor korrekt (sound) ist (mithilfe eines "Logical relations" Modells) und, dass es vollständig für PCF-Programme ist (unter Verwendung einer der Einbettungen). Als nächstes verwenden wir Ideen von λamor, um eine andere Typentheorie (genannt λcg) für einen ganz anderen Anwendungsfall - Informationsflusskontrolle (IFC) - zu entwickeln. λcg verwendet ähnliche typentheoretische Konstrukte wie λamor für das Potenzial verwendet, um die Vertraulichkeitsmarkierungen (den "ghost state" für IFC) darzustellen. Schließlich abstrahieren wir von den spezifischen "ghost states" (Potenzial und Vertraulichkeitsmarkierungen) und entwickeln eine Typentheorie für einen allgemeinen "ghost state" mit einer monoidalen Struktur.Verification of worst-case bounds (on the resource usage of programs) is an important problem in computer science. The usefulness of such verification depends on the precision of the underlying analysis. For precision, sometimes it is useful to consider the average cost over a sequence of operations, instead of separately considering the cost of each individual operation. This kind of an analysis is often referred to as amortized resource analysis. Typically, programs that optimize their internal state to reduce the cost of future executions benefit from such approaches. Analyzing resource usage of a standard functional (FIFO) queue implemented using two functional (LIFO) lists is a classic example of amortized analysis. In this thesis we present λamor, a type-theory for amortized resource analysis of higher-order functional programs. A typical amortized analysis works by storing a ghost state called the potential with data structures. The key idea underlying amortized analysis is to show that, the available potential with the program is sufficient to account for the resource usage of that program. Verification in λamor is based on internalizing this idea into a type theory. We achieve this by providing a general type-theoretic construct to represent potential at the level of types and then building an affine type-theory around it. With λamor we show that, type-theoretic amortized analysis can be performed using well understood concepts from sub-structural and modal type theories. Yet, it yields an extremely expressive framework which can be used for resource analysis of higher-order programs, both in a strict and lazy setting. We show embeddings of two very different styles (one based on effects and the other on coeffects) of type-theoretic resource analysis frameworks into λamor. We show that λamor is sound (using a logical relations model) and complete for cost analysis of PCF programs (using one of the embeddings). Next, we apply ideas from λamor to develop another type theory (called λcg) for a very different domain – Information Flow Control (IFC). λcg uses a similar typetheoretic construct (which λamor uses for the potential) to represent confidentiality label (the ghost state for IFC). Finally, we abstract away from the specific ghost states (potential and confidentiality label) and describe how to develop a type-theory for a general ghost state with a monoidal structure

Adaptive object management for distributed systems

This thesis describes an architecture supporting the management of pluggable software components and evaluates it against the requirement for an enterprise integration platform for the manufacturing and petrochemical industries. In a distributed environment, we need mechanisms to manage objects and their interactions. At the least, we must be able to create objects in different processes on different nodes; we must be able to link them together so that they can pass messages to each other across the network; and we must deliver their messages in a timely and reliable manner. Object based environments which support these services already exist, for example ANSAware(ANSA, 1989), DEC's Objectbroker(ACA,1992), Iona's Orbix(Orbix,1994)Yet such environments provide limited support for composing applications from pluggable components. Pluggability is the ability to install and configure a component into an environment dynamically when the component is used, without specifying static dependencies between components when they are produced. Pluggability is supported to a degree by dynamic binding. Components may be programmed to import references to other components and to explore their interfaces at runtime, without using static type dependencies. Yet thus overloads the component with the responsibility to explore bindings. What is still generally missing is an efficient general-purpose binding model for managing bindings between independently produced components. In addition, existing environments provide no clear strategy for dealing with fine grained objects. The overhead of runtime binding and remote messaging will severely reduce performance where there are a lot of objects with complex patterns of interaction. We need an adaptive approach to managing configurations of pluggable components according to the needs and constraints of the environment. Management is made difficult by embedding bindings in component implementations and by relying on strong typing as the only means of verifying and validating bindings. To solve these problems we have built a set of configuration tools on top of an existing distributed support environment. Specification tools facilitate the construction of independent pluggable components. Visual composition tools facilitate the configuration of components into applications and the verification of composite behaviours. A configuration model is constructed which maintains the environmental state. Adaptive management is made possible by changing the management policy according to this state. Such policy changes affect the location of objects, their bindings, and the choice of messaging system

On the Power of Coercion Abstraction

International audienceErasable coercions in System F-eta, also known as retyping functions, are well-typed eta-expansions of the identity. They may change the type of terms without changing their behavior and can thus be erased before reduction. Coercions in F-eta can model subtyping of known types and some displacement of quantifiers, but not subtyping assumptions nor certain forms of delayed type instantiation. We generalize F-eta by allowing abstraction over retyping functions. We follow a general approach where computing with coercions can be seen as computing in the lambda-calculus but keeping track of which parts of terms are coercions. We obtain a language where coercions do not contribute to the reduction but may block it and are thus not erasable. We recover erasable coercions by choosing a weak reduction strategy and restricting coercion abstraction to value-forms or by restricting abstraction to coercions that are polymorphic in their domain or codomain. The latter variant subsumes F-eta, F-sub, and MLF in a unified framework