109 research outputs found
Zero-cost meta-programmed stateful functors in F*
Writing code is hard; proving it correct is even harder. As the scale of
verified software projects reaches new heights, the problem of efficiently
verifying large amounts of software becomes more and more salient. Nowhere is
this issue more evident than in the context of verified cryptographic
libraries. To achieve feature-parity and be competitive with unverified
cryptographic libraries, a very large number of algorithms and APIs need to be
verified. However, the task is oftentimes repetitive, and factoring out
commonality between algorithms is fraught with difficulties, requiring until
now a significant amount of manual effort.
This paper shows how a judicious combination of known functional programming
techniques leads to an order-of-magnitude improvement in the amount of verified
code produced by the popular HACL* cryptographic library, without compromising
performance. We review three techniques that build upon each other, in order of
increasing sophistication. First, we use dependent types to crisply capture the
specification and state machine of a block algorithm, a cryptographic notion
that was until now only informally and imprecisely specified. Next, we rely on
partial evaluation to author a higher-order, stateful functor that transforms
any unsafe block API into a safe counterpart. Finally, we rely on elaborator
reflection to automate the very process of authoring a functor, using a
code-rewriting tactic. This culminates in a style akin to templatized C++ code,
but relying on a userland tactic and partial evaluation, rather than built-in
compiler support
Trustee: Full Privacy Preserving Vickrey Auction on top of Ethereum
The wide deployment of tokens for digital assets on top of Ethereum implies
the need for powerful trading platforms. Vickrey auctions have been known to
determine the real market price of items as bidders are motivated to submit
their own monetary valuations without leaking their information to the
competitors. Recent constructions have utilized various cryptographic protocols
such as ZKP and MPC, however, these approaches either are partially
privacy-preserving or require complex computations with several rounds. In this
paper, we overcome these limits by presenting Trustee as a Vickrey auction on
Ethereum which fully preserves bids' privacy at relatively much lower fees.
Trustee consists of three components: a front-end smart contract deployed on
Ethereum, an Intel SGX enclave, and a relay to redirect messages between them.
Initially, the enclave generates an Ethereum account and ECDH key-pair.
Subsequently, the relay publishes the account's address and ECDH public key on
the smart contract. As a prerequisite, bidders are encouraged to verify the
authenticity and security of Trustee by using the SGX remote attestation
service. To participate in the auction, bidders utilize the ECDH public key to
encrypt their bids and submit them to the smart contract. Once the bidding
interval is closed, the relay retrieves the encrypted bids and feeds them to
the enclave that autonomously generates a signed transaction indicating the
auction winner. Finally, the relay submits the transaction to the smart
contract which verifies the transaction's authenticity and the parameters'
consistency before accepting the claimed auction winner. As part of our
contributions, we have made a prototype for Trustee available on Github for the
community to review and inspect it. Additionally, we analyze the security
features of Trustee and report on the transactions' gas cost incurred on
Trustee smart contract.Comment: Presented at Financial Cryptography and Data Security 2019, 3rd
Workshop on Trusted Smart Contract
Verifying constant-time implementations
The constant-time programming discipline is an effective countermeasure against timing attacks, which can lead to complete breaks of otherwise secure systems. However, adhering to constant-time programming is hard on its own, and extremely hard under additional efficiency and legacy constraints. This makes automated verification of constant-time code an essential component for building secure software.
We propose a novel approach for verifying constant- time security of real-world code. Our approach is able to validate implementations that locally and intentionally violate the constant-time policy, when such violations are benign and leak no more information than the pub- lic outputs of the computation. Such implementations, which are used in cryptographic libraries to obtain impor- tant speedups or to comply with legacy APIs, would be declared insecure by all prior solutions.
We implement our approach in a publicly available, cross-platform, and fully automated prototype, ct-verif, that leverages the SMACK and Boogie tools and verifies optimized LLVM implementations. We present verifica- tion results obtained over a wide range of constant-time components from the NaCl, OpenSSL, FourQ and other off-the-shelf libraries. The diversity and scale of our ex- amples, as well as the fact that we deal with top-level APIs rather than being limited to low-level leaf functions, distinguishes ct-verif from prior tools.
Our approach is based on a simple reduction of constant-time security of a program P to safety of a prod- uct program Q that simulates two executions of P. We formalize and verify the reduction for a core high-level language using the Coq proof assistant.The first two authors were funded
by Project “TEC4Growth - Pervasive Intelligence,
Enhancers and Proofs of Concept with Industrial
Impact/NORTE-01-0145-FEDER-000020”, which is fi-
nanced by the North Portugal Regional Operational
Programme (NORTE 2020), under the PORTUGAL
2020 Partnership Agreement, and through the European Regional Development Fund (ERDF). The third and
fourth authors were supported by projects S2013/ICE2731
N-GREENS Software-CM and ONR Grants
N000141210914 (AutoCrypt) and N000141512750 (SynCrypt).
The fourth author was also supported by FP7
Marie Cure Actions-COFUND 291803 (Amarout II).
We thank Peter Schwabe for providing us with a collection
of negative examples. We thank Hovav Shacham,
Craig Costello and Patrick Longa for helpful observations
on our verification results. TEC4Growth - Pervasive Intelligence, Enhancers and Proofs of Concept with Industrial Impact/NORTE-01-0145-FEDER-000020info:eu-repo/semantics/publishedVersio
HACL * : A Verified Modern Cryptographic Library
International audienceHACL* is a verified portable C cryptographic library that implements modern cryptographic primitives such as the ChaCha20 and Salsa20 encryption algorithms, Poly1305 and HMAC message authentication, SHA-256 and SHA-512 hash functions, the Curve25519 elliptic curve, and Ed25519 signatures. HACL* is written in the F* programming language and then compiled to readable C code. The F* source code for each cryptographic primitive is verified for memory safety, mitigations against timing side-channels, and functional correctness with respect to a succinct high-level specification of the primitive derived from its published standard. The translation from F* to C preserves these properties and the generated C code can itself be compiled via the CompCert verified C compiler or mainstream compilers like GCC or CLANG. When compiled with GCC on 64-bit platforms, our primitives are as fast as the fastest pure C implementations in OpenSSL and Libsodium, significantly faster than the reference C code in TweetNaCl, and between 1.1x-5.7x slower than the fastest hand-optimized vectorized assembly code in SUPERCOP. HACL* implements the NaCl cryptographic API and can be used as a drop-in replacement for NaCl libraries like Libsodium and TweetNaCl. HACL * provides the cryptographic components for a new mandatory ciphersuite in TLS 1.3 and is being developed as the main cryptographic provider for the miTLS verified implementation. Primitives from HACL* are also being integrated within Mozilla's NSS cryptographic library. Our results show that writing fast, verified, and usable C cryptographic libraries is now practical
Evaluation and implementation of the Ed25519 digital signature algorithm in rust
Mestrado de dupla diplomação com a UTFPR - Universidade Tecnológica Federal do ParanáCryptography can be classified as secret-key and public-key cryptography. Both have distinct
features and differs in performance, complexity, flexibility and security. Secret-key
cryptography, considering its simplicity and performance, is commonly used for securing
communications. The invention of public-key cryptography made it possible to develop
more flexible cryptographic schemes and algorithms, such as key exchanges and digital
signatures, hence extending the possibilities and the field of cryptography. Cryptographic
implementations are primordial for securing the Internet, and as a consequence, correctness,
security and efficiency are more emphasized. In this sense, this work addresses the
evaluation and the implementation of Ed25519, an instance of the Edwards-curve Digital
Signature Algorithm for digital messages authentication. The implementation lies on
Rust: a safe, modern, high-level and strongly-typed programming language. This work
has two contributions: (i) an Ed25519 implementation in Rust that considers readability,
modularity and ease of use, and (ii) an evaluation of the Ed25519 implementation from a
security/performance perspective. The implementation was comprised by three modules:
field arithmetic, curve arithmetic and the interface. The security perspective presented
essential qualities of cryptographic implementations, such as functional correctness, memory
safety, constant-time operations and usability. The performance evaluation showed
low execution times and proved to be as fast as implementations written in C; Rust’s
RAM consumption showed similar results in comparison to implementations written in
C.A criptografia pode ser classificada em simétrica e assimétrica. Ambos diferem-se com
relação ao desempenho, complexidade, flexibilidade e segurança. A criptografia simétrica
é comumente utilizada para estabelecer comunicações secretas. A criptografia assimétrica
foi capaz de ampliar as primitivas criptográficas ao possibilitar primitivas para assinaturas
digitais e acordo de chaves. Implementações criptográficas são primordiais na proteção
de comunicações e informações. Nesse sentido, a segurança, corretude e eficiência são priorizadas.
Este trabalho aborda a avaliação e implementação do algoritmo de assinaturas
digitais Ed25519, uma instância do Edwards-curve Digital Signature Algorithm. Este
trabalho tem como objetivo realizar a implementação do algoritmo Ed25519 em Rust,
uma linguagem de programação de alto nível, moderna e fortemente tipada, com foco em
memory safety. Dessa forma, as contribuições são: (i) uma implementação do Ed25519
em Rust que suporta legibilidade, modularidade e facilidade de uso e (ii) a avaliação da
implementação em termos de desempenho e segurança. O desenvolvimento envolveu a implementação
de três módulos: aritmética de corpos, aritmética de curvas e interface. Na
perspectiva da segurança, foi possível apresentar atributos essenciais às implementações
criptográficas, tais como correctness, memory safety, usabilidade e operações em tempo
constante. A implementação apresentou tempos de execução aceitáveis e próximos das
implementações em C; além disso, Rust apresentou consumo de memória RAM similar às
implementações em C
Everest: Towards a Verified, Drop-in Replacement of HTTPS
The HTTPS ecosystem is the foundation on which Internet security is built. At the heart of this ecosystem is the Transport Layer Security (TLS) protocol, which in turn uses the X.509 public-key infrastructure and numerous cryptographic constructions and algorithms. Unfortunately, this ecosystem is extremely brittle, with headline-grabbing attacks and emergency patches many times a year. We describe our ongoing efforts in Everest (The Everest VERified End-to-end Secure Transport) a project that aims to build and deploy a verified version of TLS and other components of HTTPS, replacing the current infrastructure with proven, secure software.
Aiming both at full verification and usability, we conduct high-level code-based, game-playing proofs of security on cryptographic implementations that yield efficient, deployable code, at the level of C and assembly. Concretely, we use F*, a dependently typed language for programming, meta-programming, and proving at a high level, while relying on low-level DSLs embedded within F* for programming low-level components when necessary for performance and, sometimes, side-channel resistance. To compose the pieces, we compile all our code to source-like C and assembly, suitable for deployment and integration with existing code bases, as well as audit by independent security experts.
Our main results so far include (1) the design of Low*, a subset of F* designed for C-like imperative programming but with high-level verification support, and KreMLin, a compiler that extracts Low* programs to C; (2) an implementation of the TLS-1.3 record layer in Low*, together with a proof of its concrete cryptographic security; (3) Vale, a new DSL for verified assembly language, and several optimized cryptographic primitives proven functionally correct and side-channel resistant. In an early deployment, all our verified software is integrated and deployed within libcurl, a widely used library of networking protocols
- …