we defined a Coq definition \coqe{Crypto_Scalarmult} mimicking the exact behavior of X25519 in TweetNaCl.

By proving that each functions \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};

By proving that each functions \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};

\coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{car25519} are behaving over \coqe{list Z}

\coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519} are behaving over \coqe{list Z}

as their equivalent over \coqe{Z} in \coqe{:GF} (in \Zfield), we prove the

as their equivalent over \coqe{Z} in \coqe{:GF} (in \Zfield), we prove that given the same inputs \coqe{Crypto_Scalarmult} applies the same computation as \coqe{RFC}.

correctness of

% \begin{theorem}

% \label{thm:crypto-rfc}

% \coqe{Crypto_Scalarmult} matches the specification of RFC~7748.

% \end{theorem}

% This is formalized as follows in Coq:

% This is formalized as follows in Coq:

% \begin{lstlisting}[language=Coq]

\begin{lstlisting}[language=Coq]

% Theorem Crypto_Scalarmult_Eq :

Lemma Crypto_Scalarmult_RFC_eq :

% forall (n p:list Z),

forall (n: list Z) (p: list Z),

% Zlength n = 32 ->

Zlength n = 32 ->

% Zlength p = 32 ->

Zlength p = 32 ->

% Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) n ->

Forall (fun x => 0 <= x /\ x < 2 ^ 8) n ->

% Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) p ->

Forall (fun x => 0 <= x /\ x < 2 ^ 8) p ->

% ZofList 8 (Crypto_Scalarmult n p) =

Crypto_Scalarmult n p = RFC n p.

% ZCrypto_Scalarmult (ZofList 8 n) (ZofList 8 p).

\end{lstlisting}

% \end{lstlisting}

This proves that TweetNaCl's X25519 implementation respect RFC~7748.

We prove that \coqe{Crypto_Scalarmult} matches the specification of RFC~7748 (\tref{thm:crypto-rfc}).

With the VST we also prove that \coqe{Crypto_Scalarmult} matches the Clight translation of Tweetnacl (\tref{thm:crypto-vst}).

We infer that the implementation of X25519 in TweetNaCl (\TNaCle{crypto_scalarmult}) matches

the specifications of RFC~7748 (\tref{thm:VST-RFC}).