### minor

parent 756d8f98
 ... ... @@ -37,7 +37,8 @@ with it in the proofs (\ref{subsec:curvep2}). correctness. The white tiles are definitions, the orange ones are hypothesis and the green tiles represent major lemmas and theorems. The plan is as follows. % The plan is as follows. % (This is part of the description of the picture). We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$). Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub, we prove that $M_{a,b}(\K)$ forms an commutative group. ... ... @@ -51,6 +52,9 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref \label{tikz:ProofHighLevel1} \end{figure} % this is for the flow of the text otherwise someone will again complain of a definition poping out of nowhere. We now turn our attention to the details of the proof of the ladder's correctness. \begin{dfn} Given a field $\K$, using an appropriate choice of coordinates, ... ... @@ -79,8 +83,8 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form. In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which represents the points on a specific curve. It is parameterized by a \texttt{K : ecuFieldType}, the type of fields whose characteristic is neither 2 nor 3, and \texttt{E : ecuType}, a record that packs the curve parameters $a$ and $b$ a \texttt{K : ecuFieldType} ---the type of fields whose characteristic is neither 2 nor 3--- and \texttt{E : ecuType} ---a record that packs the curve parameters $a$ and $b$--- along with the proof that $\Delta(a,b) \neq 0$. \begin{lstlisting}[language=Coq] Inductive point := EC_Inf | EC_In of K * K. ... ... 
@@ -96,16 +100,12 @@ Definition oncurve (p : point) := Inductive ec : Type := EC p of oncurve p. \end{lstlisting} Points on an elliptic curve form an commutative group when equipped with the following structure. Points on an elliptic curve form an abelian group when equipped with the following structure.% \begin{itemize} \item The negation of a point $P = (x,y)$ is defined by reflection over the $x$-axis, \ie $-P = (x, -y)$. \item The addition of two points $P, Q \in E_{a,b}(\K) \setminus \{\Oinf\}$ with $P \neq Q$ and $P \neq -Q$ is defined as the negation of the third intersection point of the line through $P$ and $Q$. In case $P = Q$, we either use the line tangent to $P$ if $P$ is not an inflection point, and define $P + Q = -P = -Q$ otherwise. In case $P = -Q$, we define $P + Q = \Oinf$. \item The point $\Oinf$ acts as the neutral element. Hence, we define $-\Oinf = \Oinf$, $P + \Oinf = P$ and $\Oinf + P = P$. \item The addition of two points $P$ and $Q$ is defined as the negation of the third intersection point of the line passing through $P$ and $Q$, or tangent to $P$ if $P = Q$. \item $\Oinf$ is the neutral element under this law: if 3 points are collinear, their sum is equal to $\Oinf$ \end{itemize} These operations are defined in Coq as follows (where we omit the code for the tangent case): \begin{lstlisting}[language=Coq] ... ... 
@@ -147,8 +147,8 @@ than the Weierstra{\ss} form. We consider the Montgomery form \cite{MontgomerySp Similar to the definition of \texttt{ec}, we define the parametric type \texttt{mc} which represents the points on a specific Montgomery curve. It is parameterized by a \texttt{K : ecuFieldType}, the type of fields whose characteristic is neither 2 nor 3, and \texttt{M : mcuType}, a record that packs the curve a \texttt{K : ecuFieldType} ---the type of fields whose characteristic is neither 2 nor 3--- and \texttt{M : mcuType} ---a record that packs the curve parameters $a$ and $b$ along with the proofs that $b \neq 0$ and $a^2 \neq 4$. \begin{lstlisting}[language=Coq,belowskip=-0.1 \baselineskip] Record mcuType := ... ... @@ -177,7 +177,7 @@ Definition add (p1 p2 : point K) := (| xs, - s * (xs - x1) - y1 |) end. \end{lstlisting} And again we prove the result is on the curve: % (again with coercion): And again we prove the result is on the curve: \begin{lstlisting}[language=Coq] Lemma addO (p q : mc) : oncurve (add p q). ... ... 
@@ -185,21 +185,19 @@ Definition addmc (p1 p2 : mc) : mc := MC p1 p2 (addO p1 p2) \end{lstlisting} Remarkably, of all the group properties, associativity is the hardest one to prove for elliptic curves. Instead of reproving this property for Montgomery curves, we transfer it from the Weierstra{\ss} curves with a trick. We define a bijection between a Montgomery curve and its short Weierstra{\ss} form (as in \lref{lemma:bij-ecc}) and prove that it respects the addition as defined on the respective curves. It is then easy to verify all the group laws for Montgomery curves from the Weierstra{\ss} ones. (\lref{lemma:bij-ecc}) and prove that it respects the addition as defined on the respective curves. In this way we get all the group laws for Montgomery curves from the Weierstra{\ss} ones. After we have verified the group properties, it follows that the bijection is a group isomorphism. After having verified the group properties, it follows that the bijection is a group isomorphism. \begin{lemma} \label{lemma:bij-ecc} Let $M_{a,b}$ be a Montgomery curve, define \vspace{-0.3em} $$a' = \frac{3-a^2}{3b^2} \text{\ \ \ \ and\ \ \ \ } b' = \frac{2a^3 - 9a}{27b^3}.$$ then $E_{a',b'}$ is a Weierstra{\ss} curve, and the mapping $\varphi : M_{a,b} \to E_{a',b'}$ defined as: then $E_{a',b'}$ is a Weierstra{\ss} curve, and the mapping $\varphi : M_{a,b} \mapsto E_{a',b'}$ defined as: \vspace{-0.5em} \begin{align*} \varphi(\Oinf_M) & = \Oinf_E \\ \varphi( (x , y) ) & = \left( \frac{x}{b} + \frac{a}{3b} , \frac{y}{b} \right) ... ... 
@@ -226,13 +224,13 @@ After we have verified the group properties, it follows that the bijection is a \label{subsec:ECC-projective} In a projective plane, points are represented by the triples $(X:Y:Z)$ excluding $(0:0:0)$. Scalar multiples of triples are identified with eachother, \ie Scalar multiples of triples are identified with each other, \ie for all $\lambda \neq 0$, the triples $(X:Y:Z)$ and $(\lambda X:\lambda Y:\lambda Z)$ represent the same point in the projective plane. For $Z\neq 0$, the point $(X:Y:Z)$ corresponds to the point $(X/Z,Y/Z)$ in the affine plane. Likewise, the point $(X,Y)$ in the affine plane corresponds to $(X:Y:1)$ in the projective plane. The points $(X : Y : 0)$ can be considered as points at infinity. % The points $(X : Y : 0)$ can be considered as points at infinity. Using fractions as coordinates, the equation for a Montgomery curve $M_{a,b}$ becomes ... ... @@ -256,11 +254,12 @@ Hypothesis mcu_no_square : We define $\chi$ and $\chi_0$ to return the \xcoord of points on a curve. \begin{dfn} Let $\chi : M_{a,b}(\K) \to \K \cup \{\infty\}$ and $\chi_0 : M_{a,b}(\K) \to \K$ such that \begin{align*} \chi((x,y)) &= x, & \chi(\Oinf) &= \infty, &&\text{and} \\ \chi_0((x,y)) &= x, & \chi_0(\Oinf) &= 0. \end{align*} Let $\chi : M_{a,b}(\K) \mapsto \K \cup \{\infty\}$ and $\chi_0 : M_{a,b}(\K) \mapsto \K$ such that \vspace{-0.5em} \begin{align*} \chi((x,y)) & = x, & \chi(\Oinf) & = \infty, & & \text{and} \\[-0.5ex] \chi_0((x,y)) & = x, & \chi_0(\Oinf) & = 0. \end{align*} \end{dfn} Using projective coordinates we prove the formula for differential addition.% (\lref{lemma:xADD}). ... ... 
@@ -270,9 +269,10 @@ Using projective coordinates we prove the formula for differential addition.% (\ let $X_1, Z_1, X_2, Z_2, X_4, Z_4 \in \K$, such that $(X_1,Z_1) \neq (0,0)$, $(X_2,Z_2) \neq (0,0)$, $X_4 \neq 0$ and $Z_4 \neq 0$. Define \vspace{-0.5em} \begin{align*} X_3 & = Z_4((X_1 - Z_1)(X_2+Z_2) + (X_1+Z_1)(X_2-Z_2))^2 \\ Z_3 & = X_4((X_1 - Z_1)(X_2+Z_2) - (X_1+Z_1)(X_2-Z_2))^2, X_3 & = Z_4((X_1 - Z_1)(X_2+Z_2) + (X_1+Z_1)(X_2-Z_2))^2 \\[-0.5ex] Z_3 & = X_4((X_1 - Z_1)(X_2+Z_2) - (X_1+Z_1)(X_2-Z_2))^2 \end{align*} then for any point $P_1$ and $P_2$ in $M_{a,b}(\K)$ such that $X_1/Z_1 = \chi(P_1), X_2/Z_2 = \chi(P_2)$, and $X_4/Z_4 = \chi(P_1 - P_2)$, ... ... @@ -550,8 +550,7 @@ We now study the case of the scalar multiplication and show similar proofs. such that $\varphi((x,y)) = ((x,0), (y,0))$. \item[--] $\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\ such that $\varphi((x,y)) = ((x,0), (0,y))$. \item[--] $\psi: \F{p^2} \mapsto \F{p}$\\ such that $\psi(x,y) = x$. \item[--] $\psi: \F{p^2} \mapsto \F{p}$ such that $\psi(x,y) = x$. \end{itemize} \end{dfn} ... ... 
@@ -559,15 +558,17 @@ We now study the case of the scalar multiplication and show similar proofs. \label{lemma:proj} For all $n \in \N$, for all point $P\in\F{p}\times\F{p}$ on the curve $M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have \vspace{-0.3em} \begin{align*} P &\in M_{486662,1}(\F{p}) & \implies \varphi_c(n \cdot P) &= n \cdot \varphi_c(P), &&\text{and} \\ P &\in M_{486662,2}(\F{p}) & \implies \varphi_t(n \cdot P) &= n \cdot \varphi_t(P). P & \in M_{486662,1}(\F{p}) & \implies \varphi_c(n \cdot P) & = n \cdot \varphi_c(P), & & \text{and} \\ P & \in M_{486662,2}(\F{p}) & \implies \varphi_t(n \cdot P) & = n \cdot \varphi_t(P). \end{align*} \end{lemma} Notice that \vspace{-0.5em} \begin{align*} \forall P \in M_{486662,1}(\F{p}), &&\psi(\chi_0(\varphi_c(P))) &= \chi_0(P), &&\text{and} \\ \forall P \in M_{486662,2}(\F{p}), &&\psi(\chi_0(\varphi_t(P))) &= \chi_0(P). \forall P \in M_{486662,1}(\F{p}), & & \psi(\chi_0(\varphi_c(P))) & = \chi_0(P), & & \text{and} \\ \forall P \in M_{486662,2}(\F{p}), & & \psi(\chi_0(\varphi_t(P))) & = \chi_0(P). \end{align*} In summary, for all $n \in \N$, $n < 2^{255}$, for any point $P\in\F{p}\times\F{p}$ ... ...
 ... ... @@ -244,7 +244,7 @@ the same time. \label{subsec:num-repr-rfc} As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf} (typedef of an array of 16 \TNaCle{long long}) are represented (array of 16 \TNaCle{long long}) are represented in $2^{16}$ and we use a direct mapping to represent that array as a list integers in Coq. However, in order to show the correctness of the basic operations, we need to convert this number to an integer. ... ... @@ -273,8 +273,7 @@ Lemma mult_GF_Zlength : forall (a:list Z) (b:list Z), Zlength a = 16 -> Zlength b = 16 -> (Z16.lst (Low.M a b)) :GF = (Z16.lst a * Z16.lst b) :GF. (Z16.lst (Low.M a b)):GF = (Z16.lst a * Z16.lst b):GF. \end{lstlisting} However for our purpose, simple functional correctness is not enough. ... ...
 ... ... @@ -51,9 +51,9 @@ We define the operation: & ((X_{2 \cdot P}:Z_{2 \cdot P}), (X_{P + Q}:Z_{P + Q})) \end{align*} A pseudocode description of the Montgomery ladder A pseudocode description of the Montgomery ladder is given in Algorithm~\ref{alg:montgomery-ladder}. The main loop iterates over the bits of the scalar $n$. The main loop iterates over the bits of the scalar $n$. The $k^{\text{th}}$ iteration conditionally swaps the arguments $P$ and $Q$ of \texttt{xDBL\&ADD} depending on the value of the $k^{\text{th}}$ bit of $n$. ... ... @@ -64,6 +64,8 @@ $(P_b, P_{1-b})$. By using the differential addition and doubling operations we define the Montgomery ladder computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder}). % \setlength{\textfloatsep}{1em} \begin{algorithm} \caption{Montgomery ladder for scalar mult.} \label{alg:montgomery-ladder} ... ... @@ -83,7 +85,6 @@ computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder} \end{algorithmic} \end{algorithm} \subsection{The X25519 key exchange} \label{subsec:X25519-key-exchange} ... ...
 \section{Organization of the proof files} \label{appendix:proof-folders} \subheading{Requirements} \subheading{Requirements.} Our proofs requires the use of \emph{Coq 8.8.2} for the proofs and \emph{Opam 2.0} to manage the dependencies. We are aware that there exists more recent versions of Coq; VST; CompCert etc. however to avoid dealing with backward breaking compatibility we decided to freeze our dependencies. \subheading{Associated files} The archive containing the proof is composed of two folders \textbf{\texttt{packages}} \subheading{Associated files.} The repository containing the proof is composed of two folders \textbf{\texttt{packages}} and \textbf{\texttt{proofs}}. It aims to be used at the same time as an \emph{opam} repository to manage the dependencies of the proof and to provide the code. ... ... 
@@ -26,38 +26,38 @@ and allows us to use the theorem of quadratic reciprocity. In this folder the reader will find multiple levels of implementation of X25519. \begin{itemize} \item \textbf{\texttt{Libs/}} contains basic libraries and tools to help use reason with lists and decidable procedures. reason with lists and decidable procedures. \item \textbf{\texttt{ListsOp/}} defines operators on list such as \Coqe{ZofList} and related lemmas using \eg \VSTe{Forall}. \Coqe{ZofList} and related lemmas using \eg \VSTe{Forall}. \item \textbf{\texttt{Gen/}} defines a generic Montgomery ladder which can be instantiated with different operations. This ladder is the stub for the following implementations. instantiated with different operations. This ladder is the stub for the following implementations. \item \textbf{\texttt{High/}} contains the theory of Montgomery curves, twists, quadratic extensions and ladder. It also proves the correctness of the ladder over $\F{\p}$. twists, quadratic extensions and ladder. It also proves the correctness of the ladder over $\F{\p}$. \item \textbf{\texttt{Mid/}} provides a list-based implementation of the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. It makes the link with the theory of Montgomery curves. basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. It makes the link with the theory of Montgomery curves. \item \textbf{\texttt{Low/}} provides a second list-based implementation of the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. Those functions are proven to provide the same results as the ones in \texttt{Mid/}, however their implementation are closer to \texttt{C} in order facilitate the proof of equivalence with TweetNaCl code. the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. 
Those functions are proven to provide the same results as the ones in \texttt{Mid/}, however their implementation are closer to \texttt{C} in order facilitate the proof of equivalence with TweetNaCl code. \item \textbf{\texttt{rfc/}} provides our rfc formalization. It uses integers for the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots and the ladder. It specifies the decoding/encoding of/to byte arrays (seen as list of integers) as in RFC~7748. It uses integers for the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots and the ladder. It specifies the decoding/encoding of/to byte arrays (seen as list of integers) as in RFC~7748. \end{itemize} \subheading{\texttt{proofs/vst/}} Here the reader will find four folders. \begin{itemize} \item \textbf{\texttt{c}} contains the C Verifiable implementation of TweetNaCl. \texttt{clightgen} will generate the appropriate translation into Clight. \texttt{clightgen} will generate the appropriate translation into Clight. \item \textbf{\texttt{init}} contains basic lemmas and memory manipulation shortcuts to handle the aliasing cases. shortcuts to handle the aliasing cases. \item \textbf{\texttt{spec}} defines as Hoare triple the specification of the functions used in \TNaCle{crypto_scalarmult}. functions used in \TNaCle{crypto_scalarmult}. \item \textbf{\texttt{proofs}} contains the proofs of the above Hoare triples and thus the proof that TweetNaCl code is sound and correct. and thus the proof that TweetNaCl code is sound and correct. \end{itemize}
 ... ... @@ -119,7 +119,7 @@ Fixpoint ZofList {n:Z} (a:list Z) : Z := | h :: q => h + 2^n * ZofList q end. \end{lstlisting} The encoding from integers to bytes is defined in a similar way: The encoding from integers to bytes is defined in a similar way. \begin{dfn} Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given $n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$. ... ...
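Review bot: in the first hunk of the curve file (@@ -37,7), the unchanged context still reads "forms an commutative group" and "the orange ones are hypothesis"; since the @@ -96 hunk below rewrites the same phrase as "an abelian group", align this sentence with it ("forms an abelian group") and pluralise to "hypotheses". The "% The plan is as follows." / "% (This is part of the description of the picture)." comments are editorial notes that should be deleted rather than kept in the source.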
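Review bot: the comment added in the @@ -51,6 hunk ("% this is for the flow of the text otherwise someone will again complain of a definition poping out of nowhere") reads as a note to co-authors rather than documentation; either drop it or shorten it to something like "% bridge sentence before the definition", and fix "poping" to "popping" if it stays.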
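Review bot: the @@ -147,8 and @@ -79,8 hunks introduce the same "---the type of fields whose characteristic is neither 2 nor 3---" parenthetical but close it differently: for \texttt{ecuType} the dashes close after "$a$ and $b$" and "along with the proof that $\Delta(a,b) \neq 0$" sits outside, while for \texttt{mcuType} the parenthetical is never closed and the proofs that $b \neq 0$ and $a^2 \neq 4$ end up inside it. Pick one form for both, preferably the closed one, e.g. "---a record that packs the curve parameters $a$ and $b$--- along with the proofs that $b \neq 0$ and $a^2 \neq 4$".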
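Review bot: the replacement bullets in the @@ -96,16 hunk lose two cases that the removed text handled explicitly. For $P = -Q$ the line through $P$ and $Q$ is vertical and has no third affine intersection point, and for $P = Q$ at an inflection point the tangent meets the curve only at $P$; the old wording stated $P + (-P) = \Oinf$ and $P + P = -P$ for those cases. Either keep those sentences or say that the third intersection is taken in the projective closure, so that it is $\Oinf$ for a vertical line. Also the last item ("their sum is equal to $\Oinf$") is missing its terminating period.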
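Review bot: the @@ -185,21 hunk replaces $\varphi : M_{a,b} \to E_{a',b'}$ by $\varphi : M_{a,b} \mapsto E_{a',b'}$, which goes against the usual convention: \to separates a map's domain and codomain, whereas \mapsto gives the element-wise rule ($(x,y) \mapsto (\frac{x}{b} + \frac{a}{3b}, \frac{y}{b})$). The same substitution is made for $\chi$ and $\chi_0$ in the @@ -256,11 hunk, and the $\varphi_c$, $\varphi_t$, $\psi$ definitions in the @@ -550,8 hunk already use \mapsto; I would revert all of them to \to. In the same hunk, "After having verified the group properties, it follows that the bijection is a group isomorphism." dangles (nothing in the main clause did the verifying); "Once the group properties are verified, the bijection is a group isomorphism." reads better.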
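Review bot: in the @@ -270,9 hunk the trailing comma after the $Z_3$ line is dropped, but the align* display is in the middle of a sentence ("Define ... then for any point ..."), so the comma should stay (or the display should end with a period and "Then" start a new sentence). The context line "for any point $P_1$ and $P_2$" should also be "for any points $P_1$ and $P_2$".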
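Review bot: the @@ -550,8 hunk merges the $\psi$ item but leaves the visible context above it inconsistent: both the $\varphi_c$ and the $\varphi_t$ items state their rule as "such that $\varphi((x,y)) = \ldots$", so the two maps are literally defined under the same name $\varphi$. Use $\varphi_c((x,y)) = ((x,0),(y,0))$ and $\varphi_t((x,y)) = ((x,0),(0,y))$ respectively, since \lref{lemma:proj} below refers to them by those names.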
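Review bot: in the @@ -244,7 hunk of the representation section, dropping "typedef of" from "(typedef of an array of 16 \TNaCle{long long})" loses a correct detail: \TNaCle{gf} is a typedef name, not an array expression, so the original wording was the more precise one. Whichever is kept, the context line "as a list integers in Coq" is missing "of" ("as a list of integers").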
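Review bot: the @@ -64,6 hunk of the ladder section adds a commented-out "% \setlength{\textfloatsep}{1em}"; a layout tweak that is neither applied nor explained should be removed rather than committed as dead source.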
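Review bot: the Requirements hunk in the appendix fixes the heading punctuation but leaves several grammar slips in the lines it shows: "Our proofs requires" should be "Our proofs require", "there exists more recent versions" should be "there exist more recent versions", and "to avoid dealing with backward breaking compatibility" should read "to avoid dealing with backwards-incompatible changes". Also "Coq 8.8.2 for the proofs" repeats "proofs" from the start of the sentence; "Our proofs require Coq 8.8.2 and Opam 2.0 to manage the dependencies" is enough.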
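Review bot: the @@ -26,38 hunk re-indents the folder list without touching the text, yet the lines it rewrites contain typos that could be fixed in the same pass: "tools to help use reason with lists" should be "help us reason", "operators on list" should be "operators on lists", "their implementation are closer to \texttt{C} in order facilitate" should be "their implementations are closer to \texttt{C} in order to facilitate", and "the C Verifiable implementation of TweetNaCl" is unclear (presumably "the C implementation of TweetNaCl that we verify"). Whitespace-only hunks are also easier to review when separated from wording changes, so consider splitting them.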
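Review bot: the @@ -119,7 hunk only swaps a colon for a period before the \Coqe{ListofZ32} definition, but the definition itself writes the type as "$\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$" while the curve hunks in this same commit switch $\varphi$, $\chi$ and $\chi_0$ to \mapsto. The notation for function types should be uniform across the paper; \rightarrow (or \to) is the standard choice and the one already used here.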