Commit 2406eb00 authored by benoit's avatar benoit

minor

parent 756d8f98
...@@ -37,7 +37,8 @@ with it in the proofs (\ref{subsec:curvep2}). ...@@ -37,7 +37,8 @@ with it in the proofs (\ref{subsec:curvep2}).
correctness. The white tiles are definitions, the orange ones are hypothesis and correctness. The white tiles are definitions, the orange ones are hypothesis and
the green tiles represent major lemmas and theorems. the green tiles represent major lemmas and theorems.
The plan is as follows. % The plan is as follows.
% (This is part of the description of the picture).
We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$). We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$).
Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub, Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub,
we prove that $M_{a,b}(\K)$ forms an commutative group. we prove that $M_{a,b}(\K)$ forms an commutative group.
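Review bot: "forms an commutative group" in the last context line of the hunk (identical on both sides) should read "forms a commutative group". Since the Weierstraß paragraph further down now says "abelian group", pick one term and use it in both places. Commenting out "The plan is as follows." is fine as long as the figure caption that the %-comment mentions still carries that sentence; otherwise the list "We consider ... Then ... we prove" starts without an introduction.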
...@@ -51,6 +52,9 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref ...@@ -51,6 +52,9 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref
\label{tikz:ProofHighLevel1} \label{tikz:ProofHighLevel1}
\end{figure} \end{figure}
% this is for the flow of the text otherwise someone will again complain of a definition poping out of nowhere.
We now turn our attention to the details of the proof of the ladder's correctness.
\begin{dfn} \begin{dfn}
Given a field $\K$, Given a field $\K$,
using an appropriate choice of coordinates, using an appropriate choice of coordinates,
...@@ -79,8 +83,8 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form. ...@@ -79,8 +83,8 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form.
In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which
represents the points on a specific curve. It is parameterized by represents the points on a specific curve. It is parameterized by
a \texttt{K : ecuFieldType}, the type of fields whose characteristic is neither 2 nor 3, a \texttt{K : ecuFieldType} ---the type of fields whose characteristic is neither 2 nor 3---
and \texttt{E : ecuType}, a record that packs the curve parameters $a$ and $b$ and \texttt{E : ecuType} ---a record that packs the curve parameters $a$ and $b$---
along with the proof that $\Delta(a,b) \neq 0$. along with the proof that $\Delta(a,b) \neq 0$.
\begin{lstlisting}[language=Coq] \begin{lstlisting}[language=Coq]
Inductive point := EC_Inf | EC_In of K * K. Inductive point := EC_Inf | EC_In of K * K.
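Review bot: the dash spacing in the rewritten parameter description is asymmetric: `\texttt{K : ecuFieldType} ---the type of fields ... 3---` has a space before the opening `---` and none after it, and the closing `---` is glued to "3" but followed by a space, so the dashes visually attach to the wrong words. Either set the dashes unspaced on both sides (`ecuFieldType}---the type ... nor 3---and`) or keep the original commas, which read fine.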
...@@ -96,16 +100,12 @@ Definition oncurve (p : point) := ...@@ -96,16 +100,12 @@ Definition oncurve (p : point) :=
Inductive ec : Type := EC p of oncurve p. Inductive ec : Type := EC p of oncurve p.
\end{lstlisting} \end{lstlisting}
Points on an elliptic curve form an commutative group when equipped with the following structure. Points on an elliptic curve form an abelian group when equipped with the following structure.%
\begin{itemize} \begin{itemize}
\item The negation of a point $P = (x,y)$ is defined by reflection over the $x$-axis, \ie $-P = (x, -y)$. \item The negation of a point $P = (x,y)$ is defined by reflection over the $x$-axis, \ie $-P = (x, -y)$.
\item The addition of two points $P, Q \in E_{a,b}(\K) \setminus \{\Oinf\}$ with $P \neq Q$ and $P \neq -Q$ \item The addition of two points $P$ and $Q$ is defined as the negation of the third intersection point
is defined as the negation of the third intersection point of the line through $P$ and $Q$. of the line passing through $P$ and $Q$, or tangent to $P$ if $P = Q$.
In case $P = Q$, we either use the line tangent to $P$ if $P$ is not an inflection point, \item $\Oinf$ is the neutral element under this law: if 3 points are collinear, their sum is equal to $\Oinf$
and define $P + Q = -P = -Q$ otherwise.
In case $P = -Q$, we define $P + Q = \Oinf$.
\item The point $\Oinf$ acts as the neutral element. Hence, we define $-\Oinf = \Oinf$,
$P + \Oinf = P$ and $\Oinf + P = P$.
\end{itemize} \end{itemize}
These operations are defined in Coq as follows (where we omit the code for the tangent case): These operations are defined in Coq as follows (where we omit the code for the tangent case):
\begin{lstlisting}[language=Coq] \begin{lstlisting}[language=Coq]
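Review bot: the rewritten addition rule loses two cases that the deleted lines defined explicitly. When $P = -Q$ the line through $P$ and $Q$ is vertical and has no third affine intersection, so the old clause "In case $P = -Q$, we define $P + Q = \Oinf$" should be kept; and the old inflection-point case for $P = Q$ (tangent with no distinct third intersection, giving $P + P = -P$) is now silently folded into "tangent to $P$ if $P = Q$". The new neutral-element item also no longer states $-\Oinf = \Oinf$, $P + \Oinf = P$ and $\Oinf + P = P$; "if 3 points are collinear, their sum is equal to $\Oinf$" is a consequence of the law rather than the definition of the identity, and "3" should be spelled "three" in running text. The Coq listing that follows still implements those cases, so the prose should match it.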
...@@ -147,8 +147,8 @@ than the Weierstra{\ss} form. We consider the Montgomery form \cite{MontgomerySp ...@@ -147,8 +147,8 @@ than the Weierstra{\ss} form. We consider the Montgomery form \cite{MontgomerySp
Similar to the definition of \texttt{ec}, we define the parametric type \texttt{mc} which Similar to the definition of \texttt{ec}, we define the parametric type \texttt{mc} which
represents the points on a specific Montgomery curve. represents the points on a specific Montgomery curve.
It is parameterized by It is parameterized by
a \texttt{K : ecuFieldType}, the type of fields whose characteristic is neither a \texttt{K : ecuFieldType} ---the type of fields whose characteristic is neither
2 nor 3, and \texttt{M : mcuType}, a record that packs the curve 2 nor 3--- and \texttt{M : mcuType} ---a record that packs the curve
parameters $a$ and $b$ along with the proofs that $b \neq 0$ and $a^2 \neq 4$. parameters $a$ and $b$ along with the proofs that $b \neq 0$ and $a^2 \neq 4$.
\begin{lstlisting}[language=Coq,belowskip=-0.1 \baselineskip] \begin{lstlisting}[language=Coq,belowskip=-0.1 \baselineskip]
Record mcuType := Record mcuType :=
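Review bot: same dash issue as in the \texttt{ec} paragraph: `\texttt{K : ecuFieldType} ---the type ... 2 nor 3--- and \texttt{M : mcuType} ---a record ...` mixes spaced and unspaced `---`. Use one convention for both parameter descriptions. Also "Similar to the definition of \texttt{ec}, we define" should be "Similarly to the definition of \texttt{ec}, we define" (adverb modifying the verb).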
...@@ -177,7 +177,7 @@ Definition add (p1 p2 : point K) := ...@@ -177,7 +177,7 @@ Definition add (p1 p2 : point K) :=
(| xs, - s * (xs - x1) - y1 |) (| xs, - s * (xs - x1) - y1 |)
end. end.
\end{lstlisting} \end{lstlisting}
And again we prove the result is on the curve: % (again with coercion): And again we prove the result is on the curve:
\begin{lstlisting}[language=Coq] \begin{lstlisting}[language=Coq]
Lemma addO (p q : mc) : oncurve (add p q). Lemma addO (p q : mc) : oncurve (add p q).
...@@ -185,21 +185,19 @@ Definition addmc (p1 p2 : mc) : mc := ...@@ -185,21 +185,19 @@ Definition addmc (p1 p2 : mc) : mc :=
MC p1 p2 (addO p1 p2) MC p1 p2 (addO p1 p2)
\end{lstlisting} \end{lstlisting}
Remarkably, of all the group properties, associativity is the hardest one to prove for elliptic curves.
Instead of reproving this property for Montgomery curves, we transfer it from the Weierstra{\ss} curves
with a trick.
We define a bijection between a Montgomery curve and its short Weierstra{\ss} form We define a bijection between a Montgomery curve and its short Weierstra{\ss} form
(as in \lref{lemma:bij-ecc}) (\lref{lemma:bij-ecc}) and prove that it respects the addition as defined on the
and prove that it respects the addition as defined on the respective curves. respective curves. In this way we get all the group laws for Montgomery curves from the Weierstra{\ss} ones.
It is then easy to verify all the group laws for Montgomery curves from the Weierstra{\ss} ones.
After we have verified the group properties, it follows that the bijection is a group isomorphism. After having verified the group properties, it follows that the bijection is a group isomorphism.
\begin{lemma} \begin{lemma}
\label{lemma:bij-ecc} \label{lemma:bij-ecc}
Let $M_{a,b}$ be a Montgomery curve, define Let $M_{a,b}$ be a Montgomery curve, define
\vspace{-0.3em}
$$a' = \frac{3-a^2}{3b^2} \text{\ \ \ \ and\ \ \ \ } b' = \frac{2a^3 - 9a}{27b^3}.$$ $$a' = \frac{3-a^2}{3b^2} \text{\ \ \ \ and\ \ \ \ } b' = \frac{2a^3 - 9a}{27b^3}.$$
then $E_{a',b'}$ is a Weierstra{\ss} curve, and the mapping then $E_{a',b'}$ is a Weierstra{\ss} curve, and the mapping
$\varphi : M_{a,b} \to E_{a',b'}$ defined as: $\varphi : M_{a,b} \mapsto E_{a',b'}$ defined as:
\vspace{-0.5em}
\begin{align*} \begin{align*}
\varphi(\Oinf_M) & = \Oinf_E \\ \varphi(\Oinf_M) & = \Oinf_E \\
\varphi( (x , y) ) & = \left( \frac{x}{b} + \frac{a}{3b} , \frac{y}{b} \right) \varphi( (x , y) ) & = \left( \frac{x}{b} + \frac{a}{3b} , \frac{y}{b} \right)
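Review bot: `$\varphi : M_{a,b} \mapsto E_{a',b'}$` replaces `\to` with `\mapsto`, but `\mapsto` denotes the action on an element ($x \mapsto f(x)$), not the domain and codomain of a function; `\to` was correct here and should be restored. Separately, the three deleted lines ("associativity is the hardest one to prove ... we transfer it from the Weierstraß curves with a trick") were the only explanation of why the bijection is proved at all; the rewritten "In this way we get all the group laws for Montgomery curves from the Weierstraß ones" states the outcome but not the motivation. Consider keeping one sentence saying that associativity is transferred rather than reproved.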
...@@ -226,13 +224,13 @@ After we have verified the group properties, it follows that the bijection is a ...@@ -226,13 +224,13 @@ After we have verified the group properties, it follows that the bijection is a
\label{subsec:ECC-projective} \label{subsec:ECC-projective}
In a projective plane, points are represented by the triples $(X:Y:Z)$ excluding $(0:0:0)$. In a projective plane, points are represented by the triples $(X:Y:Z)$ excluding $(0:0:0)$.
Scalar multiples of triples are identified with eachother, \ie Scalar multiples of triples are identified with each other, \ie
for all $\lambda \neq 0$, the triples $(X:Y:Z)$ and $(\lambda X:\lambda Y:\lambda Z)$ represent for all $\lambda \neq 0$, the triples $(X:Y:Z)$ and $(\lambda X:\lambda Y:\lambda Z)$ represent
the same point in the projective plane. the same point in the projective plane.
For $Z\neq 0$, the point $(X:Y:Z)$ corresponds to the For $Z\neq 0$, the point $(X:Y:Z)$ corresponds to the
point $(X/Z,Y/Z)$ in the affine plane. point $(X/Z,Y/Z)$ in the affine plane.
Likewise, the point $(X,Y)$ in the affine plane corresponds to $(X:Y:1)$ in the projective plane. Likewise, the point $(X,Y)$ in the affine plane corresponds to $(X:Y:1)$ in the projective plane.
The points $(X : Y : 0)$ can be considered as points at infinity. % The points $(X : Y : 0)$ can be considered as points at infinity.
Using fractions as coordinates, the equation for a Montgomery curve $M_{a,b}$ Using fractions as coordinates, the equation for a Montgomery curve $M_{a,b}$
becomes becomes
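Review bot: commenting out "The points $(X : Y : 0)$ can be considered as points at infinity." leaves the paragraph with no statement of what a triple with $Z = 0$ represents, yet the material that follows relies on it: the definition of $\chi$ maps $\Oinf$ to $\infty$, and the differential-addition lemma requires $(X_1,Z_1) \neq (0,0)$ rather than $Z_1 \neq 0$, which only makes sense once $Z = 0$ is an admissible coordinate. Keep the sentence (the "each other" fix in the same hunk is good).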
...@@ -256,11 +254,12 @@ Hypothesis mcu_no_square : ...@@ -256,11 +254,12 @@ Hypothesis mcu_no_square :
We define $\chi$ and $\chi_0$ to return the \xcoord of points on a curve. We define $\chi$ and $\chi_0$ to return the \xcoord of points on a curve.
\begin{dfn} \begin{dfn}
Let $\chi : M_{a,b}(\K) \to \K \cup \{\infty\}$ and $\chi_0 : M_{a,b}(\K) \to \K$ such that Let $\chi : M_{a,b}(\K) \mapsto \K \cup \{\infty\}$ and $\chi_0 : M_{a,b}(\K) \mapsto \K$ such that
\begin{align*} \vspace{-0.5em}
\chi((x,y)) &= x, & \chi(\Oinf) &= \infty, &&\text{and} \\ \begin{align*}
\chi_0((x,y)) &= x, & \chi_0(\Oinf) &= 0. \chi((x,y)) & = x, & \chi(\Oinf) & = \infty, & & \text{and} \\[-0.5ex]
\end{align*} \chi_0((x,y)) & = x, & \chi_0(\Oinf) & = 0.
\end{align*}
\end{dfn} \end{dfn}
Using projective coordinates we prove the formula for differential addition.% (\lref{lemma:xADD}). Using projective coordinates we prove the formula for differential addition.% (\lref{lemma:xADD}).
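Review bot: `\chi : M_{a,b}(\K) \mapsto \K \cup \{\infty\}` and `\chi_0 : M_{a,b}(\K) \mapsto \K` introduce the same `\to`/`\mapsto` mix-up as in the bijection lemma: the arrow between domain and codomain is `\to`; `\mapsto` is reserved for $x \mapsto \chi(x)$. Revert these two to `\to` so the notation stays consistent with $\varphi$ and with the $\psi$, $\varphi_c$, $\varphi_t$ definitions later in the file.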
...@@ -270,9 +269,10 @@ Using projective coordinates we prove the formula for differential addition.% (\ ...@@ -270,9 +269,10 @@ Using projective coordinates we prove the formula for differential addition.% (\
let $X_1, Z_1, X_2, Z_2, X_4, Z_4 \in \K$, such that $(X_1,Z_1) \neq (0,0)$, let $X_1, Z_1, X_2, Z_2, X_4, Z_4 \in \K$, such that $(X_1,Z_1) \neq (0,0)$,
$(X_2,Z_2) \neq (0,0)$, $X_4 \neq 0$ and $Z_4 \neq 0$. $(X_2,Z_2) \neq (0,0)$, $X_4 \neq 0$ and $Z_4 \neq 0$.
Define Define
\vspace{-0.5em}
\begin{align*} \begin{align*}
X_3 & = Z_4((X_1 - Z_1)(X_2+Z_2) + (X_1+Z_1)(X_2-Z_2))^2 \\ X_3 & = Z_4((X_1 - Z_1)(X_2+Z_2) + (X_1+Z_1)(X_2-Z_2))^2 \\[-0.5ex]
Z_3 & = X_4((X_1 - Z_1)(X_2+Z_2) - (X_1+Z_1)(X_2-Z_2))^2, Z_3 & = X_4((X_1 - Z_1)(X_2+Z_2) - (X_1+Z_1)(X_2-Z_2))^2
\end{align*} \end{align*}
then for any point $P_1$ and $P_2$ in $M_{a,b}(\K)$ such that then for any point $P_1$ and $P_2$ in $M_{a,b}(\K)$ such that
$X_1/Z_1 = \chi(P_1), X_2/Z_2 = \chi(P_2)$, and $X_4/Z_4 = \chi(P_1 - P_2)$, $X_1/Z_1 = \chi(P_1), X_2/Z_2 = \chi(P_2)$, and $X_4/Z_4 = \chi(P_1 - P_2)$,
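Review bot: dropping the comma after the definition of $Z_3$ makes the displayed equations run straight into "then for any point $P_1$ and $P_2$ ...", so the "Define ... , then ..." sentence loses its separator; keep the trailing comma inside the align*. The added `\vspace{-0.5em}` and `\\[-0.5ex]` are layout-only and fine. Minor: "for any point $P_1$ and $P_2$" should be "for any points $P_1$ and $P_2$".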
...@@ -550,8 +550,7 @@ We now study the case of the scalar multiplication and show similar proofs. ...@@ -550,8 +550,7 @@ We now study the case of the scalar multiplication and show similar proofs.
such that $\varphi((x,y)) = ((x,0), (y,0))$. such that $\varphi((x,y)) = ((x,0), (y,0))$.
\item[--] $\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\ \item[--] $\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\
such that $\varphi((x,y)) = ((x,0), (0,y))$. such that $\varphi((x,y)) = ((x,0), (0,y))$.
\item[--] $\psi: \F{p^2} \mapsto \F{p}$\\ \item[--] $\psi: \F{p^2} \mapsto \F{p}$ such that $\psi(x,y) = x$.
such that $\psi(x,y) = x$.
\end{itemize} \end{itemize}
\end{dfn} \end{dfn}
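Review bot: in the context lines the map is introduced as $\varphi_t$ but its defining equation reads "such that $\varphi((x,y)) = ((x,0), (0,y))$" without the subscript, and the preceding item (whose name line is outside the hunk) likewise uses plain $\varphi((x,y))$; as written both items define the same unsubscripted $\varphi$, which is then used as $\varphi_c$ and $\varphi_t$ in the lemma below. Write $\varphi_t((x,y))$ here and $\varphi_c((x,y))$ above. The type lines also use `\mapsto` between domain and codomain (`$\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$`, `$\psi: \F{p^2} \mapsto \F{p}$`), where `\to` is the conventional symbol.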
...@@ -559,15 +558,17 @@ We now study the case of the scalar multiplication and show similar proofs. ...@@ -559,15 +558,17 @@ We now study the case of the scalar multiplication and show similar proofs.
\label{lemma:proj} \label{lemma:proj}
For all $n \in \N$, for all point $P\in\F{p}\times\F{p}$ on the curve For all $n \in \N$, for all point $P\in\F{p}\times\F{p}$ on the curve
$M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have $M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have
\vspace{-0.3em}
\begin{align*} \begin{align*}
P &\in M_{486662,1}(\F{p}) & \implies \varphi_c(n \cdot P) &= n \cdot \varphi_c(P), &&\text{and} \\ P & \in M_{486662,1}(\F{p}) & \implies \varphi_c(n \cdot P) & = n \cdot \varphi_c(P), & & \text{and} \\
P &\in M_{486662,2}(\F{p}) & \implies \varphi_t(n \cdot P) &= n \cdot \varphi_t(P). P & \in M_{486662,2}(\F{p}) & \implies \varphi_t(n \cdot P) & = n \cdot \varphi_t(P).
\end{align*} \end{align*}
\end{lemma} \end{lemma}
Notice that Notice that
\vspace{-0.5em}
\begin{align*} \begin{align*}
\forall P \in M_{486662,1}(\F{p}), &&\psi(\chi_0(\varphi_c(P))) &= \chi_0(P), &&\text{and} \\ \forall P \in M_{486662,1}(\F{p}), & & \psi(\chi_0(\varphi_c(P))) & = \chi_0(P), & & \text{and} \\
\forall P \in M_{486662,2}(\F{p}), &&\psi(\chi_0(\varphi_t(P))) &= \chi_0(P). \forall P \in M_{486662,2}(\F{p}), & & \psi(\chi_0(\varphi_t(P))) & = \chi_0(P).
\end{align*} \end{align*}
In summary, for all $n \in \N$, $n < 2^{255}$, for any point $P\in\F{p}\times\F{p}$ In summary, for all $n \in \N$, $n < 2^{255}$, for any point $P\in\F{p}\times\F{p}$
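Review bot: "for all point $P\in\F{p}\times\F{p}$" in the lemma statement should be "for every point $P \in \F{p}\times\F{p}$" (or "for all points"). The alignment-spacing changes in the two align* blocks are cosmetic and look fine.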
......
...@@ -244,7 +244,7 @@ the same time. ...@@ -244,7 +244,7 @@ the same time.
\label{subsec:num-repr-rfc} \label{subsec:num-repr-rfc}
As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf} As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf}
(typedef of an array of 16 \TNaCle{long long}) are represented (array of 16 \TNaCle{long long}) are represented
in $2^{16}$ and we use a direct mapping to represent that array as a list in $2^{16}$ and we use a direct mapping to represent that array as a list
integers in Coq. However, in order to show the correctness of the basic operations, integers in Coq. However, in order to show the correctness of the basic operations,
we need to convert this number to an integer. we need to convert this number to an integer.
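Review bot: the hunk trims the parenthetical but leaves two defects in the surrounding sentence: "represent that array as a list integers in Coq" is missing "of" ("a list of integers"), and "are represented in $2^{16}$" should say what $2^{16}$ is ("in radix $2^{16}$"), matching the wording "as a list with radix $2^n$" used for \Coqe{ListofZ32} in the appendix. "However for our purpose" needs a comma after "However".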
...@@ -273,8 +273,7 @@ Lemma mult_GF_Zlength : ...@@ -273,8 +273,7 @@ Lemma mult_GF_Zlength :
forall (a:list Z) (b:list Z), forall (a:list Z) (b:list Z),
Zlength a = 16 -> Zlength a = 16 ->
Zlength b = 16 -> Zlength b = 16 ->
(Z16.lst (Low.M a b)) :GF = (Z16.lst (Low.M a b)):GF = (Z16.lst a * Z16.lst b):GF.
(Z16.lst a * Z16.lst b) :GF.
\end{lstlisting} \end{lstlisting}
However for our purpose, simple functional correctness is not enough. However for our purpose, simple functional correctness is not enough.
......
...@@ -51,9 +51,9 @@ We define the operation: ...@@ -51,9 +51,9 @@ We define the operation:
& ((X_{2 \cdot P}:Z_{2 \cdot P}), (X_{P + Q}:Z_{P + Q})) & ((X_{2 \cdot P}:Z_{2 \cdot P}), (X_{P + Q}:Z_{P + Q}))
\end{align*} \end{align*}
A pseudocode description of the Montgomery ladder A pseudocode description of the Montgomery ladder
is given in Algorithm~\ref{alg:montgomery-ladder}. is given in Algorithm~\ref{alg:montgomery-ladder}.
The main loop iterates over the bits of the scalar $n$. The main loop iterates over the bits of the scalar $n$.
The $k^{\text{th}}$ iteration conditionally swaps The $k^{\text{th}}$ iteration conditionally swaps
the arguments $P$ and $Q$ of \texttt{xDBL\&ADD} the arguments $P$ and $Q$ of \texttt{xDBL\&ADD}
depending on the value of the $k^{\text{th}}$ bit of $n$. depending on the value of the $k^{\text{th}}$ bit of $n$.
...@@ -64,6 +64,8 @@ $(P_b, P_{1-b})$. ...@@ -64,6 +64,8 @@ $(P_b, P_{1-b})$.
By using the differential addition and doubling operations we define the Montgomery ladder By using the differential addition and doubling operations we define the Montgomery ladder
computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder}). computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder}).
% \setlength{\textfloatsep}{1em}
\begin{algorithm} \begin{algorithm}
\caption{Montgomery ladder for scalar mult.} \caption{Montgomery ladder for scalar mult.}
\label{alg:montgomery-ladder} \label{alg:montgomery-ladder}
...@@ -83,7 +85,6 @@ computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder} ...@@ -83,7 +85,6 @@ computing a \xcoord-only scalar multiplication (see \aref{alg:montgomery-ladder}
\end{algorithmic} \end{algorithmic}
\end{algorithm} \end{algorithm}
\subsection{The X25519 key exchange} \subsection{The X25519 key exchange}
\label{subsec:X25519-key-exchange} \label{subsec:X25519-key-exchange}
......
\section{Organization of the proof files} \section{Organization of the proof files}
\label{appendix:proof-folders} \label{appendix:proof-folders}
\subheading{Requirements} \subheading{Requirements.}
Our proofs requires the use of \emph{Coq 8.8.2} for the proofs and Our proofs requires the use of \emph{Coq 8.8.2} for the proofs and
\emph{Opam 2.0} to manage the dependencies. We are aware that there exists more \emph{Opam 2.0} to manage the dependencies. We are aware that there exists more
recent versions of Coq; VST; CompCert etc. however to avoid dealing with backward recent versions of Coq; VST; CompCert etc. however to avoid dealing with backward
breaking compatibility we decided to freeze our dependencies. breaking compatibility we decided to freeze our dependencies.
\subheading{Associated files} \subheading{Associated files.}
The archive containing the proof is composed of two folders \textbf{\texttt{packages}} The repository containing the proof is composed of two folders \textbf{\texttt{packages}}
and \textbf{\texttt{proofs}}. and \textbf{\texttt{proofs}}.
It aims to be used at the same time as an \emph{opam} repository to manage It aims to be used at the same time as an \emph{opam} repository to manage
the dependencies of the proof and to provide the code. the dependencies of the proof and to provide the code.
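Review bot: the paragraph under the renamed \subheading{Requirements.} has agreement errors on both sides of the diff: "Our proofs requires the use of" should be "Our proofs require", "there exists more recent versions" should be "there exist more recent versions", and the list "Coq; VST; CompCert etc." should be comma-separated ("Coq, VST, CompCert, etc."). "to avoid dealing with backward breaking compatibility" is garbled; "to avoid dealing with backward-incompatible changes" says what is meant. The change from "archive" to "repository" is consistent with the sentence that follows about using it as an opam repository, so that part is good.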
...@@ -26,38 +26,38 @@ and allows us to use the theorem of quadratic reciprocity. ...@@ -26,38 +26,38 @@ and allows us to use the theorem of quadratic reciprocity.
In this folder the reader will find multiple levels of implementation of X25519. In this folder the reader will find multiple levels of implementation of X25519.
\begin{itemize} \begin{itemize}
\item \textbf{\texttt{Libs/}} contains basic libraries and tools to help use \item \textbf{\texttt{Libs/}} contains basic libraries and tools to help use
reason with lists and decidable procedures. reason with lists and decidable procedures.
\item \textbf{\texttt{ListsOp/}} defines operators on list such as \item \textbf{\texttt{ListsOp/}} defines operators on list such as
\Coqe{ZofList} and related lemmas using \eg \VSTe{Forall}. \Coqe{ZofList} and related lemmas using \eg \VSTe{Forall}.
\item \textbf{\texttt{Gen/}} defines a generic Montgomery ladder which can be \item \textbf{\texttt{Gen/}} defines a generic Montgomery ladder which can be
instantiated with different operations. This ladder is the stub for the instantiated with different operations. This ladder is the stub for the
following implementations. following implementations.
\item \textbf{\texttt{High/}} contains the theory of Montgomery curves, \item \textbf{\texttt{High/}} contains the theory of Montgomery curves,
twists, quadratic extensions and ladder. twists, quadratic extensions and ladder.
It also proves the correctness of the ladder over $\F{\p}$. It also proves the correctness of the ladder over $\F{\p}$.
\item \textbf{\texttt{Mid/}} provides a list-based implementation of the \item \textbf{\texttt{Mid/}} provides a list-based implementation of the
basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. It basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. It
makes the link with the theory of Montgomery curves. makes the link with the theory of Montgomery curves.
\item \textbf{\texttt{Low/}} provides a second list-based implementation of \item \textbf{\texttt{Low/}} provides a second list-based implementation of
the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder. the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} \ldots~and the ladder.
Those functions are proven to provide the same results as the ones in Those functions are proven to provide the same results as the ones in
\texttt{Mid/}, however their implementation are closer to \texttt{C} in order \texttt{Mid/}, however their implementation are closer to \texttt{C} in order
facilitate the proof of equivalence with TweetNaCl code. facilitate the proof of equivalence with TweetNaCl code.
\item \textbf{\texttt{rfc/}} provides our rfc formalization. \item \textbf{\texttt{rfc/}} provides our rfc formalization.
It uses integers for the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M} It uses integers for the basic operations \TNaCle{A}, \TNaCle{Z}, \TNaCle{M}
\ldots and the ladder. It specifies the decoding/encoding of/to byte \ldots and the ladder. It specifies the decoding/encoding of/to byte
arrays (seen as list of integers) as in RFC~7748. arrays (seen as list of integers) as in RFC~7748.
\end{itemize} \end{itemize}
\subheading{\texttt{proofs/vst/}} \subheading{\texttt{proofs/vst/}}
Here the reader will find four folders. Here the reader will find four folders.
\begin{itemize} \begin{itemize}
\item \textbf{\texttt{c}} contains the C Verifiable implementation of TweetNaCl. \item \textbf{\texttt{c}} contains the C Verifiable implementation of TweetNaCl.
\texttt{clightgen} will generate the appropriate translation into Clight. \texttt{clightgen} will generate the appropriate translation into Clight.
\item \textbf{\texttt{init}} contains basic lemmas and memory manipulation \item \textbf{\texttt{init}} contains basic lemmas and memory manipulation
shortcuts to handle the aliasing cases. shortcuts to handle the aliasing cases.
\item \textbf{\texttt{spec}} defines as Hoare triple the specification of the \item \textbf{\texttt{spec}} defines as Hoare triple the specification of the
functions used in \TNaCle{crypto_scalarmult}. functions used in \TNaCle{crypto_scalarmult}.
\item \textbf{\texttt{proofs}} contains the proofs of the above Hoare triples \item \textbf{\texttt{proofs}} contains the proofs of the above Hoare triples
and thus the proof that TweetNaCl code is sound and correct. and thus the proof that TweetNaCl code is sound and correct.
\end{itemize} \end{itemize}
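Review bot: this hunk is a reindentation only, so it is a good moment to fix the wording it touches: "tools to help use reason with lists" should be "to help us reason about lists"; "defines operators on list such as" should be "on lists"; "This ladder is the stub for the following implementations" reads better as "the template for"; "their implementation are closer to \texttt{C} in order facilitate" should be "their implementations are closer to \texttt{C} in order to facilitate"; "the C Verifiable implementation of TweetNaCl" has a stray capital ("the verifiable C implementation"); and "defines as Hoare triple the specification of the functions" should be "defines, as Hoare triples, the specifications of the functions".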
...@@ -119,7 +119,7 @@ Fixpoint ZofList {n:Z} (a:list Z) : Z := ...@@ -119,7 +119,7 @@ Fixpoint ZofList {n:Z} (a:list Z) : Z :=
| h :: q => h + 2^n * ZofList q | h :: q => h + 2^n * ZofList q
end. end.
\end{lstlisting} \end{lstlisting}
The encoding from integers to bytes is defined in a similar way: The encoding from integers to bytes is defined in a similar way.
\begin{dfn} \begin{dfn}
Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given
$n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$. $n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$.
......