Commit 5f0b8548 by Benoit Viguier

### more text

parent 50866c6b
 ... @@ -31,152 +31,3 @@ We provide an example of equivalence of operations over different number ... @@ -31,152 +31,3 @@ We provide an example of equivalence of operations over different number representations (\ref{subsec:num-repr-rfc}). representations (\ref{subsec:num-repr-rfc}). Then, we describe efficient techniques Then, we describe efficient techniques used in some of our more complex proofs (\ref{subsec:inversions-reflections}). used in some of our more complex proofs (\ref{subsec:inversions-reflections}). \subsection{Applying the Verifiable Software Toolchain} \label{subsec:with-VST} \todo{Fix bleeding} We now turn our focus to the formal specification of \TNaCle{crypto_scalarmult}. We use our definition of X25519 from the RFC in the Hoare triple and prove its correctness. \subheading{Specifications.} We show the soundness of TweetNaCl by proving a correspondence between the C version of TweetNaCl and the same code as a pure Coq function. % why "pure" ? % A pure function is a function where the return value is only determined by its % input values, without observable side effects (Side effect are e.g. printing) This defines the equivalence between the Clight representation and our Coq definition of the ladder (\coqe{RFC}). \begin{lstlisting}[language=CoqVST] Definition crypto_scalarmult_spec := DECLARE _crypto_scalarmult_curve25519_tweet WITH v_q: val, v_n: val, v_p: val, c121665:val, sh : share, q : list val, n : list Z, p : list Z (*------------------------------------------*) PRE [ _q OF (tptr tuchar), _n OF (tptr tuchar), _p OF (tptr tuchar) ] PROP (writable_share sh; Forall (fun x => 0 <= x < 2^8) p; Forall (fun x => 0 <= x < 2^8) n; Zlength q = 32; Zlength n = 32; Zlength p = 32) LOCAL(temp _q v_q; temp _n v_n; temp _p v_p; gvar __121665 c121665) SEP (sh [{ v_q }] <<(uch32)-- q; sh [{ v_n }] <<(uch32)-- mVI n; sh [{ v_p }] <<(uch32)-- mVI p; Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665) (*------------------------------------------*) POST [ tint ] PROP (Forall (fun x => 0 <= x < 2^8) (RFC n p); Zlength (RFC n p) = 32) LOCAL(temp ret_temp (Vint Int.zero)) SEP (sh [{ v_q }] <<(uch32)-- mVI (RFC n p); sh [{ v_n }] <<(uch32)-- mVI n; sh [{ v_p }] <<(uch32)-- mVI p; Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665 \end{lstlisting} In this specification we state preconditions like: \begin{itemize} \item[] \VSTe{PRE}: \VSTe{_p OF (tptr tuchar)}\\ The function \TNaCle{crypto_scalarmult} takes as input three pointers to arrays of unsigned bytes (\VSTe{tptr tuchar}) \VSTe{_p}, \VSTe{_q} and \VSTe{_n}. \item[] \VSTe{LOCAL}: \VSTe{temp _p v_p}\\ Each pointer represent an address \VSTe{v_p}, \VSTe{v_q} and \VSTe{v_n}. \item[] \VSTe{SEP}: \VSTe{sh [{ v_p $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI p}\\ In the memory share \texttt{sh}, the address \VSTe{v_p} points to a list of integer values \VSTe{mVI p}. \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) p}\\ In order to consider all the possible inputs, we assume each element of the list \texttt{p} to be bounded by $0$ included and $2^8$ excluded. \item[] \VSTe{PROP}: \VSTe{Zlength p = 32}\\ We also assume that the length of the list \texttt{p} is 32. This defines the complete representation of \TNaCle{u8[32]}. \end{itemize} As postcondition we have conditions like: \begin{itemize} \item[] \VSTe{POST}: \VSTe{tint}\\ The function \TNaCle{crypto_scalarmult} returns an integer. \item[] \VSTe{LOCAL}: \VSTe{temp ret_temp (Vint Int.zero)}\\ The returned integer has value $0$. \item[] \VSTe{SEP}: \VSTe{sh [{ v_q $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI (RFC n p)}\\ In the memory share \texttt{sh}, the address \VSTe{v_q} points to a list of integer values \VSTe{mVI (RFC n p)} where \VSTe{RFC n p} is the result of the \TNaCle{crypto_scalarmult} of \VSTe{n} and \VSTe{p}. \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) (RFC n p)}\\ \VSTe{PROP}: \VSTe{Zlength (RFC n p) = 32}\\ We show that the computation for \VSTe{RFC} fits in \TNaCle{u8[32]}. \end{itemize} computes the same result as \VSTe{RFC} in Coq provided that inputs are within their respective bounds: arrays of 32 bytes. The correctness of this specification is formally proven in Coq with \coqe{Theorem body_crypto_scalarmult}. \todo{Fix bleeding} This specification (proven with VST) shows that \TNaCle{crypto_scalarmult} in C % The Verifiable Software Toolchain uses a strongest postcondition strategy. % The user must first write a formal specification of the function he wants to verify in Coq. % This should be as close as possible to the C implementation behavior. % This will simplify the proof and help with stepping through the Clight version of the software. % With the range of inputs defined, VST mechanically steps through each instruction % and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows. % We call this specification a low level specification. A user will then have an easier % time to prove that his low level specification matches a simpler higher level one. % In order to further speed-up the verification process, it has to be know that to % prove the specification \TNaCle{crypto_scalarmult}, a user only need the specification of e.g. \TNaCle{M}. % This provide with multiple advantages: the verification by the Coq kernel can be done % in parallel and multiple users can work on proving different functions at the same time. % For the sake of completeness we proved all intermediate functions. \subheading{Memory aliasing.} % The semicolon in the \VSTe{SEP} parts of the Hoare triples represents the \emph{separating conjunction} (often written as a star), which means that the memory shares of \texttt{q}, \texttt{n} and \texttt{p} do not overlap. In other words, we only prove correctness of \TNaCle{crypto_scalarmult} when it is called without aliasing. But for other TweetNaCl functions, like the multiplication function \texttt{M(o,a,b)}, we cannot ignore aliasing, as it is called in the ladder in an aliased manner. In the VST, a simple specification of this function will assume that the pointer arguments point to non-overlapping space in memory. When called with three memory fragments (\texttt{o, a, b}), the three of them will be consumed. However assuming this naive specification when \texttt{M(o,a,a)} is called (squaring), the first two memory areas (\texttt{o, a}) are consumed and the VST will expect a third memory section (\texttt{a}) which does not \emph{exist} anymore. Examples of such cases are illustrated in \fref{tikz:MemSame}. \begin{figure}[h]% \centering% \include{tikz/memory_same_sh}% \caption{Aliasing and Separation Logic}% \label{tikz:MemSame}% \end{figure} As a result, a function must either have multiple specifications or specify which aliasing case is being used. The first option would require us to do very similar proofs multiple times for a same function. We chose the second approach: for functions with 3 arguments, named hereafter \texttt{o, a, b}, we define an additional parameter $k$ with values in $\{0,1,2,3\}$: \begin{itemize} \item if $k=0$ then \texttt{o} and \texttt{a} are aliased. \item if $k=1$ then \texttt{o} and \texttt{b} are aliased. \item if $k=2$ then \texttt{a} and \texttt{b} are aliased. \item else there is no aliasing. \end{itemize} In the proof of our specification, we do a case analysis over $k$ when needed. This solution does not cover all cases (\eg all arguments are aliased) but it is enough for our needs.
paper/4.1-VST.tex 0 → 100644
 \subsection{Applying the Verifiable Software Toolchain} \label{subsec:with-VST} \begin{sloppypar} We now turn our focus to the formal specification of \TNaCle{crypto_scalarmult}. We use our definition of X25519 from the RFC in the Hoare triple and prove its correctness. \end{sloppypar} \subheading{Specifications.} We show the soundness of TweetNaCl by proving a correspondence between the C version of TweetNaCl and the same code as a pure Coq function. % why "pure" ? % A pure function is a function where the return value is only determined by its % input values, without observable side effects (Side effect are e.g. printing) This defines the equivalence between the Clight representation and our Coq definition of the ladder (\coqe{RFC}). \begin{lstlisting}[language=CoqVST] Definition crypto_scalarmult_spec := DECLARE _crypto_scalarmult_curve25519_tweet WITH v_q: val, v_n: val, v_p: val, c121665:val, sh : share, q : list val, n : list Z, p : list Z (*------------------------------------------*) PRE [ _q OF (tptr tuchar), _n OF (tptr tuchar), _p OF (tptr tuchar) ] PROP (writable_share sh; Forall (fun x => 0 <= x < 2^8) p; Forall (fun x => 0 <= x < 2^8) n; Zlength q = 32; Zlength n = 32; Zlength p = 32) LOCAL(temp _q v_q; temp _n v_n; temp _p v_p; gvar __121665 c121665) SEP (sh [{ v_q }] <<(uch32)-- q; sh [{ v_n }] <<(uch32)-- mVI n; sh [{ v_p }] <<(uch32)-- mVI p; Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665) (*------------------------------------------*) POST [ tint ] PROP (Forall (fun x => 0 <= x < 2^8) (RFC n p); Zlength (RFC n p) = 32) LOCAL(temp ret_temp (Vint Int.zero)) SEP (sh [{ v_q }] <<(uch32)-- mVI (RFC n p); sh [{ v_n }] <<(uch32)-- mVI n; sh [{ v_p }] <<(uch32)-- mVI p; Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665 \end{lstlisting} In this specification we state preconditions like: \begin{itemize} \item[] \VSTe{PRE}: \VSTe{_p OF (tptr tuchar)}\\ The function \TNaCle{crypto_scalarmult} takes as input three pointers to arrays of unsigned bytes (\VSTe{tptr tuchar}) \VSTe{_p}, \VSTe{_q} and \VSTe{_n}. \item[] \VSTe{LOCAL}: \VSTe{temp _p v_p}\\ Each pointer represent an address \VSTe{v_p}, \VSTe{v_q} and \VSTe{v_n}. \item[] \VSTe{SEP}: \VSTe{sh [{ v_p $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI p}\\ In the memory share \texttt{sh}, the address \VSTe{v_p} points to a list of integer values \VSTe{mVI p}. \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) p}\\ In order to consider all the possible inputs, we assume each element of the list \texttt{p} to be bounded by $0$ included and $2^8$ excluded. \item[] \VSTe{PROP}: \VSTe{Zlength p = 32}\\ We also assume that the length of the list \texttt{p} is 32. This defines the complete representation of \TNaCle{u8[32]}. \end{itemize} As postcondition we have conditions like: \begin{itemize} \item[] \VSTe{POST}: \VSTe{tint}\\ The function \TNaCle{crypto_scalarmult} returns an integer. \item[] \VSTe{LOCAL}: \VSTe{temp ret_temp (Vint Int.zero)}\\ The returned integer has value $0$. \item[] \VSTe{SEP}: \VSTe{sh [{ v_q $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI (RFC n p)}\\ In the memory share \texttt{sh}, the address \VSTe{v_q} points to a list of integer values \VSTe{mVI (RFC n p)} where \VSTe{RFC n p} is the result of the \TNaCle{crypto_scalarmult} of \VSTe{n} and \VSTe{p}. \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) (RFC n p)}\\ \VSTe{PROP}: \VSTe{Zlength (RFC n p) = 32}\\ We show that the computation for \VSTe{RFC} fits in \TNaCle{u8[32]}. \end{itemize} computes the same result as \VSTe{RFC} in Coq provided that inputs are within their respective bounds: arrays of 32 bytes. The correctness of this specification is formally proven in Coq with \coqe{Theorem body_crypto_scalarmult}. \begin{sloppypar} This specification (proven with VST) shows that \TNaCle{crypto_scalarmult} in C \end{sloppypar} % The Verifiable Software Toolchain uses a strongest postcondition strategy. % The user must first write a formal specification of the function he wants to verify in Coq. % This should be as close as possible to the C implementation behavior. % This will simplify the proof and help with stepping through the Clight version of the software. % With the range of inputs defined, VST mechanically steps through each instruction % and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows. % We call this specification a low level specification. A user will then have an easier % time to prove that his low level specification matches a simpler higher level one. % In order to further speed-up the verification process, it has to be know that to % prove the specification \TNaCle{crypto_scalarmult}, a user only need the specification of e.g. \TNaCle{M}. % This provide with multiple advantages: the verification by the Coq kernel can be done % in parallel and multiple users can work on proving different functions at the same time. % For the sake of completeness we proved all intermediate functions. \subheading{Memory aliasing.} % The semicolon in the \VSTe{SEP} parts of the Hoare triples represents the \emph{separating conjunction} (often written as a star), which means that the memory shares of \texttt{q}, \texttt{n} and \texttt{p} do not overlap. In other words, we only prove correctness of \TNaCle{crypto_scalarmult} when it is called without aliasing. But for other TweetNaCl functions, like the multiplication function \texttt{M(o,a,b)}, we cannot ignore aliasing, as it is called in the ladder in an aliased manner. In the VST, a simple specification of this function will assume that the pointer arguments point to non-overlapping space in memory. When called with three memory fragments (\texttt{o, a, b}), the three of them will be consumed. However assuming this naive specification when \texttt{M(o,a,a)} is called (squaring), the first two memory areas (\texttt{o, a}) are consumed and the VST will expect a third memory section (\texttt{a}) which does not \emph{exist} anymore. Examples of such cases are illustrated in \fref{tikz:MemSame}. \begin{figure}[h]% \centering% \include{tikz/memory_same_sh}% \caption{Aliasing and Separation Logic}% \label{tikz:MemSame}% \end{figure} As a result, a function must either have multiple specifications or specify which aliasing case is being used. The first option would require us to do very similar proofs multiple times for a same function. We chose the second approach: for functions with 3 arguments, named hereafter \texttt{o, a, b}, we define an additional parameter $k$ with values in $\{0,1,2,3\}$: \begin{itemize} \item if $k=0$ then \texttt{o} and \texttt{a} are aliased. \item if $k=1$ then \texttt{o} and \texttt{b} are aliased. \item if $k=2$ then \texttt{a} and \texttt{b} are aliased. \item else there is no aliasing. \end{itemize} In the proof of our specification, we do a case analysis over $k$ when needed. This solution does not cover all cases (\eg all arguments are aliased) but it is enough for our needs.
 \subsection{Reflections, inversions and packing} Then using Reflections'' techniques (chapter 15 in \cite{CpdtJFR}), we prove \label{subsec:inversions-reflections} the functional correctness of the inversion over \Zfield. We now turn our attention to the multiplicative inverse in $\Zfield$ and techniques to improve the verification speed of complex formulas. \subheading{Inversion in \Zfield.} We define a Coq version of the inversion mimicking the behavior of \TNaCle{inv25519} (see below) over \Coqe{list Z}. \begin{lstlisting}[language=Ctweetnacl] sv inv25519(gf o,const gf i) { gf c; int a; set25519(c,i); for(a=253;a>=0;a--) { S(c,c); if(a!=2&&a!=4) M(c,c,i); } FOR(a,16) o[a]=c[a]; } \end{lstlisting} We specify this with 2 functions: a recursive \Coqe{pow_fn_rev} to simulate the \texttt{for} loop and a simple \Coqe{step_pow} containing the body. \begin{lstlisting}[language=Coq] Definition step_pow (a:Z) (c:list Z) (g:list Z) : list Z := let c := Sq c in if a <>? 2 && a <>? 4 then M c g else c. Function pow_fn_rev (a:Z) (b:Z) (c: list Z) (g: list Z) {measure Z.to_nat a} : (list Z) := if a <=? 0 then c else let prev := pow_fn_rev (a - 1) b c g in step_pow (b - a) prev g. \end{lstlisting} This \Coqe{Function} requires a proof of termination. It is done by proving the well-foundedness of the decreasing argument: \Coqe{measure Z.to_nat a}. Calling \Coqe{pow_fn_rev} 254 times allows us to reproduce the same behavior as the Clight definition. \begin{lstlisting}[language=Coq] Definition Inv25519 (x:list Z) : list Z := pow_fn_rev 254 254 x x. \end{lstlisting} Similarly we define the same function over $\Z$. \begin{lstlisting}[language=Coq] Definition step_pow_Z (a:Z) (c:Z) (g:Z) : Z := let c := c * c in if a <>? 2 && a <>? 4 then c * g else c. Function pow_fn_rev_Z (a:Z) (b:Z) (c:Z) (g: Z) {measure Z.to_nat a} : Z := if (a <=? 0) then c else let prev := pow_fn_rev_Z (a - 1) b c g in step_pow_Z (b - a) prev g. Definition Inv25519_Z (x:Z) : Z := pow_fn_rev_Z 254 254 x x. \end{lstlisting} By using \lref{lemma:mult_correct}, we prove their equivalence in $\Zfield$. \begin{lemma} \label{lemma:Inv_equivalence} The function \coqe{Inv25519} over list of integers computes the same result at \coqe{Inv25519_Z} over integers in \Zfield. \end{lemma} This is formalized in Coq as follows: \begin{lstlisting}[language=Coq] Lemma Inv25519_Z_GF : forall (g:list Z), length g = 16 -> (Z16.lst (Inv25519 g)) :GF = (Inv25519_Z (Z16.lst g)) :GF. \end{lstlisting} In TweetNaCl, \TNaCle{inv25519} computes an inverse in $\Zfield$. It uses Fermat's little theorem by raising to the power of $2^{255}-21$ with a square-and-multiply algorithm. The binary representation of $p-2$ implies that every step does a multiplications except for bits 2 and 4. To prove the correctness of the result we could use multiple strategies such as: \begin{itemize} \item Proving it is a special case of square-and-multiply algorithm applied to $2^{255}-21$. \item Unrolling the for loop step-by-step and applying the equalities $x^a \times x^b = x^{(a+b)}$ and $(x^a)^2 = x^{(2 \times a)}$. We prove that the resulting exponent is $2^{255}-21$. \end{itemize} We use the second method because it is simpler. However, it requires us to apply the unrolling and exponentiation formulas 255 times. This could be automated in Coq with tacticals such as \Coqe{repeat}, but it generates a proof object which will take a long time to verify. \subheading{Reflections.} In order to speed up the verification we use a technique called Reflection''. It provides us with flexibility, \eg we don't need to know the number of times nor the order in which the lemmas needs to be applied (chapter 15 in \cite{CpdtJFR}). The idea is to \emph{reflect} the goal into a decidable environment. We show that for a property $P$, we can define a decidable Boolean property $P_{bool}$ such that if $P_{bool}$ is \Coqe{true} then $P$ holds. $$\text{\textit{reify\_P}} : P_{bool} = \text{\textit{true}} \implies P$$ By applying \textit{reify\_P} on $P$ our goal becomes $P_{bool} = true$. We then compute the result of $P_{bool}$. If the decision goes well we are left with the tautology $\text{\textit{true}} = \text{\textit{true}}$. With this technique we prove the functional correctness of the inversion over \Zfield. \begin{lemma} \begin{lemma} \label{cor:inv_comput_field} \label{cor:inv_comput_field} \Coqe{Inv25519} computes an inverse in \Zfield. \Coqe{Inv25519} computes an inverse in \Zfield. ... @@ -122,49 +12,21 @@ Corollary Inv25519_Zpow_GF : forall (g:list Z), ... @@ -122,49 +12,21 @@ Corollary Inv25519_Zpow_GF : forall (g:list Z), (pow (Z16.lst g) (2^255-21)) :GF. (pow (Z16.lst g) (2^255-21)) :GF. \end{lstlisting} \end{lstlisting} This reflection technique is also used where proofs requires some computing \begin{sloppypar} over a small and finite domain of variables to test e.g. for all $i$ such that $0 \le i < 16$. Using reflection we prove that we can split the for loop in \TNaCle{pack25519} into two parts. \begin{lstlisting}[language=Ctweetnacl] for(i=1;i<15;i++) { m[i]=t[i]-0xffff-((m[i-1]>>16)&1); m[i-1]&=0xffff; } \end{lstlisting} The first loop computes the subtraction, and the second applies the carries. \begin{lstlisting}[language=Ctweetnacl] for(i=1;i<15;i++) { m[i]=t[i]-0xffff } for(i=1;i<15;i++) { m[i]=m[i]-((m[i-1]>>16)&1); m[i-1]&=0xffff; } \end{lstlisting} This loop separation allows simpler proofs. The first loop is seen as the subtraction of \p. The resulting number represented in $\Zfield$ is invariant with the iteration of the second loop. This result in the proof that \TNaCle{pack25519} reduces modulo $\p$ and returns a number in base $2^8$. \begin{lstlisting}[language=Coq] Lemma Pack25519_mod_25519 : forall (l:list Z), Zlength l = 16 -> Forall (fun x => -2^62 < x < 2^62) l -> ZofList 8 (Pack25519 l) = (Z16.lst l) mod (2^255-19). \end{lstlisting} By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519}; \coqe{montgomery_rec}, \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519}; we defined a Coq definition \coqe{Crypto_Scalarmult} mimicking the exact behavior of X25519 in TweetNaCl. \coqe{montgomery_rec}, we defined in Coq \coqe{Crypto_Scalarmult} and with VST proved it mimicks the exact behavior of X25519 in TweetNaCl. \end{sloppypar} \begin{sloppypar} By proving that each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519} behave over \coqe{list Z} as their equivalent over \coqe{Z} with \coqe{:GF} (in \Zfield), we prove that given the same inputs \coqe{Crypto_Scalarmult} performs the same computation as \coqe{RFC}. \end{sloppypar} By proving that each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519} behave over \coqe{list Z} as their equivalent over \coqe{Z} with \coqe{:GF} (in \Zfield), we prove that given the same inputs \coqe{Crypto_Scalarmult} performs the same computation as \coqe{RFC}. % This is formalized as follows in Coq: % This is formalized as follows in Coq: \begin{lstlisting}[language=Coq] \begin{lstlisting}[language=Coq] Lemma Crypto_Scalarmult_RFC_eq : Lemma Crypto_Scalarmult_RFC_eq : ... @@ -177,3 +39,183 @@ Lemma Crypto_Scalarmult_RFC_eq : ... @@ -177,3 +39,183 @@ Lemma Crypto_Scalarmult_RFC_eq : \end{lstlisting} \end{lstlisting} This proves that TweetNaCl's X25519 implementation respect RFC~7748. This proves that TweetNaCl's X25519 implementation respect RFC~7748. % \subsection{Reflections, inversions and packing} % \label{subsec:inversions-reflections} % % We now turn our attention to the multiplicative inverse in $\Zfield$ and techniques % to improve the verification speed of complex formulas. % % \subheading{Inversion in \Zfield.} % We define a Coq version of the inversion mimicking % the behavior of \TNaCle{inv25519} (see below) over \Coqe{list Z}. % \begin{lstlisting}[language=Ctweetnacl] % sv inv25519(gf o,const gf i) % { % gf c; % int a; % set25519(c,i); % for(a=253;a>=0;a--) { % S(c,c); % if(a!=2&&a!=4) M(c,c,i); % } % FOR(a,16) o[a]=c[a]; % } % \end{lstlisting} % We specify this with 2 functions: a recursive \Coqe{pow_fn_rev} % to simulate the \texttt{for} loop and a simple \Coqe{step_pow} containing the body. % \begin{lstlisting}[language=Coq] % Definition step_pow (a:Z) % (c:list Z) (g:list Z) : list Z := % let c := Sq c in % if a <>? 2 && a <>? 4 % then M c g % else c. % % Function pow_fn_rev (a:Z) (b:Z) % (c: list Z) (g: list Z) % {measure Z.to_nat a} : (list Z) := % if a <=? 0 % then c % else % let prev := pow_fn_rev (a - 1) b c g in % step_pow (b - a) prev g. % \end{lstlisting} % This \Coqe{Function} requires a proof of termination. It is done by proving the % well-foundedness of the decreasing argument: \Coqe{measure Z.to_nat a}. Calling % \Coqe{pow_fn_rev} 254 times allows us to reproduce the same behavior as the Clight definition. % \begin{lstlisting}[language=Coq] % Definition Inv25519 (x:list Z) : list Z := % pow_fn_rev 254 254 x x. % \end{lstlisting} % Similarly we define the same function over $\Z$. % \begin{lstlisting}[language=Coq] % Definition step_pow_Z (a:Z) (c:Z) (g:Z) : Z := % let c := c * c in % if a <>? 2 && a <>? 4 % then c * g % else c. % % Function pow_fn_rev_Z (a:Z) (b:Z) (c:Z) (g: Z) % {measure Z.to_nat a} : Z := % if (a <=? 0) % then c % else % let prev := pow_fn_rev_Z (a - 1) b c g in % step_pow_Z (b - a) prev g. % % Definition Inv25519_Z (x:Z) : Z := % pow_fn_rev_Z 254 254 x x. % \end{lstlisting} % By using \lref{lemma:mult_correct}, we prove their equivalence in $\Zfield$. % \begin{lemma} % \label{lemma:Inv_equivalence} % The function \coqe{Inv25519} over list of integers computes the same % result at \coqe{Inv25519_Z} over integers in \Zfield. % \end{lemma} % This is formalized in Coq as follows: % \begin{lstlisting}[language=Coq] % Lemma Inv25519_Z_GF : forall (g:list Z), % length g = 16 -> % (Z16.lst (Inv25519 g)) :GF = % (Inv25519_Z (Z16.lst g)) :GF. % \end{lstlisting} % % In TweetNaCl, \TNaCle{inv25519} computes an inverse in $\Zfield$. % It uses Fermat's little theorem by raising to the power of $2^{255}-21$ with a % square-and-multiply algorithm. The binary representation % of $p-2$ implies that every step does a multiplications except for bits 2 and 4. % To prove the correctness of the result we could use multiple strategies such as: % \begin{itemize} % \item Proving it is a special case of square-and-multiply algorithm applied to $2^{255}-21$. % \item Unrolling the for loop step-by-step and applying the equalities % $x^a \times x^b = x^{(a+b)}$ and $(x^a)^2 = x^{(2 \times a)}$. We prove that % the resulting exponent is $2^{255}-21$. % \end{itemize} % We use the second method because it is simpler. However, it requires us to % apply the unrolling and exponentiation formulas 255 times. This could be automated % in Coq with tacticals such as \Coqe{repeat}, but it generates a proof object which % will take a long time to verify. % % \subheading{Reflections.} % In order to speed up the verification we use a % technique called Reflection''. It provides us with flexibility, \eg we don't % need to know the number of times nor the order in which the lemmas needs to be % applied (chapter 15 in \cite{CpdtJFR}). % % The idea is to \emph{reflect} the goal into a decidable environment. % We show that for a property $P$, we can define a decidable Boolean property % $P_{bool}$ such that if $P_{bool}$ is \Coqe{true} then $P$ holds. % $$\text{\textit{reify\_P}} : P_{bool} = \text{\textit{true}} \implies P$$ % By applying \textit{reify\_P} on $P$ our goal becomes $P_{bool} = true$. % We then compute the result of $P_{bool}$. If the decision goes well we are % left with the tautology $\text{\textit{true}} = \text{\textit{true}}$. % % With this technique we prove the functional correctness of the inversion over \Zfield. % \begin{lemma} % \label{cor:inv_comput_field} % \Coqe{Inv25519} computes an inverse in \Zfield. % \end{lemma} % This statement is formalized as % \begin{lstlisting}[language=Coq] % Corollary Inv25519_Zpow_GF : forall (g:list Z), % length g = 16 -> % Z16.lst (Inv25519 g) :GF = % (pow (Z16.lst g) (2^255-21)) :GF. % \end{lstlisting} % % This reflection technique is also used where proofs requires some computing % over a small and finite domain of variables to test e.g. for all $i$ such that % $0 \le i < 16$. % Using reflection we prove that we can split the for loop in \TNaCle{pack25519} % into two parts. % \begin{lstlisting}[language=Ctweetnacl] % for(i=1;i<15;i++) { % m[i]=t[i]-0xffff-((m[i-1]>>16)&1); % m[i-1]&=0xffff; % } % \end{lstlisting} % The first loop computes the subtraction, and the second applies the carries. % \begin{lstlisting}[language=Ctweetnacl] % for(i=1;i<15;i++) { % m[i]=t[i]-0xffff % } % % for(i=1;i<15;i++) {