Commit 68f0e50f authored by benoit's avatar benoit

more answers

parent 040287a7
all: tweetverif.pdf csf-supplementary/previous.pdf
SOURCES= code-tweetnacl.tex collection.bib conclusion.tex coq.tex highlevel.tex intro.tex lowlevel.tex preliminaries.tex proofs.tex rfc.tex t.bib tweetverif.tex tweetnacl.diff
PREVIOUS= csf-supplementary/previous.tex csf-supplementary/usenix-*.tex csf-supplementary/tweetverif-USENIX.pdf csf-supplementary/tweetverif-SP.pdf
tweetverif.pdf: $(SOURCES)
pdflatex tweetverif.tex
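Review bot: `PREVIOUS` mixes source files (`previous.tex`, `usenix-*.tex`) with two PDFs (`tweetverif-USENIX.pdf`, `tweetverif-SP.pdf`); if those PDFs are produced inside `csf-supplementary` rather than versioned, a fresh checkout has no rule to build them and the new `all` target fails with "No rule to make target" before the sub-make ever runs. Consider listing only the sources here and letting the supplementary Makefile track its own outputs; `all` should also be declared `.PHONY` now that it has real prerequisites.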
......@@ -8,7 +9,7 @@ tweetverif.pdf: $(SOURCES)
pdflatex tweetverif.tex
pdflatex tweetverif.tex
csf-supplementary/previous.pdf:
csf-supplementary/previous.pdf: $(PREVIOUS)
make -C csf-supplementary
tweetnacl.diff:
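Review bot: the recipe for `csf-supplementary/previous.pdf` calls `make -C csf-supplementary` instead of `$(MAKE) -C csf-supplementary`, so flags given on the command line (`-j`, `-n`, `-k`) are not propagated and a dry run at the top level will actually build the supplementary PDF. Adding `$(PREVIOUS)` as prerequisites is the right fix for the previously always-stale target; just switch the recipe to `$(MAKE)`.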
......
......@@ -2,10 +2,10 @@
\begin{tabular}{rrp{.6\textwidth}}
\toprule
Review recommendation & 3.& Major revision \\
Writing quality & 3.& Adequate \\
Reviewer interest & 2.& I might go to a talk about this \\
Reviewer expertise & 3.& Knowledgeable \\
Review recommendation & 3. & Major revision \\
Writing quality & 3. & Adequate \\
Reviewer interest & 2. & I might go to a talk about this \\
Reviewer expertise & 3. & Knowledgeable \\
\bottomrule
\end{tabular}
......@@ -128,8 +128,10 @@ Here are a few linear comments:
This statement should probably be made more precise, it is quite unclear to me what you mean exactly.
\end{itemize}
\begin{answer}
Typo fixed (the satisfy/satisfies actually refers to the semantics of a program in this sentence).
We rephrased the second statement to (hopefully) clarify what we mean.
\begin{itemize}
\item[$-$] Typo fixed (the satisfy/satisfies actually refers to the semantics of a program in this sentence).
\item[$-$]We rephrased the second statement to (hopefully) clarify what we mean.
\end{itemize}
\end{answer}
\begin{itemize}
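Review bot: the second item, `\item[$-$]We rephrased`, is missing the space after the optional argument that the first item has; harmless to LaTeX but inconsistent, so use `\item[$-$] We rephrased`. Since every answer in this file now spells out `\item[$-$]`, a single macro (or an `enumitem` label setting for the `answer` lists) would avoid repeating the dash and make such slips impossible.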
......@@ -148,8 +150,11 @@ Here are a few linear comments:
"depending of the value of the kth bit" $\rightarrow$ unclear what k is at this point
\end{itemize}
\begin{answer}
Regarding Definition 2.3 see our answer above. Typo fixed.
We updated the text to clarify what we mean by the $k$th bit.
\begin{itemize}
\item[$-$] Regarding Definition 2.3 see our answer above.
\item[$-$] Typo fixed.
\item[$-$] We updated the text to clarify what we mean by the $k$th bit.
\end{itemize}
\end{answer}
\begin{itemize}
......@@ -170,11 +175,12 @@ Here are a few linear comments:
\end{itemize}
\begin{answer}
\begin{itemize}
\item \todo{address other comments}
\item The paper introducing separation logic describes it as \emph{``an extension of Hoare logic''}.
See \url{https://www.cs.cmu.edu/~jcr/seplogic.pdf}.
\item \todo{address other comments}
\item[$-$] While the Odd Order theorem is shinier for the complexity of the work, it may not be as well known as the Four Color theorem. This lack of exposition makes its proof less impressive to readers not familiar with the subject.
\item[$-$] We fixed the hyphenation.
\item[$-$] The Hoare logic is not a known subject for most cryptographers not familiar with formal methods. In our opinion, the Hoare-Sec rule is the easiest rule with material (as opposed to Hoare-Skip) to understand by its composition nature and as it also relates to how instructions are read in the source code of a program.
\item[$-$] The Separation Logic was introduced by their authors \emph{``an extension of Hoare logic''}. See See \url{https://www.cs.cmu.edu/~jcr/seplogic.pdf}.
\end{itemize}
\end{answer}
\begin{itemize}
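Review bot: the last item has a duplicated word (`See See \url{...}`) and is missing a preposition: `was introduced by their authors \emph{``an extension of Hoare logic''}` should read `was introduced by its authors as \emph{``an extension of Hoare logic''}`. In the third item, check whether `Hoare-Sec` is meant to be the sequencing rule (usually written Hoare-Seq), since the sentence justifies the choice by its composition nature. `The Hoare logic` and `The Separation Logic` also read more naturally without the article.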
......@@ -182,16 +188,16 @@ Here are a few linear comments:
"'To implement (...)" $\rightarrow$ I am very confused by this. The whole paragraph is an unannounced quote, it would need context/explanation.
\end{itemize}
\begin{answer}
\todo{Fix, comment here.}
Fixed, we added an introduction sentence.
\end{answer}
\begin{itemize}
\item \textbf{page 6, column 1:}\\
In ListofZn\_fp $\rightarrow$ The use of fuel might deserve a comment. Don't you end up having to prove at some point that you can always compute ahead of time an overapproximation of the fuel needed? Wouldn't it have been simple to use the strong recursion principle of naturals to define the function?
\end{itemize}
\begin{answer}
In our case the fuel is used to garantee to have as an output a list of 32 elements. This allows to prove that for all List of 32 bytes, ListofZn\_fp (ZofList L) = L. With this lemma at hand we can later simplify some of the expressions.
\end{answer}
\begin{answer}
In our case the fuel is used to garantee to have as an output a list of 32 elements. This allows us to prove that for all List of 32 bytes, ListofZn\_fp (ZofList L) = L. With this lemma at hand we can later simplify some of the expressions.
\end{answer}
\begin{itemize}
\item \textbf{page 6, column 2:}\\
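Review bot: `garantee` in the ListofZn\_fp answer is misspelled (`guarantee`) in both the old and the new text, and `to garantee to have as an output a list of 32 elements` reads better as `to guarantee that the output is a list of 32 elements`; likewise `for all List of 32 bytes` should be `for every list of 32 bytes`. The reviewer's second question, whether the strong recursion principle on naturals would have avoided fuel altogether, is still not addressed; one sentence on why the fuel-based definition was preferred over well-founded recursion would close it.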
......@@ -199,7 +205,8 @@ Here are a few linear comments:
Specification: I think explaining the structure of a VST statement would be necessary to help an unfamiliar reader understand this specification.
\end{itemize}
\begin{answer}
\todo{Answer}
We rephrased this paragraph to avoid misleading the reader on the translations done.\\
\todo{add some more text before "In this specification we state preconditions like:" ?}
\end{answer}
\begin{itemize}
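Review bot: the answer still carries a `\todo{...}`, and the line before it ends with `\\`; that `\\` is unnecessary in front of the todo and, once the todo is removed, leaves a forced break at the end of the paragraph (an underfull hbox). Resolve the todo before the response is sent and drop the `\\`; the reviewer asked for an explanation of the structure of a VST statement, and the rephrasing mentioned here does not say whether that was added.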
......@@ -207,11 +214,16 @@ Here are a few linear comments:
Discussion on memory aliasing is great, I would have liked more of this kind through the paper.\\
Figure 2: I had to fish back a little for the definition of "sh", but "Ews" has really never been defined I believe.\\
"Improving speed" $\rightarrow$ of what? This whole paragraph is quite hard to read. In particular be careful that it is not obvious to the reader whether you are speeding up the verification process or the runtime of the implementation. In particular it was unclear to me what you were referring to by saying "Optimizations of such definitions".\\
The following paragraph also is a bit cryptic. I assume you are saying that identifying finely the dependencies between definitions allow for parallelizing the work? Arguably, simply admitting temporarily yon the fly any specification needed achieves the same.\\
The following paragraph also is a bit cryptic. I assume you are saying that identifying finely the dependencies between definitions allow for parallelizing the work? Arguably, simply admitting temporarily on the fly any specification needed achieves the same.\\
"Numbers in gf" $\rightarrow$ Please remind the reader what "gf" is. Good section overall
\end{itemize}
\begin{answer}
\todo{Answer}
\begin{itemize}
\item[$-$] We added a description of "Ews" in the precondition paragraph, this should clarify the global memory share name.
\item[$-$] We clarified that we improve the speed of the verification effort. ``Optimization of such definition'' refers to the will of some developers to use for example a fancy recursive definition of a function.
\item[$-$] In order to verify a file, Coq need the compiled proof of dependencies. However in the case of VST it is possible to split the specification from the proof, as a result the proof of the full scalar multiplication does not require the proof of the the multiplication in \F{p}, only its specification.
\item[$-$] We reminded the reader that "gf" is a C type.
\end{itemize}
\end{answer}
\begin{itemize}
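Review bot: in the third item `Coq need` should be `Coq needs`, `the the multiplication` doubles `the`, and the sentence runs two clauses together; suggested: `However, with VST the specification can be separated from the proof; as a result, the proof of the full scalar multiplication only requires the specification of the multiplication in \F{p}, not its proof.` Also confirm that `\F{p}` is the macro the paper uses for the field, since the other response text writes `\Zfield`. In the first item, `this should clarify the global memory share name` would be clearer as `this clarifies the name of the global memory share`.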
......@@ -220,7 +232,10 @@ Here are a few linear comments:
Figure 3: Please comment generously this figure, it looks great but it is frustrating to try to decipher it without help.
\end{itemize}
\begin{answer}
\todo{Answer}
\begin{itemize}
\item[$-$] We removed the reflection mention, more explanations would require too many implementation details.
\item[$-$] We added a paragraph to describe the content of Figure 3.
\end{itemize}
\end{answer}
\begin{itemize}
......@@ -237,7 +252,8 @@ Here are a few linear comments:
Figure 4: this one is the apex: it would deserve a full column of explanations
\end{itemize}
\begin{answer}
\todo{How much explanation did we actually add here?}
In addition to Figure 4, we added a full paragraph providing the red line of the proof of this theorem.
We hope to provide suficiant insights of the dependencies between lemmas to arrive into the final theorem.
\end{answer}
\begin{itemize}
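Review bot: `suficiant` should be `sufficient`, and `the red line of the proof` is a calque (French fil rouge); use `the main thread of the proof` or `the overall structure of the proof`. `arrive into the final theorem` should be `arrive at the final theorem`, and `insights of the dependencies` should be `insight into the dependencies`.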
......@@ -259,7 +275,7 @@ Here are a few linear comments:
\item Please provide high level explanations to your three Figures describing the infrastructure.
\end{itemize}
\begin{answer}
\todo{We added such high-level descriptions.}
We added high-level description of Figures 1, 3 and 4. They should help the reader to follow the line of the proof.
\end{answer}
\begin{itemize}
\item Please reduce slightly the width of the technical material covered, and use the gained space to provide a bit more context to the one covered
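Review bot: `We added high-level description of Figures 1, 3 and 4` needs the plural (`descriptions of`), and `follow the line of the proof` should be `follow the thread of the proof`, matching the wording suggested for the Figure 4 answer so the response uses one term throughout.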
......
......@@ -100,6 +100,9 @@ I enjoyed Section 5 and I believe it is one of the more important (and reusable)
\item Rewrite section 5 to focus on proof structure and a few well-chosen lemmas/definitions
\end{itemize}
\begin{answer}
\todo{Say what we did here}
By including a descriptions to figures 3 and 4, we provide a better readding experience of the subsequent proofs.
The reader is not faced anymore with a list of lemmas and theorem but can understand why they arrive in such order.
In addition to those paragraphs we reduced the technical material provided; these two modifications results in
improved readability of the full section.
\end{answer}
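Review bot: several slips in the new answer: `a descriptions to figures 3 and 4` should be `descriptions of Figures 3 and 4` (capitalised as elsewhere), `readding` should be `reading`, `a list of lemmas and theorem` should be `lemmas and theorems`, and `these two modifications results in` should be `result in`. `is not faced anymore with` reads better as `is no longer faced with`.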
......@@ -3,10 +3,10 @@
\begin{tabular}{rrp{.6\textwidth}}
\toprule
Review recommendation & 1.& Reject \\
Writing quality & 2.& Needs improvement \\
Reviewer interest & 1.& I am not interested in this paper \\
Reviewer expertise & 2.& Some familiarity \\
Review recommendation & 1. & Reject \\
Writing quality & 2. & Needs improvement \\
Reviewer interest & 1. & I am not interested in this paper \\
Reviewer expertise & 2. & Some familiarity \\
\bottomrule
\end{tabular}
......
......@@ -3,10 +3,10 @@
\begin{tabular}{rrp{.6\textwidth}}
\toprule
Review recommendation & 2.& Reject and resubmit \\
Writing quality & 2.& Needs improvement \\
Reviewer interest & 2.& I might go to a talk about this \\
Reviewer expertise & 3.& Knowledgeable \\
Review recommendation & 2. & Reject and resubmit \\
Writing quality & 2. & Needs improvement \\
Reviewer interest & 2. & I might go to a talk about this \\
Reviewer expertise & 3. & Knowledgeable \\
\bottomrule
\end{tabular}
......@@ -60,4 +60,6 @@ Security audience (e.g., walking step-by-step through proofs, with no text
explaining why this is important or interesting). I also find bits of the text
somewhat rushed (e.g., paragraph from RFC with no context).
\todo{Should add some reply here somewhere}
\begin{answer}
\todo{Should add some reply here somewhere}
\end{answer}
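Review bot: wrapping the `\todo` in an `answer` environment only changes where the placeholder appears; the reviewer's two points (proof walk-throughs with no motivation, and the RFC paragraph quoted without context) are still unanswered. The second point is already addressed in the other response file and in the paper source (`RFC 7748 describes the calculations done in X25519 as follows:` now introduces the quote), so that can be stated here rather than left as a todo.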
......@@ -3,10 +3,10 @@
\begin{tabular}{rrp{.6\textwidth}}
\toprule
Review recommendation & 4.& Minor revision \\
Writing quality & 4.& Well-written \\
Reviewer interest & 2.& I might go to a talk about this \\
Reviewer expertise & 2.& Some familiarity \\
Review recommendation & 4. & Minor revision \\
Writing quality & 4. & Well-written \\
Reviewer interest & 2. & I might go to a talk about this \\
Reviewer expertise & 2. & Some familiarity \\
\bottomrule
\end{tabular}
......@@ -55,5 +55,7 @@ If the paper was proposing a new technique which could be applied more generally
\item Describe which parts of the contributions could possibly be applied more generally.
\end{itemize}
\begin{answer}
\todo{Should add some reply here somewhere}
\end{answer}
\todo{Should add some reply here somewhere}
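Review bot: this hunk moves the `\todo` out of the `answer` environment, leaving `\begin{answer}\end{answer}` empty, while the sibling review file does the opposite and keeps the todo inside the answer. Pick one convention (inside, so the placeholder is visibly part of the reply block) and replace it with an actual answer to the generality question before submission; an empty `answer` block will otherwise render as a blank reply.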
......@@ -242,7 +242,8 @@ the same time.
\subsection{Number representation and C implementation}
\label{subsec:num-repr-rfc}
As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf} are represented
As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf}
(typedef of an array of 16 \TNaCle{long long}) are represented
in $2^{16}$ and we use a direct mapping to represent that array as a list
integers in Coq. However, in order to show the correctness of the basic operations,
we need to convert this number to an integer.
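Review bot: `are represented in $2^{16}$` is missing the word radix (`are represented in radix $2^{16}$`), and `a list integers` is missing `of` (`a list of integers`). The new parenthetical is a useful addition; `(typedef of an array of 16 \TNaCle{long long})` reads better as `(a typedef for an array of 16 \TNaCle{long long})`.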
......@@ -296,33 +297,28 @@ Lemma M_bound_Zlength :
\end{lstlisting}
Using reflection (chapter 15 in \cite{CpdtJFR}), we prove
the functional correctness of the multiplicative inverse over \Zfield.
\begin{lemma}
\label{cor:inv_comput_field}
\Coqe{Inv25519} computes an inverse in \Zfield.
\end{lemma}
This statement is formalized as
\begin{lstlisting}[language=Coq]
Corollary Inv25519_Zpow_GF : forall (g:list Z),
length g = 16 ->
Z16.lst (Inv25519 g) :GF =
(pow (Z16.lst g) (2^255-21)) :GF.
\end{lstlisting}
% We prove the functional correctness of the multiplicative inverse over \Zfield,
% formalized as
% \begin{lstlisting}[language=Coq]
% Corollary Inv25519_Zpow_GF : forall (g:list Z),
% length g = 16 ->
% Z16.lst (Inv25519 g) :GF =
% (pow (Z16.lst g) (2^255-21)) :GF.
% \end{lstlisting}
\begin{sloppypar}
By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};
\coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519};
\coqe{montgomery_rec}, we defined in Coq \coqe{Crypto_Scalarmult} and with VST
proved it matches the exact behavior of X25519 in TweetNaCl.
By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};
\coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519};
\coqe{montgomery_rec}, we defined in Coq \coqe{Crypto_Scalarmult} and with VST
proved it matches the exact behavior of X25519 in TweetNaCl.
\end{sloppypar}
\begin{sloppypar}
By proving that each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq};
\coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519};
\coqe{Inv25519}; \coqe{car25519} behave over \coqe{list Z} as their equivalent
over \coqe{Z} with \coqe{:GF} (in \Zfield), we prove that given the same inputs
\coqe{Crypto_Scalarmult} performs the same computation as \coqe{RFC}.
By proving that each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq};
\coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519};
\coqe{Inv25519}; \coqe{car25519} behave over \coqe{list Z} as their equivalent
over \coqe{Z} with \coqe{:GF} (in \Zfield), we prove that given the same inputs
\coqe{Crypto_Scalarmult} performs the same computation as \coqe{RFC}.
\end{sloppypar}
% This is formalized as follows in Coq:
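Review bot: commenting out the lemma also comments out `\label{cor:inv_comput_field}`, so any remaining `\ref{cor:inv_comput_field}` in the paper will now render as `??`; grep for it. Commenting out rather than deleting leaves dead text in the source: if the `Inv25519_Zpow_GF` corollary is gone for good, delete it (the exponent $2^{255}-21$, i.e. $p-2$, is the one detail a reader might still want, so consider keeping that in prose). The two `sloppypar` paragraphs appear as both removed and re-added with identical text, which suggests a whitespace-only change that inflates the diff. Dropping the `Using reflection` sentence is consistent with the response saying the reflection mention was removed, but check that `\cite{CpdtJFR}` is still cited somewhere.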
......
......@@ -94,6 +94,7 @@ Later in our proof we use a simpler description of the ladder
(\coqe{montgomery_rec}) which follows strictly \aref{alg:montgomery-ladder}
and prove those ladder equivalent.
RFC 7748 describes the calculations done in X25519 as follows:
\emph{``To implement the X25519(k, u) [...] functions (where k is
the scalar and u is the u-coordinate), first decode k and u and then
perform the following procedure, which is taken from [curve25519] and
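Review bot: the introduction sentence resolves the reviewer's complaint about an unannounced quote; while editing this spot, `and prove those ladder equivalent` in the context line just above should read `and prove those ladders equivalent`.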
......