Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
Benoit Viguier
coqveriftweetnacl
Commits
6fb70d4c
Commit
6fb70d4c
authored
Aug 14, 2019
by
Benoit Viguier
Browse files
low level finished (hopefully)
parent
5270d4e3
Changes
8
Hide whitespace changes
Inline
Sidebyside
paper/tweetnacl.tex
→
paper/
code
tweetnacl.tex
View file @
6fb70d4c
File moved
paper/coq.tex
View file @
6fb70d4c
~
\\
~
\\
~
\\
\subsection
{
Coq definitions
}
\label
{
appendix:coq
}
\subsubsection
{
Montgomery Ladder
}
\label
{
subsubsec:coqladder
}
~
Generic definition of the ladder:
\begin{lstlisting}
[language=Coq]
...
...
@@ 77,9 +80,123 @@ match t with
end.
\end{lstlisting}
\subsubsection
{
ZCrypto
\_
Scalarmult
}
\label
{
subsubsec:ZCryptoScalarmult
}
~
Instanciation of the Class
\Coqe
{
Ops
}
with operations over
\Z
and modulo
\p
.
\begin{lstlisting}
[language=Coq]
Definition modP (x:Z) : Z :=
Z.modulo x (Z.pow 2 255  19).
(* Encapsulate in a module. *)
Module Mid.
(* shift to the right by n bits *)
Definition getCarry (n:Z) (m:Z) : Z :=
Z.shiftr m n.
(* logical and with n ones *)
Definition getResidue (n:Z) (m:Z) : Z :=
Z.land n (Z.ones n).
Definition car25519 (n:Z) : Z :=
38 * getCarry 256 n + getResidue 256 n.
(* The carry operation is invariant under modulo *)
Lemma Zcar25519
_
correct:
forall (n:Z), n:GF = (Mid.car25519 n) :GF.
(* Define Mid.A, Mid.M ... *)
Definition A a b := Z.add a b.
Definition M a b :=
car25519 (car25519 (Z.mul a b)).
Definition Zub a b := Z.sub a b.
Definition Sq a := M a a.
Definition C
_
0 := 0.
Definition C
_
1 := 1.
Definition C
_
121665 := 121665.
Definition Sel25519 (b p q:Z) :=
if (Z.eqb b 0) then p else q.
Definition getbit (i:Z) (a: Z) :=
if (Z.ltb a 0) then
0
else if (Z.ltb i 0) then
Z.land a 1
else
Z.land (Z.shiftr a i) 1.
End Mid.
(* Packing is applying a modulo p *)
Definition ZPack25519 n :=
Z.modulo n (Z.pow 2 255  19).
(* And with 255 ones *)
(* unset last 3 bits *)
(* set bit 254 *)
Definition Zclamp (n : Z) : Z :=
(Z.lor
(Z.land n (Z.land (Z.ones 255) (8)))
(Z.shiftl 64 (31 * 8))).
(* x
^{
p  2
}
*)
Definition ZInv25519 (x:Z) : Z :=
Z.pow x (Z.pow 2 255  21).
(* instanciate over Z *)
Instance Z
_
Ops : (Ops Z Z modP) :=
{}
.
Proof.
apply Mid.A. (* instanciate + *)
apply Mid.M. (* instanciate * *)
apply Mid.Zub. (* instanciate  *)
apply Mid.Sq. (* instanciate x
^
2 *)
apply Mid.C
_
0. (* instanciate Const 0 *)
apply Mid.C
_
1. (* instanciate Const 1 *)
apply Mid.C
_
121665. (* instanciate (a2)/4 *)
apply Mid.Sel25519. (* instanciate CSWAP *)
apply Mid.getbit. (* instanciate ith bit *)
Defined.
(* instanciate montgomery
_
rec with Z
_
Ops *)
Definition ZCrypto
_
Scalarmult n p :=
let t := montgomery
_
rec
255 (* iterate 255 times *)
(Zclamp n) (* clamped n *)
1 (* x
_
2 *)
(ZUnpack25519 p) (* x
_
3 *)
0 (* z
_
2 *)
1 (* z
_
3 *)
0 (* dummy *)
0 (* dummy *)
(ZUnpack25519 p) (* x
_
1 *) in
let a := get
_
a t in
let c := get
_
c t in
ZPack25519 (Z.mul a (ZInv25519 c)).
\end{lstlisting}
\subsubsection
{
CSM
}
\label
{
subsubsec:CryptoScalarmult
}
~
\begin{lstlisting}
[language=Coq]
Definition Crypto
_
Scalarmult n p :=
let t := montgomery
_
rec
255 (* iterate 255 times *)
(clamp n) (* clamped n *)
Low.C
_
1 (* x
_
2 *)
(Unpack25519 p) (* x
_
3 *)
Low.C
_
0 (* z
_
2 *)
Low.C
_
1 (* z
_
3 *)
Low.C
_
0 (* dummy *)
Low.C
_
0 (* dummy *)
(Unpack25519 p) (* x
_
1 *) in
let a := get
_
a t in
let c := get
_
c t in
Pack25519 (Low.M a (Inv25519 c)).
Definition CSM := Crypto
_
Scalarmult.
\end{lstlisting}
\subsubsection
{
Equivalence between For Loops
}
\label
{
subsubsec:for
}
~
\begin{lstlisting}
[language=Coq]
Variable T: Type.
Variable g: nat > T > T.
...
...
paper/files.tex
0 → 100644
View file @
6fb70d4c
\subsection
{
Content of the proof files
}
\label
{
appendix:prooffiles
}
We provide below the location of the most important definitions and lemmas of our proofs.
\subsubsection
{
Definitions
}
~
\begin{table}
[h]
\begin{tabular}
{
l  l  l
}
Definition
&
File
&
Description
\\
\hline
% \coqe{} & \texttt{} & \\
\end{tabular}
\end{table}
\subsubsection
{
Lemmas and Theorems
}
~
\begin{table}
[h]
\begin{tabular}
{
l  l  l
}
Definition
&
File
&
Description
\\
\hline
\end{tabular}
\end{table}
% \subsection{Files}
%
% \begin{table}
% \begin{tabular}{ l  l }
% File & Content \\
% \hline
% \texttt{Gen/ABCDEF\_eq.v} & ... \\
% \texttt{Gen/ABCDEF.v} & ... \\
% \texttt{Gen/abstract\_fn\_rev\_abcdef.v} & ... \\
% \texttt{Gen/abstract\_fn\_rev\_eq.v} & ... \\
% \texttt{Gen/abstract\_fn\_rev.v} & ... \\
% \texttt{Gen/abstract\_rec\_rev\_abcdef.v} & ... \\
% \texttt{Gen/abstract\_rec\_rev\_eq.v} & ... \\
% \texttt{Gen/abstract\_rec\_rev.v} & ... \\
% \texttt{Gen/abstract\_rec.v} & ... \\
% \texttt{Gen/AMZubSqSel\_List.v} & ... \\
% \texttt{Gen/AMZubSqSel\_Prop.v} & ... \\
% \texttt{Gen/AMZubSqSel.v} & ... \\
% \texttt{Gen/Get\_abcdef.v} & ... \\
% \texttt{Gen/montgomery\_rec\_eq.v} & ... \\
% \texttt{Gen/montgomery\_rec.v} & ... \\
% \texttt{Gen/montgomery\_step\_gen.v} & ... \\
% \texttt{Gen/rec\_f\_extr.v} & ... \\
% \texttt{Gen/step\_gen.v} & ... \\
% \texttt{High/curve25519\_Fp2.v} & ... \\
% \texttt{High/curve25519\_Fp\_incl\_Fp2.v} & ... \\
% \texttt{High/curve25519\_Fp\_twist25519\_Fp\_eq.v} & ... \\
% \texttt{High/curve25519\_Fp.v} & ... \\
% \texttt{High/curve25519\_twist25519\_Fp\_incl\_Fp2.v} & ... \\
% \texttt{High/fermat.v} & ... \\
% \texttt{High/GRing\_tools.v} & ... \\
% \texttt{High/ladder.v} & ... \\
% \texttt{High/mcgroup.v} & ... \\
% \texttt{High/mc.v} & ... \\
% \texttt{High/montgomery.v} & ... \\
% \texttt{High/opt\_ladder\_extr.v} & ... \\
% \texttt{High/opt\_ladder.v} & ... \\
% \texttt{High/prime\_and\_legendre.v} & ... \\
% \texttt{High/prime\_cert.v} & ... \\
% \texttt{High/prime\_ssrprime.v} & ... \\
% \texttt{High/twist25519\_Fp\_incl\_Fp2.v} & ... \\
% \texttt{High/twist25519\_Fp.v} & ... \\
% \texttt{High/Zmodp2\_rules.v} & ... \\
% \texttt{High/Zmodp2.v} & ... \\
% \texttt{High/Zmodp\_Ring.v} & ... \\
% \texttt{High/Zmodp.v} & ... \\
% \texttt{Libs/Bound\_Decidable.v} & ... \\
% \texttt{Libs/Decidable.v} & ... \\
% \texttt{Libs/Export.v} & ... \\
% \texttt{Libs/Expr\_Decidable.v} & ... \\
% \texttt{Libs/Forall\_extended.v} & ... \\
% \texttt{Libs/Formula\_Decidable.v} & ... \\
% \texttt{Libs/Fun\_Decidable.v} & ... \\
% \texttt{Libs/HeadTailRec.v} & ... \\
% \texttt{Libs/LibTactics\_Rennes.v} & ... \\
% \texttt{Libs/LibTactics\_SF.v} & ... \\
% \texttt{Libs/LibTactics.v} & ... \\
% \texttt{Libs/List\_Decidable.v} & ... \\
% \texttt{Libs/List\_ext\_Decidable.v} & ... \\
% \texttt{Libs/List\_Ltac.v} & ... \\
% \texttt{Libs/Lists\_extended.v} & ... \\
% \texttt{Libs/Logic\_extended.v} & ... \\
% \texttt{Libs/Relations.v} & ... \\
% \texttt{Libs/Term\_Decidable.v} & ... \\
% \texttt{Libs/ZArith\_extended.v} & ... \\
% \texttt{ListsOp/Export.v} & ... \\
% \texttt{ListsOp/Forall\_ZofList.v} & ... \\
% \texttt{ListsOp/Forall\_ZopList.v} & ... \\
% \texttt{ListsOp/LogicalList.v} & ... \\
% \texttt{ListsOp/Zipp.v} & ... \\
% \texttt{ListsOp/ZofList.v} & ... \\
% \texttt{ListsOp/ZunopList.v} & ... \\
% \texttt{Low/AMZubSqSel\_Correct.v} & ... \\
% \texttt{Low/A.v} & ... \\
% \texttt{Low/BackCarry.v} & ... \\
% \texttt{Low/Binary\_select.v} & ... \\
% \texttt{Low/Car25519\_bounds.v} & ... \\
% \texttt{Low/Car25519.v} & ... \\
% \texttt{Low/Carry\_n.v} & ... \\
% \texttt{Low/Carry.v} & ... \\
% \texttt{Low/Constant.v} & ... \\
% \texttt{Low/Crypto\_Scalarmult\_lemmas\_List\_List16.v} & ... \\
% \texttt{Low/Crypto\_Scalarmult\_lemmas.v} & ... \\
% \texttt{Low/Crypto\_Scalarmult\_lemmas\_Z\_List16.v} & ... \\
% \texttt{Low/Crypto\_Scalarmult.v} & ... \\
% \texttt{Low/Crypto\_Scalarmult\_.v} & ... \\
% \texttt{Low/Export.v} & ... \\
% \texttt{Low/Get\_abcdef.v} & ... \\
% \texttt{Low/GetBit\_pack25519.v} & ... \\
% \texttt{Low/GetBit.v} & ... \\
% \texttt{Low/Inner\_M1.v} & ... \\
% \texttt{Low/Inv25519\_gen.v} & ... \\
% \texttt{Low/Inv25519.v} & ... \\
% \texttt{Low/List16.v} & ... \\
% \texttt{Low/M\_low\_level\_compute.v} & ... \\
% \texttt{Low/M.v} & ... \\
% \texttt{Low/Outer\_M1.v} & ... \\
% \texttt{Low/Pack25519.v} & ... \\
% \texttt{Low/Pack.v} & ... \\
% \texttt{Low/Prep\_n.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_aux.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose\_1b.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose\_1.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose\_2b.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose\_2.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose\_step.v} & ... \\
% \texttt{Low/Reduce\_by\_P\_compose.v} & ... \\
% \texttt{Low/Reduce\_by\_P.v} & ... \\
% \texttt{Low/ScalarMult\_gen\_small.v} & ... \\
% \texttt{Low/ScalarMult\_rev\_fn\_gen.v} & ... \\
% \texttt{Low/ScalarMult\_rev.v} & ... \\
% \texttt{Low/Sel25519.v} & ... \\
% \texttt{Low/S.v} & ... \\
% \texttt{Low/Unpack25519.v} & ... \\
% \texttt{Low/Z.v} & ... \\
% \texttt{Mid/AMZubSqSel.v} & ... \\
% \texttt{Mid/Car25519.v} & ... \\
% \texttt{Mid/Crypto\_Scalarmult\_Fp.v} & ... \\
% \texttt{Mid/Crypto\_Scalarmult\_Mod.v} & ... \\
% \texttt{Mid/Crypto\_Scalarmult.v} & ... \\
% \texttt{Mid/Export.v} & ... \\
% \texttt{Mid/GetBit\_bitn.v} & ... \\
% \texttt{Mid/GetBit.v} & ... \\
% \texttt{Mid/Instances.v} & ... \\
% \texttt{Mid/Inv25519.v} & ... \\
% \texttt{Mid/MinusList.v} & ... \\
% \texttt{Mid/M\_low\_level.v} & ... \\
% \texttt{Mid/Mod.v} & ... \\
% \texttt{Mid/M.v} & ... \\
% \texttt{Mid/Pack25519.v} & ... \\
% \texttt{Mid/Prep\_n.v} & ... \\
% \texttt{Mid/Reduce.v} & ... \\
% \texttt{Mid/ScalMult.v} & ... \\
% \texttt{Mid/SubList.v} & ... \\
% \texttt{Mid/SumList.v} & ... \\
% \texttt{Mid/Unpack25519.v} & ... \\
% \texttt{Mid/ZCarry.v} & ... \\
% \end{tabular}
% \end{table}
%
% \begin{table}
% \begin{tabular}{ l  l }
% File & Content \\
% \hline
% \texttt{c/tweetnaclVerifiableC.v} & \\
% \texttt{init/init\_tweetnacl.v} & \\
% \texttt{init/missing\_lemmae.v} & \\
% \texttt{proofs/split\_array\_lemmas.v} & \\
% \texttt{proofs/verif\_A.v} & \\
% \texttt{proofs/verif\_car25519\_compute.v} & \\
% \texttt{proofs/verif\_car25519.v} & \\
% \texttt{proofs/verif\_crypto\_scalarmult\_lemmas.v} & \\
% \texttt{proofs/verif\_crypto\_scalarmult.v} & \\
% \texttt{proofs/verif\_inv25519.v} & \\
% \texttt{proofs/verif\_M\_compute\_pre.v} & \\
% \texttt{proofs/verif\_M\_compute.v} & \\
% \texttt{proofs/verif\_M\_lemmas.v} & \\
% \texttt{proofs/verif\_M.v} & \\
% \texttt{proofs/verif\_pack25519\_lemmas.v} & \\
% \texttt{proofs/verif\_pack25519.v} & \\
% \texttt{proofs/verif\_sel25519.v} & \\
% \texttt{proofs/verif\_set25519.v} & \\
% \texttt{proofs/verif\_S.v} & \\
% \texttt{proofs/verif\_unpack25519.v} & \\
% \texttt{proofs/verif\_Z.v} & \\
% \texttt{spec/spec\_A.v} & \\
% \texttt{spec/spec\_car25519.v} & \\
% \texttt{spec/spec\_crypto\_scalarmult.v} & \\
% \texttt{spec/spec\_inv25519.v} & \\
% \texttt{spec/spec\_M.v} & \\
% \texttt{spec/spec\_pack25519.v} & \\
% \texttt{spec/spec\_sel25519.v} & \\
% \texttt{spec/spec\_set25519.v} & \\
% \texttt{spec/spec\_S.v} & \\
% \texttt{spec/spec\_unpack25519.v} & \\
% \texttt{spec/spec\_Z.v} & \\
% \end{tabular}
% \end{table}
paper/highlevel.tex
View file @
6fb70d4c
...
...
@@ 205,7 +205,7 @@ With those coordinates we prove the following lemmas for the addition of two poi
such that
$
\chi
_
0
(
\Oinf
)
=
0
$
and
$
\chi
_
0
((
x,y
))
=
x
$
.
\end{dfn}
\begin{lemma}
\label
{
lemma

add
}
\label
{
lemma
:
add
}
Let
$
M
_{
a,b
}
(
\K
)
$
be a Montgomery curve such that
$
a
^
2

4
$
is not a square, and
let
$
X
_
1
, Z
_
1
, X
_
2
, Z
_
2
, X
_
3
, Z
_
3
\in
\K
$
, such that
$
(
X
_
1
,Z
_
1
)
\neq
(
0
,
0
)
$
,
$
(
X
_
2
,Z
_
2
)
\neq
(
0
,
0
)
$
,
$
X
_
4
\neq
0
$
and
$
Z
_
4
\neq
0
$
.
Define
...
...
@@ 250,7 +250,7 @@ then for any point $P_1$ and $P_2$ on $M_{a,b}(\K)$ such that $X_1/Z_1 = \chi(P_
With those coordinates we also prove a similar lemma for point doubling.
\begin{lemma}
\label
{
lemma

double
}
\label
{
lemma
:
double
}
Let
$
M
_{
a,b
}
(
\K
)
$
be a Montgomery curve such that
$
a
^
2

4
$
is not a square, and
let
$
X
_
1
, Z
_
1
, X
_
2
, Z
_
2
, X
_
3
, Z
_
3
\in
\K
$
, such that
$
(
X
_
1
,Z
_
1
)
\neq
(
0
,
0
)
$
. Define
\begin{align*}
...
...
@@ 274,7 +274,7 @@ we have $X_3/Z_3 = \chi(2P_1)$.
% (p \+ p)#x = inf_div x3 z3.
% \end{lstlisting}
With these two lemmas (
\ref
{
lemma

add
}
and
\ref
{
lemma

double
}
), we have the basic
With these two lemmas (
\ref
{
lemma
:
add
}
and
\ref
{
lemma
:
double
}
), we have the basic
tools to compute efficiently additions and point doubling on projective coordinates.
\subsubsection
{
Scalar Multiplication Algorithms
}
...
...
@@ 292,12 +292,12 @@ it provides slightly more computations and an extra variable, we can prevent suc
See
\aref
{
alg:montgomeryladder
}
.
\begin{lemma}
\label
{
lemma

montgomeryladder
}
\label
{
lemma
:
montgomeryladder
}
\aref
{
alg:montgomeryladder
}
is correct,
\ie
it respects its output conditions given the input conditions.
\end{lemma}
In Curve25519 we are only interested in the
$
x
$
coordinate of points, using
Lemmas
\ref
{
lemma

add
}
and
\ref
{
lemma

double
}
, and replacing the if statements
Lemmas
\ref
{
lemma
:
add
}
and
\ref
{
lemma
:
double
}
, and replacing the if statements
with conditional swapping we can define a ladder similar to the one used in TweetNaCl.
See
\aref
{
alg:montgomerydoubleadd
}
...
...
@@ 340,14 +340,14 @@ See \aref{alg:montgomerydoubleadd}
\end{algorithm}
\begin{lemma}
\label
{
lemma

montgomerydoubleadd
}
\label
{
lemma
:
montgomerydoubleadd
}
\aref
{
alg:montgomerydoubleadd
}
is correct,
\ie
it respects its output
conditions given the input conditions.
\end{lemma}
%% here we have \chi and \chi_0 ...
We formalized this lemma (
\ref
{
lemma

montgomerydoubleadd
}
):
We formalized this lemma (
\ref
{
lemma
:
montgomerydoubleadd
}
):
\begin{lstlisting}
[language=Coq]
Lemma opt
_
montgomery
_
x :
forall (n m : nat) (x : K),
...
...
@@ 365,7 +365,7 @@ Also \Oinf\ is the neutral element over $M_{a,b}(\K)$, we have:
$$
\forall
P, P
+
\Oinf\
=
P
$$
thus we derive the following lemma.
% \begin{lemma}
% \label{lemma

montgomerydoubleadd}
% \label{lemma
:
montgomerydoubleadd}
% Algorithm \ref{montgomerydoubleadd} is correct even if $x=0$, \ie it respects its output conditions given the input conditions or $x=0$.
% \end{lemma}
\begin{lstlisting}
[language=Coq]
...
...
paper/lowlevel.tex
View file @
6fb70d4c
...
...
@@ 14,10 +14,11 @@ Our functional specification in Coq matches the specifications of RFC~7748~\cite
\end{theorem}
We first describe the global structure of our proof (
\ref
{
subsec:proofstructure
}
).
Then we introduce our specification
(
\ref
{}
)
, we specify the Hoare triple and prove it
Then we introduce our specification, we specify the Hoare triple and prove it
correct with VST (
\tref
{
thm:VST
}
).
Then we discuss techniques used to prove equivalence of operations between
different number representations (
\ref
{}
), proving the equivalence with the RFC (
\tref
{
thm:RFC
}
).
different number representations,
proving the equivalence with the RFC (
\tref
{
thm:RFC
}
).
...
...
@@ 93,7 +94,7 @@ This guarantees us the correctness of the implementation.
TweetNaCl implements X25519 with numbers represented as arrays.
RFC~7748 defines X25519 over field elements. In order to simplify our proofs,
we define
generic
operations used in the ladder over generic types
we define operations used in the ladder over generic types
\coqe
{
T
}
and
\coqe
{
T'
}
. Those types are later instanciated as natural number,
integers, field elements, list of integers...
The generic definition of the ladder (
\coqe
{
montgomery
_
rec
}
) and its match with
...
...
@@ 104,17 +105,38 @@ of \texttt{CSWAP}:
original paper. Implementations are free to use any correct formulas.''
}
~
\cite
{
rfc7748
}
.
We later prove our lader correct in that respect (
\sref
{
sec:maths
}
).
\coqe
{
montgomery
_
rec
}
only computes the ladder steps, we define
\coqe
{
montgomery
_
rec
}
only computes the ladder steps.
While the inversion; the packing; the unpacking (setting bit 255 to
\texttt
{
0
}
)
and clamping are not defined in a generic manner, we show their equivalence
between the different representations.
\todo
{
more stuff on list, and numbers, add code into appendix.
}
Appendix~
\ref
{
subsubsec:ZCryptoScalarmult
}
show the instantiation of our ladder
over Intergers (type
\coqe
{
Z
}
). We call it
\coqe
{
ZCrypto
_
Scalarmult
}
.
The modulo reduction is applied in
\coqe
{
ZPack25519
}
translating every
underlying operations as over
\Zfield
. As a result this specification can be
interpreted as the formalization of X25519 in RFC~7748.
In appendix~
\ref
{
subsubsec:CryptoScalarmult
}
, we show the the formalization of
\TNaCle
{
crypto
_
scalarmult
}
over lists of integers. We define it as
\Coqe
{
Crypto
_
Scalarmult
}
or
\Coqe
{
CSM
}
. For the sake of space and simplicity we
do not display the definitions of each underlying functions.
The location of the definitions are listed in Appendix~
\ref
{
appendix:prooffiles
}
.
\subsection
{
With the Verifiable Software Toolchain
}
\label
{
subsec:withVST
}
We now turn our focus to the specification of the Hoare triple with our
specifications of
\TNaCle
{
crypto
_
scalarmult
}
over list of integers and proving
its correctness.
\subheading
{
Specifications.
}
We show the soundness of TweetNaCl by proving the following specification matches a pure Coq function.
% why "pure" ?
This defines the equivalence between the Clight representation and a Coq definition of the ladder.
We show the soundness of TweetNaCl by proving the following specification matches
a pure Coq function.
% why "pure" ?
% A pure function is a function where the return value is only determined by its
% input values, without observable side effects (Side effect are e.g. printing)
This defines the equivalence between the Clight representation and our Coq
definition of the ladder (
\coqe
{
CSM
}
).
\begin{lstlisting}
[language=CoqVST]
Definition crypto
_
scalarmult
_
spec :=
...
...
@@ 187,30 +209,33 @@ As Postcondition we have:
This specification shows that
\TNaCle
{
crypto
_
scalarmult
}
in C computes the same
result as
\VSTe
{
CSM
}
in Coq provided that inputs are within their respective
bounds: arrays of 32 bytes.
The location of the proof of this Hoare triple can be found in Appendix~
\ref
{
appendix:prooffiles
}
.
The Verifiable Software Toolchain uses a strongest postcondition strategy.
The user must first write a formal specification of the function he wants to verify in Coq.
This should be as close as possible to the C implementation behavior.
This will simplify the proof and help with stepping through the CLight version of the software.
With the range of inputs defined, VST mechanically steps through each instruction
and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows.
We call this specification a low level specification. A user will then have an easier
time to prove that his low level specification matches a simpler higher level one.
In order to further speedup the verification process, it has to be know that to
prove the specification
\TNaCle
{
crypto
_
scalarmult
}
, a user only need the specification of e.g.
\TNaCle
{
M
}
.
This provide with multiple advantages: the verification by the Coq kernel can be done
in parallel and multiple users can work on proving different functions at the same time.
For the sake of completeness we proved all intermediate functions.
% We now bring the attention of the reader to details of verifications using the VST.
\subheading
{
Memory aliasing.
}
VST implementation of separation logic is similar to a consumerproducer problem.
A simple specification of
\texttt
{
M(o,a,b)
}
will assume three distinct memory share.
When called with three memory share (
\texttt
{
o, a, b
}
), the three of them will be consumed.
However assuming this naive specification when
\texttt
{
M(o,a,a)
}
is called (squaring),
the first two memory shares (
\texttt
{
o, a
}
) are consumed and VST will expect a third
memory share where the last
\texttt
{
a
}
is pointing at which does not
\textit
{
exist
}
anymore.
%% BLABLA about VST. Does not belong here.
% The Verifiable Software Toolchain uses a strongest postcondition strategy.
% The user must first write a formal specification of the function he wants to verify in Coq.
% This should be as close as possible to the C implementation behavior.
% This will simplify the proof and help with stepping through the CLight version of the software.
% With the range of inputs defined, VST mechanically steps through each instruction
% and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows.
% We call this specification a low level specification. A user will then have an easier
% time to prove that his low level specification matches a simpler higher level one.
% In order to further speedup the verification process, it has to be know that to
% prove the specification \TNaCle{crypto_scalarmult}, a user only need the specification of e.g. \TNaCle{M}.
% This provide with multiple advantages: the verification by the Coq kernel can be done
% in parallel and multiple users can work on proving different functions at the same time.
% For the sake of completeness we proved all intermediate functions.
\subheading
{
Memory aliasing.
}
In the VST, a simple specification of
\texttt
{
M(o,a,b)
}
will assume three
distinct memory share. When called with three memory share (
\texttt
{
o, a, b
}
),
the three of them will be consumed. However assuming this naive specification
when
\texttt
{
M(o,a,a)
}
is called (squaring), the first two memory shares (
\texttt
{
o, a
}
)
are consumed and VST will expect a third memory share (
\texttt
{
a
}
) which does not
\textit
{
exist
}
anymore.
Examples of such cases are illustrated in
\fref
{
tikz:MemSame
}
.
\begin{figure}
[h]
\centering
...
...
@@ 219,10 +244,10 @@ Examples of such cases are illustrated in \fref{tikz:MemSame}.
\label
{
tikz:MemSame
}
\end{figure}
A
single
function must either have multiple specifications or specify which
aliasing se
t up
is being used.
The first option would require us to prove
specification
s multiple times for a same function.
We chose the second approach:
for functions with 3 arguments, named here
after
\texttt
{
o, a, b
}
,
A
s a result, a
function must either have multiple specifications or specify which
aliasing
ca
se is being used.
The first option would require us to do very similar proof
s multiple times for a same function.
We chose the second approach:
for functions with 3 arguments, named hereafter
\texttt
{
o, a, b
}
,
we define an additional parameter
$
k
$
with values in
$
\{
0
,
1
,
2
,
3
\}
$
:
\begin{itemize}
\item
if
$
k
=
0
$
then
\texttt
{
o
}
and
\texttt
{
a
}
are aliased.
...
...
@@ 230,9 +255,9 @@ we define an additional parameter $k$ with values in $\{0,1,2,3\}$:
\item
if
$
k
=
2
$
then
\texttt
{
a
}
and
\texttt
{
b
}
are aliased.
\item
else there is no aliasing.
\end{itemize}
In the proof of our specification, we
then
do a case analysis over
$
k
$
when needed.
This solution does not cover all cases (e.g. all arguments are aliased)
but it
is enough for our needs.
In the proof of our specification, we do a case analysis over
$
k
$
when needed.
This solution does not cover all cases (e.g. all arguments are aliased)
but it
is enough for our needs.
\subheading
{
Verifying
\texttt
{
for
}
loops.
}
Final state of
\texttt
{
for
}
loops are usually computed by simple recursive functions.
...
...
@@ 269,12 +294,7 @@ and without returns the same result.
We formalized this result in a generic way in Appendix~
\ref
{
subsubsec:for
}
.
Using this formalization, we prove that the 255 steps of the Montgomery ladder
in C provide the same computations are the one defined in
\aref
{
alg:montgomerydoubleadd
}
.
in C provide the same computations as in
\coqe
{
CSM
}
.
\subsection
{
Number Representation and C Implementation
}
...
...
@@ 282,10 +302,11 @@ As described in \sref{subsec:NumberTweetNaCl}, numbers in \TNaCle{gf} are repre
in base
$
2
^{
16
}$
and we use a direct mapping to represent that array as a list
integers in Coq. However in order to show the correctness of the basic operations,
we need to convert this number as a full integer.
\begin{definition}
Let
\Coqe
{
ZofList
}
:
$
\Z
\rightarrow
\texttt
{
list
}
\Z
\rightarrow
\Z
$
, a parameterized map by
$
n
$
between a list
$
l
$
and its
it's little endian representation with a radix
$
2
^
n
$
.
\end{definition}
\begin{dfn}
Let
\Coqe
{
ZofList
}
:
$
\Z
\rightarrow
\texttt
{
list
}
\Z
\rightarrow
\Z
$
,
a parameterized map by
$
n
$
between a list
$
l
$
and its little endian representation
with a radix
$
2
^
n
$
.
\end{dfn}
We define it in Coq as:
\begin{lstlisting}
[language=Coq]
Fixpoint ZofList
{
n:Z
}
(a:list Z) : Z :=
...
...
@@ 298,58 +319,83 @@ We define a notation where $n$ is $16$.
\begin{lstlisting}
[language=Coq]
Notation "Z16.lst A" := (ZofList 16 A).
\end{lstlisting}
We also define a notation to do the modulo, projecting any numbers
in
$
\Zfield
$
.
To facilitate working
in
\Zfield
, we define the
\coqe
{
:GF
}
notation
.
\begin{lstlisting}
[language=Coq]
Notation "A :GF" := (A mod (2
^
25519)).
\end{lstlisting}
% Remark that this representation is different from \Coqe{Zmodp}.
However the equivalence between operations over
$
\Zfield
$
and
$
\F
{
p
}$
is easily proven.
Later in
\sref
{
sec:maths
}
, we formally define
\F
{
\p
}
.
Equivalence between operations under
\coqe
{
:GF
}
and in
\F
{
\p
}
are easily proven.
Using these two definitions, we proved intermediates lemmas such as the correctness of the
multiplication
\Coqe
{
M
}
where
\Coqe
{
M
}
replicate the computations and steps done in C.
multiplication
\Coqe
{
Low.M
M
}
where
\Coqe
{
Low.
M
}
replicate the computations and steps done in C.
\begin{lemma}
For all list of integers
\texttt
{
a
}
and
\texttt
{
b
}
of length 16 representing
$
A
$
and
$
B
$
in
$
\Zfield
$
, the number represented in
$
\Zfield
$
by the list
\Coqe
{
(M a b)
}
is equal to
$
A
\times
B
\bmod
\p
$
.
\label
{
lemma:mult
_
correct
}
\Coqe
{
Low.M
}
implements correctly the multiplication over
\Zfield
.
\end{lemma}
And seen in Coq as follows:
\begin{Coq
}
\begin{
lstlisting}
[language=
Coq
]
Lemma mult
_
GF
_
Zlength :
forall (a:list Z) (b:list Z),
Zlength a = 16 >
Zlength b = 16 >
(Z16.lst (M a b)) :GF =
(Z16.lst (
Low.
M a b)) :GF =
(Z16.lst a * Z16.lst b) :GF.
\end{Coq}
\end{lstlisting}
However for our purpose, simple functional correctness is not enough.
We also need to define the bounds under which the operation is correct,
allowing us to chain them, guaranting us the absence of overflow.
\begin{lemma}
\label
{
lemma:mult
_
bounded
}
if all the values of the input arrays are constrained between
$

2
^{
26
}$
and
$
2
^{
26
}$
,
then the output of
\coqe
{
Low.M
}
will be constrained between
$

38
$
and
$
2
^{
16
}
+
38
$
.
\end{lemma}
And seen in Coq as follows:
\begin{lstlisting}
[language=Coq]
Lemma M
_
bound
_
Zlength :
forall (a:list Z) (b:list Z),
Zlength a = 16 >
Zlength b = 16 >
Forall (fun x => 2
^
26 < x < 2
^
26) a >
Forall (fun x => 2
^
26 < x < 2
^
26) b >
Forall (fun x => 38 <= x < 2
^
16 + 38) (Low.M a b).
\end{lstlisting}
\subsection
{
Inversions, Reflections and Packing
}
We now turn our attention to the inversion in
\Zfield
and techniques to
increase the verifications speed of complex formulas.