### low level finished (hopefully)

parent 5270d4e3
 ~\\ ~\\ ~\\ \subsection{Coq definitions} \label{appendix:coq} \subsubsection{Montgomery Ladder} \label{subsubsec:coq-ladder} ~ Generic definition of the ladder: \begin{lstlisting}[language=Coq] ... ... @@ -77,9 +80,123 @@ match t with end. \end{lstlisting} \subsubsection{ZCrypto\_Scalarmult} \label{subsubsec:ZCryptoScalarmult} ~ Instanciation of the Class \Coqe{Ops} with operations over \Z and modulo \p. \begin{lstlisting}[language=Coq] Definition modP (x:Z) : Z := Z.modulo x (Z.pow 2 255 - 19). (* Encapsulate in a module. *) Module Mid. (* shift to the right by n bits *) Definition getCarry (n:Z) (m:Z) : Z := Z.shiftr m n. (* logical and with n ones *) Definition getResidue (n:Z) (m:Z) : Z := Z.land n (Z.ones n). Definition car25519 (n:Z) : Z := 38 * getCarry 256 n + getResidue 256 n. (* The carry operation is invariant under modulo *) Lemma Zcar25519_correct: forall (n:Z), n:GF = (Mid.car25519 n) :GF. (* Define Mid.A, Mid.M ... *) Definition A a b := Z.add a b. Definition M a b := car25519 (car25519 (Z.mul a b)). Definition Zub a b := Z.sub a b. Definition Sq a := M a a. Definition C_0 := 0. Definition C_1 := 1. Definition C_121665 := 121665. Definition Sel25519 (b p q:Z) := if (Z.eqb b 0) then p else q. Definition getbit (i:Z) (a: Z) := if (Z.ltb a 0) then 0 else if (Z.ltb i 0) then Z.land a 1 else Z.land (Z.shiftr a i) 1. End Mid. (* Packing is applying a modulo p *) Definition ZPack25519 n := Z.modulo n (Z.pow 2 255 - 19). (* And with 255 ones *) (* unset last 3 bits *) (* set bit 254 *) Definition Zclamp (n : Z) : Z := (Z.lor (Z.land n (Z.land (Z.ones 255) (-8))) (Z.shiftl 64 (31 * 8))). (* x^{p - 2} *) Definition ZInv25519 (x:Z) : Z := Z.pow x (Z.pow 2 255 - 21). (* instanciate over Z *) Instance Z_Ops : (Ops Z Z modP) := {}. Proof. apply Mid.A. (* instanciate + *) apply Mid.M. (* instanciate * *) apply Mid.Zub. (* instanciate - *) apply Mid.Sq. (* instanciate x^2 *) apply Mid.C_0. (* instanciate Const 0 *) apply Mid.C_1. (* instanciate Const 1 *) apply Mid.C_121665. (* instanciate (a-2)/4 *) apply Mid.Sel25519. (* instanciate CSWAP *) apply Mid.getbit. (* instanciate ith bit *) Defined. (* instanciate montgomery_rec with Z_Ops *) Definition ZCrypto_Scalarmult n p := let t := montgomery_rec 255 (* iterate 255 times *) (Zclamp n) (* clamped n *) 1 (* x_2 *) (ZUnpack25519 p) (* x_3 *) 0 (* z_2 *) 1 (* z_3 *) 0 (* dummy *) 0 (* dummy *) (ZUnpack25519 p) (* x_1 *) in let a := get_a t in let c := get_c t in ZPack25519 (Z.mul a (ZInv25519 c)). \end{lstlisting} \subsubsection{CSM} \label{subsubsec:CryptoScalarmult} ~ \begin{lstlisting}[language=Coq] Definition Crypto_Scalarmult n p := let t := montgomery_rec 255 (* iterate 255 times *) (clamp n) (* clamped n *) Low.C_1 (* x_2 *) (Unpack25519 p) (* x_3 *) Low.C_0 (* z_2 *) Low.C_1 (* z_3 *) Low.C_0 (* dummy *) Low.C_0 (* dummy *) (Unpack25519 p) (* x_1 *) in let a := get_a t in let c := get_c t in Pack25519 (Low.M a (Inv25519 c)). Definition CSM := Crypto_Scalarmult. \end{lstlisting} \subsubsection{Equivalence between For Loops} \label{subsubsec:for} ~ \begin{lstlisting}[language=Coq] Variable T: Type. Variable g: nat -> T -> T. ... ...
paper/files.tex 0 → 100644
 \subsection{Content of the proof files} \label{appendix:proof-files} We provide below the location of the most important definitions and lemmas of our proofs. \subsubsection{Definitions} ~ \begin{table}[h] \begin{tabular}{ l | l | l } Definition & File & Description \\ \hline % \coqe{} & \texttt{} & \\ \end{tabular} \end{table} \subsubsection{Lemmas and Theorems} ~ \begin{table}[h] \begin{tabular}{ l | l | l } Definition & File & Description \\ \hline \end{tabular} \end{table} % \subsection{Files} % % \begin{table} % \begin{tabular}{ l | l } % File & Content \\ % \hline % \texttt{Gen/ABCDEF\_eq.v} & ... \\ % \texttt{Gen/ABCDEF.v} & ... \\ % \texttt{Gen/abstract\_fn\_rev\_abcdef.v} & ... \\ % \texttt{Gen/abstract\_fn\_rev\_eq.v} & ... \\ % \texttt{Gen/abstract\_fn\_rev.v} & ... \\ % \texttt{Gen/abstract\_rec\_rev\_abcdef.v} & ... \\ % \texttt{Gen/abstract\_rec\_rev\_eq.v} & ... \\ % \texttt{Gen/abstract\_rec\_rev.v} & ... \\ % \texttt{Gen/abstract\_rec.v} & ... \\ % \texttt{Gen/AMZubSqSel\_List.v} & ... \\ % \texttt{Gen/AMZubSqSel\_Prop.v} & ... \\ % \texttt{Gen/AMZubSqSel.v} & ... \\ % \texttt{Gen/Get\_abcdef.v} & ... \\ % \texttt{Gen/montgomery\_rec\_eq.v} & ... \\ % \texttt{Gen/montgomery\_rec.v} & ... \\ % \texttt{Gen/montgomery\_step\_gen.v} & ... \\ % \texttt{Gen/rec\_f\_extr.v} & ... \\ % \texttt{Gen/step\_gen.v} & ... \\ % \texttt{High/curve25519\_Fp2.v} & ... \\ % \texttt{High/curve25519\_Fp\_incl\_Fp2.v} & ... \\ % \texttt{High/curve25519\_Fp\_twist25519\_Fp\_eq.v} & ... \\ % \texttt{High/curve25519\_Fp.v} & ... \\ % \texttt{High/curve25519\_twist25519\_Fp\_incl\_Fp2.v} & ... \\ % \texttt{High/fermat.v} & ... \\ % \texttt{High/GRing\_tools.v} & ... \\ % \texttt{High/ladder.v} & ... \\ % \texttt{High/mcgroup.v} & ... \\ % \texttt{High/mc.v} & ... \\ % \texttt{High/montgomery.v} & ... \\ % \texttt{High/opt\_ladder\_extr.v} & ... \\ % \texttt{High/opt\_ladder.v} & ... \\ % \texttt{High/prime\_and\_legendre.v} & ... \\ % \texttt{High/prime\_cert.v} & ... \\ % \texttt{High/prime\_ssrprime.v} & ... \\ % \texttt{High/twist25519\_Fp\_incl\_Fp2.v} & ... \\ % \texttt{High/twist25519\_Fp.v} & ... \\ % \texttt{High/Zmodp2\_rules.v} & ... \\ % \texttt{High/Zmodp2.v} & ... \\ % \texttt{High/Zmodp\_Ring.v} & ... \\ % \texttt{High/Zmodp.v} & ... \\ % \texttt{Libs/Bound\_Decidable.v} & ... \\ % \texttt{Libs/Decidable.v} & ... \\ % \texttt{Libs/Export.v} & ... \\ % \texttt{Libs/Expr\_Decidable.v} & ... \\ % \texttt{Libs/Forall\_extended.v} & ... \\ % \texttt{Libs/Formula\_Decidable.v} & ... \\ % \texttt{Libs/Fun\_Decidable.v} & ... \\ % \texttt{Libs/HeadTailRec.v} & ... \\ % \texttt{Libs/LibTactics\_Rennes.v} & ... \\ % \texttt{Libs/LibTactics\_SF.v} & ... \\ % \texttt{Libs/LibTactics.v} & ... \\ % \texttt{Libs/List\_Decidable.v} & ... \\ % \texttt{Libs/List\_ext\_Decidable.v} & ... \\ % \texttt{Libs/List\_Ltac.v} & ... \\ % \texttt{Libs/Lists\_extended.v} & ... \\ % \texttt{Libs/Logic\_extended.v} & ... \\ % \texttt{Libs/Relations.v} & ... \\ % \texttt{Libs/Term\_Decidable.v} & ... \\ % \texttt{Libs/ZArith\_extended.v} & ... \\ % \texttt{ListsOp/Export.v} & ... \\ % \texttt{ListsOp/Forall\_ZofList.v} & ... \\ % \texttt{ListsOp/Forall\_ZopList.v} & ... \\ % \texttt{ListsOp/LogicalList.v} & ... \\ % \texttt{ListsOp/Zipp.v} & ... \\ % \texttt{ListsOp/ZofList.v} & ... \\ % \texttt{ListsOp/ZunopList.v} & ... \\ % \texttt{Low/AMZubSqSel\_Correct.v} & ... \\ % \texttt{Low/A.v} & ... \\ % \texttt{Low/BackCarry.v} & ... \\ % \texttt{Low/Binary\_select.v} & ... \\ % \texttt{Low/Car25519\_bounds.v} & ... \\ % \texttt{Low/Car25519.v} & ... \\ % \texttt{Low/Carry\_n.v} & ... \\ % \texttt{Low/Carry.v} & ... \\ % \texttt{Low/Constant.v} & ... \\ % \texttt{Low/Crypto\_Scalarmult\_lemmas\_List\_List16.v} & ... \\ % \texttt{Low/Crypto\_Scalarmult\_lemmas.v} & ... \\ % \texttt{Low/Crypto\_Scalarmult\_lemmas\_Z\_List16.v} & ... \\ % \texttt{Low/Crypto\_Scalarmult.v} & ... \\ % \texttt{Low/Crypto\_Scalarmult\_.v} & ... \\ % \texttt{Low/Export.v} & ... \\ % \texttt{Low/Get\_abcdef.v} & ... \\ % \texttt{Low/GetBit\_pack25519.v} & ... \\ % \texttt{Low/GetBit.v} & ... \\ % \texttt{Low/Inner\_M1.v} & ... \\ % \texttt{Low/Inv25519\_gen.v} & ... \\ % \texttt{Low/Inv25519.v} & ... \\ % \texttt{Low/List16.v} & ... \\ % \texttt{Low/M\_low\_level\_compute.v} & ... \\ % \texttt{Low/M.v} & ... \\ % \texttt{Low/Outer\_M1.v} & ... \\ % \texttt{Low/Pack25519.v} & ... \\ % \texttt{Low/Pack.v} & ... \\ % \texttt{Low/Prep\_n.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_aux.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose\_1b.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose\_1.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose\_2b.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose\_2.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose\_step.v} & ... \\ % \texttt{Low/Reduce\_by\_P\_compose.v} & ... \\ % \texttt{Low/Reduce\_by\_P.v} & ... \\ % \texttt{Low/ScalarMult\_gen\_small.v} & ... \\ % \texttt{Low/ScalarMult\_rev\_fn\_gen.v} & ... \\ % \texttt{Low/ScalarMult\_rev.v} & ... \\ % \texttt{Low/Sel25519.v} & ... \\ % \texttt{Low/S.v} & ... \\ % \texttt{Low/Unpack25519.v} & ... \\ % \texttt{Low/Z.v} & ... \\ % \texttt{Mid/AMZubSqSel.v} & ... \\ % \texttt{Mid/Car25519.v} & ... \\ % \texttt{Mid/Crypto\_Scalarmult\_Fp.v} & ... \\ % \texttt{Mid/Crypto\_Scalarmult\_Mod.v} & ... \\ % \texttt{Mid/Crypto\_Scalarmult.v} & ... \\ % \texttt{Mid/Export.v} & ... \\ % \texttt{Mid/GetBit\_bitn.v} & ... \\ % \texttt{Mid/GetBit.v} & ... \\ % \texttt{Mid/Instances.v} & ... \\ % \texttt{Mid/Inv25519.v} & ... \\ % \texttt{Mid/MinusList.v} & ... \\ % \texttt{Mid/M\_low\_level.v} & ... \\ % \texttt{Mid/Mod.v} & ... \\ % \texttt{Mid/M.v} & ... \\ % \texttt{Mid/Pack25519.v} & ... \\ % \texttt{Mid/Prep\_n.v} & ... \\ % \texttt{Mid/Reduce.v} & ... \\ % \texttt{Mid/ScalMult.v} & ... \\ % \texttt{Mid/SubList.v} & ... \\ % \texttt{Mid/SumList.v} & ... \\ % \texttt{Mid/Unpack25519.v} & ... \\ % \texttt{Mid/ZCarry.v} & ... \\ % \end{tabular} % \end{table} % % \begin{table} % \begin{tabular}{ l | l } % File & Content \\ % \hline % \texttt{c/tweetnaclVerifiableC.v} & \\ % \texttt{init/init\_tweetnacl.v} & \\ % \texttt{init/missing\_lemmae.v} & \\ % \texttt{proofs/split\_array\_lemmas.v} & \\ % \texttt{proofs/verif\_A.v} & \\ % \texttt{proofs/verif\_car25519\_compute.v} & \\ % \texttt{proofs/verif\_car25519.v} & \\ % \texttt{proofs/verif\_crypto\_scalarmult\_lemmas.v} & \\ % \texttt{proofs/verif\_crypto\_scalarmult.v} & \\ % \texttt{proofs/verif\_inv25519.v} & \\ % \texttt{proofs/verif\_M\_compute\_pre.v} & \\ % \texttt{proofs/verif\_M\_compute.v} & \\ % \texttt{proofs/verif\_M\_lemmas.v} & \\ % \texttt{proofs/verif\_M.v} & \\ % \texttt{proofs/verif\_pack25519\_lemmas.v} & \\ % \texttt{proofs/verif\_pack25519.v} & \\ % \texttt{proofs/verif\_sel25519.v} & \\ % \texttt{proofs/verif\_set25519.v} & \\ % \texttt{proofs/verif\_S.v} & \\ % \texttt{proofs/verif\_unpack25519.v} & \\ % \texttt{proofs/verif\_Z.v} & \\ % \texttt{spec/spec\_A.v} & \\ % \texttt{spec/spec\_car25519.v} & \\ % \texttt{spec/spec\_crypto\_scalarmult.v} & \\ % \texttt{spec/spec\_inv25519.v} & \\ % \texttt{spec/spec\_M.v} & \\ % \texttt{spec/spec\_pack25519.v} & \\ % \texttt{spec/spec\_sel25519.v} & \\ % \texttt{spec/spec\_set25519.v} & \\ % \texttt{spec/spec\_S.v} & \\ % \texttt{spec/spec\_unpack25519.v} & \\ % \texttt{spec/spec\_Z.v} & \\ % \end{tabular} % \end{table}
 ... ... @@ -205,7 +205,7 @@ With those coordinates we prove the following lemmas for the addition of two poi such that $\chi_0(\Oinf) = 0$ and $\chi_0((x,y)) = x$. \end{dfn} \begin{lemma} \label{lemma-add} \label{lemma:add} Let $M_{a,b}(\K)$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3 \in \K$, such that $(X_1,Z_1) \neq (0,0)$, $(X_2,Z_2) \neq (0,0)$, $X_4 \neq 0$ and $Z_4 \neq 0$. Define ... ... @@ -250,7 +250,7 @@ then for any point $P_1$ and $P_2$ on $M_{a,b}(\K)$ such that $X_1/Z_1 = \chi(P_ With those coordinates we also prove a similar lemma for point doubling. \begin{lemma} \label{lemma-double} \label{lemma:double} Let$M_{a,b}(\K)$be a Montgomery curve such that$a^2-4$is not a square, and let$X_1, Z_1, X_2, Z_2, X_3, Z_3 \in \K$, such that$(X_1,Z_1) \neq (0,0). Define \begin{align*} ... ... @@ -274,7 +274,7 @@ we haveX_3/Z_3 = \chi(2P_1)$. % (p \+ p)#x = inf_div x3 z3. % \end{lstlisting} With these two lemmas (\ref{lemma-add} and \ref{lemma-double}), we have the basic With these two lemmas (\ref{lemma:add} and \ref{lemma:double}), we have the basic tools to compute efficiently additions and point doubling on projective coordinates. \subsubsection{Scalar Multiplication Algorithms} ... ... @@ -292,12 +292,12 @@ it provides slightly more computations and an extra variable, we can prevent suc See \aref{alg:montgomery-ladder}. \begin{lemma} \label{lemma-montgomery-ladder} \label{lemma:montgomery-ladder} \aref{alg:montgomery-ladder} is correct, \ie it respects its output conditions given the input conditions. \end{lemma} In Curve25519 we are only interested in the$x$coordinate of points, using Lemmas \ref{lemma-add} and \ref{lemma-double}, and replacing the if statements Lemmas \ref{lemma:add} and \ref{lemma:double}, and replacing the if statements with conditional swapping we can define a ladder similar to the one used in TweetNaCl. See \aref{alg:montgomery-double-add} ... ... @@ -340,14 +340,14 @@ See \aref{alg:montgomery-double-add} \end{algorithm} \begin{lemma} \label{lemma-montgomery-double-add} \label{lemma:montgomery-double-add} \aref{alg:montgomery-double-add} is correct, \ie it respects its output conditions given the input conditions. \end{lemma} %% here we have \chi and \chi_0 ... We formalized this lemma (\ref{lemma-montgomery-double-add}): We formalized this lemma (\ref{lemma:montgomery-double-add}): \begin{lstlisting}[language=Coq] Lemma opt_montgomery_x : forall (n m : nat) (x : K), ... ... @@ -365,7 +365,7 @@ Also \Oinf\ is the neutral element over$M_{a,b}(\K)$, we have: $$\forall P, P + \Oinf\ = P$$ thus we derive the following lemma. % \begin{lemma} % \label{lemma-montgomery-double-add} % \label{lemma:montgomery-double-add} % Algorithm \ref{montgomery-double-add} is correct even if$x=0$, \ie it respects its output conditions given the input conditions or$x=0$. % \end{lemma} \begin{lstlisting}[language=Coq] ... ...  ... ... @@ -14,10 +14,11 @@ Our functional specification in Coq matches the specifications of RFC~7748~\cite \end{theorem} We first describe the global structure of our proof (\ref{subsec:proof-structure}). Then we introduce our specification (\ref{}), we specify the Hoare triple and prove it Then we introduce our specification, we specify the Hoare triple and prove it correct with VST (\tref{thm:VST}). Then we discuss techniques used to prove equivalence of operations between different number representations (\ref{}), proving the equivalence with the RFC (\tref{thm:RFC}). different number representations, proving the equivalence with the RFC (\tref{thm:RFC}). ... ... @@ -93,7 +94,7 @@ This guarantees us the correctness of the implementation. TweetNaCl implements X25519 with numbers represented as arrays. RFC~7748 defines X25519 over field elements. In order to simplify our proofs, we define generic operations used in the ladder over generic types we define operations used in the ladder over generic types \coqe{T} and \coqe{T'}. Those types are later instanciated as natural number, integers, field elements, list of integers... The generic definition of the ladder (\coqe{montgomery_rec}) and its match with ... ... @@ -104,17 +105,38 @@ of \texttt{CSWAP}: original paper. Implementations are free to use any correct formulas.''}~\cite{rfc7748}. We later prove our lader correct in that respect (\sref{sec:maths}). \coqe{montgomery_rec} only computes the ladder steps, we define \coqe{montgomery_rec} only computes the ladder steps. While the inversion; the packing; the unpacking (setting bit 255 to \texttt{0}) and clamping are not defined in a generic manner, we show their equivalence between the different representations. \todo{more stuff on list, and numbers, add code into appendix.} Appendix~\ref{subsubsec:ZCryptoScalarmult} show the instantiation of our ladder over Intergers (type \coqe{Z}). We call it \coqe{ZCrypto_Scalarmult}. The modulo reduction is applied in \coqe{ZPack25519} translating every underlying operations as over \Zfield. As a result this specification can be interpreted as the formalization of X25519 in RFC~7748. In appendix~\ref{subsubsec:CryptoScalarmult}, we show the the formalization of \TNaCle{crypto_scalarmult} over lists of integers. We define it as \Coqe{Crypto_Scalarmult} or \Coqe{CSM}. For the sake of space and simplicity we do not display the definitions of each underlying functions. The location of the definitions are listed in Appendix~\ref{appendix:proof-files}. \subsection{With the Verifiable Software Toolchain} \label{subsec:with-VST} We now turn our focus to the specification of the Hoare triple with our specifications of \TNaCle{crypto_scalarmult} over list of integers and proving its correctness. \subheading{Specifications.} We show the soundness of TweetNaCl by proving the following specification matches a pure Coq function. % why "pure" ? This defines the equivalence between the Clight representation and a Coq definition of the ladder. We show the soundness of TweetNaCl by proving the following specification matches a pure Coq function. % why "pure" ? % A pure function is a function where the return value is only determined by its % input values, without observable side effects (Side effect are e.g. printing) This defines the equivalence between the Clight representation and our Coq definition of the ladder (\coqe{CSM}). \begin{lstlisting}[language=CoqVST] Definition crypto_scalarmult_spec := ... ... @@ -187,30 +209,33 @@ As Post-condition we have: This specification shows that \TNaCle{crypto_scalarmult} in C computes the same result as \VSTe{CSM} in Coq provided that inputs are within their respective bounds: arrays of 32 bytes. The location of the proof of this Hoare triple can be found in Appendix~\ref{appendix:proof-files}. The Verifiable Software Toolchain uses a strongest postcondition strategy. The user must first write a formal specification of the function he wants to verify in Coq. This should be as close as possible to the C implementation behavior. This will simplify the proof and help with stepping through the CLight version of the software. With the range of inputs defined, VST mechanically steps through each instruction and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows. We call this specification a low level specification. A user will then have an easier time to prove that his low level specification matches a simpler higher level one. In order to further speed-up the verification process, it has to be know that to prove the specification \TNaCle{crypto_scalarmult}, a user only need the specification of e.g. \TNaCle{M}. This provide with multiple advantages: the verification by the Coq kernel can be done in parallel and multiple users can work on proving different functions at the same time. For the sake of completeness we proved all intermediate functions. % We now bring the attention of the reader to details of verifications using the VST. \subheading{Memory aliasing.} VST implementation of separation logic is similar to a consumer-producer problem. A simple specification of \texttt{M(o,a,b)} will assume three distinct memory share. When called with three memory share (\texttt{o, a, b}), the three of them will be consumed. However assuming this naive specification when \texttt{M(o,a,a)} is called (squaring), the first two memory shares (\texttt{o, a}) are consumed and VST will expect a third memory share where the last \texttt{a} is pointing at which does not \textit{exist} anymore. %% BLABLA about VST. Does not belong here. % The Verifiable Software Toolchain uses a strongest postcondition strategy. % The user must first write a formal specification of the function he wants to verify in Coq. % This should be as close as possible to the C implementation behavior. % This will simplify the proof and help with stepping through the CLight version of the software. % With the range of inputs defined, VST mechanically steps through each instruction % and ask the user to verify auxiliary goals such as array bound access, or absence of overflows/underflows. % We call this specification a low level specification. A user will then have an easier % time to prove that his low level specification matches a simpler higher level one. % In order to further speed-up the verification process, it has to be know that to % prove the specification \TNaCle{crypto_scalarmult}, a user only need the specification of e.g. \TNaCle{M}. % This provide with multiple advantages: the verification by the Coq kernel can be done % in parallel and multiple users can work on proving different functions at the same time. % For the sake of completeness we proved all intermediate functions. \subheading{Memory aliasing.} In the VST, a simple specification of \texttt{M(o,a,b)} will assume three distinct memory share. When called with three memory share (\texttt{o, a, b}), the three of them will be consumed. However assuming this naive specification when \texttt{M(o,a,a)} is called (squaring), the first two memory shares (\texttt{o, a}) are consumed and VST will expect a third memory share (\texttt{a}) which does not \textit{exist} anymore. Examples of such cases are illustrated in \fref{tikz:MemSame}. \begin{figure}[h] \centering ... ... @@ -219,10 +244,10 @@ Examples of such cases are illustrated in \fref{tikz:MemSame}. \label{tikz:MemSame} \end{figure} A single function must either have multiple specifications or specify which aliasing set up is being used. The first option would require us to prove specifications multiple times for a same function. We chose the second approach: for functions with 3 arguments, named here after \texttt{o, a, b}, As a result, a function must either have multiple specifications or specify which aliasing case is being used. The first option would require us to do very similar proofs multiple times for a same function. We chose the second approach: for functions with 3 arguments, named hereafter \texttt{o, a, b}, we define an additional parameter$k$with values in$\{0,1,2,3\}$: \begin{itemize} \item if$k=0$then \texttt{o} and \texttt{a} are aliased. ... ... @@ -230,9 +255,9 @@ we define an additional parameter$k$with values in$\{0,1,2,3\}$: \item if$k=2$then \texttt{a} and \texttt{b} are aliased. \item else there is no aliasing. \end{itemize} In the proof of our specification, we then do a case analysis over$k$when needed. This solution does not cover all cases (e.g. all arguments are aliased) but it is enough for our needs. In the proof of our specification, we do a case analysis over$k$when needed. This solution does not cover all cases (e.g. all arguments are aliased) but it is enough for our needs. \subheading{Verifying \texttt{for} loops.} Final state of \texttt{for} loops are usually computed by simple recursive functions. ... ... @@ -269,12 +294,7 @@ and without returns the same result. We formalized this result in a generic way in Appendix~\ref{subsubsec:for}. Using this formalization, we prove that the 255 steps of the Montgomery ladder in C provide the same computations are the one defined in \aref{alg:montgomery-double-add}. in C provide the same computations as in \coqe{CSM}. \subsection{Number Representation and C Implementation} ... ... @@ -282,10 +302,11 @@ As described in \sref{subsec:Number-TweetNaCl}, numbers in \TNaCle{gf} are repre in base$2^{16}$and we use a direct mapping to represent that array as a list integers in Coq. However in order to show the correctness of the basic operations, we need to convert this number as a full integer. \begin{definition} Let \Coqe{ZofList} :$\Z \rightarrow \texttt{list} \Z \rightarrow \Z$, a parameterized map by$n$between a list$l$and its it's little endian representation with a radix$2^n$. \end{definition} \begin{dfn} Let \Coqe{ZofList} :$\Z \rightarrow \texttt{list} \Z \rightarrow \Z$, a parameterized map by$n$between a list$l$and its little endian representation with a radix$2^n$. \end{dfn} We define it in Coq as: \begin{lstlisting}[language=Coq] Fixpoint ZofList {n:Z} (a:list Z) : Z := ... ... @@ -298,58 +319,83 @@ We define a notation where$n$is$16$. \begin{lstlisting}[language=Coq] Notation "Z16.lst A" := (ZofList 16 A). \end{lstlisting} We also define a notation to do the modulo, projecting any numbers in$\Zfield$. To facilitate working in \Zfield, we define the \coqe{:GF} notation. \begin{lstlisting}[language=Coq] Notation "A :GF" := (A mod (2^255-19)). \end{lstlisting} % Remark that this representation is different from \Coqe{Zmodp}. However the equivalence between operations over$\Zfield$and$\F{p}$is easily proven. Later in \sref{sec:maths}, we formally define \F{\p}. Equivalence between operations under \coqe{:GF} and in \F{\p} are easily proven. Using these two definitions, we proved intermediates lemmas such as the correctness of the multiplication \Coqe{M} where \Coqe{M} replicate the computations and steps done in C. multiplication \Coqe{Low.MM} where \Coqe{Low.M} replicate the computations and steps done in C. \begin{lemma} For all list of integers \texttt{a} and \texttt{b} of length 16 representing$A$and$B$in$\Zfield$, the number represented in$\Zfield$by the list \Coqe{(M a b)} is equal to$A \times B \bmod \p$. \label{lemma:mult_correct} \Coqe{Low.M} implements correctly the multiplication over \Zfield. \end{lemma} And seen in Coq as follows: \begin{Coq} \begin{lstlisting}[language=Coq] Lemma mult_GF_Zlength : forall (a:list Z) (b:list Z), Zlength a = 16 -> Zlength b = 16 -> (Z16.lst (M a b)) :GF = (Z16.lst (Low.M a b)) :GF = (Z16.lst a * Z16.lst b) :GF. \end{Coq} \end{lstlisting} However for our purpose, simple functional correctness is not enough. We also need to define the bounds under which the operation is correct, allowing us to chain them, guaranting us the absence of overflow. \begin{lemma} \label{lemma:mult_bounded} if all the values of the input arrays are constrained between$-2^{26}$and$2^{26}$, then the output of \coqe{Low.M} will be constrained between$-38$and$2^{16} + 38\$. \end{lemma} And seen in Coq as follows: \begin{lstlisting}[language=Coq] Lemma M_bound_Zlength : forall (a:list Z) (b:list Z), Zlength a = 16 -> Zlength b = 16 -> Forall (fun x => -2^26 < x < 2^26) a -> Forall (fun x => -2^26 < x < 2^26) b -> Forall (fun x => -38 <= x < 2^16 + 38) (Low.M a b). \end{lstlisting} \subsection{Inversions, Reflections and Packing} We now turn our attention to the inversion in \Zfield and techniques to increase the verifications speed of complex formulas.