9.75 pages

readings/2_Implementation.tex

@@ -296,7 +296,7 @@ in Coq (for the sake of simplicity we do not display the conversion in the theor
 For all $n \in \N, n < 2^{255}$ and where the bits 1, 2, 5 248, 249, 250
 are cleared and bit 6 is set, for all $P \in E(\F{p^2})$,
 for all $p \in \F{p}$ such that $P.x = p$,
-there exists $Q \in E(\F{p^2})$ such that $Q = nP$, $Q.x = q$ and $q$ = \VSTe{CSM} $n$ $p$.
+there exists $Q \in E(\F{p^2})$ such that $Q = nP$ where $Q.x = q$ and $q$ = \VSTe{CSM} $n$ $p$.
 \end{theorem}
 A more complete description in Coq of Theorem \ref{CSM-correct} with the associated conversions
 is as follow:

readings/4_NumberAndImplementation.tex

-\section{Linking C and Coq}
+\section{Linking C and Reflections}
 
 In this section we describe techniques used to prove the equivalence between the
 Clight description of TweetNaCl and Coq functions producing similar behaviors.
@@ -8,27 +8,38 @@ Clight description of TweetNaCl and Coq functions producing similar behaviors.
 As described in Section \ref{sec:impl}, numbers in \TNaCle{gf} are represented
 in base $2^{16}$ and we can use a direct mapping to represent that array as a list
 integers in Coq. However in order to show the correctness of the basic operations,
-we need to convert this number as a full integer. For this reason we define
-\Coqe{ZofList : Z -> list Z -> Z}:
-\begin{Coq}
+we need to convert this number as a full integer.
+\begin{definition}
+Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list} \Z \rightarrow \Z$, a parametrized map by $n$ betwen a list $l$ and its
+it's little endian representation with a base $2^n$.
+\end{definition}
+We define it in Coq as:
+\begin{lstlisting}[language=Coq]
 Fixpoint ZofList {n:Z} (a:list Z) : Z :=
   match a with
   | [] => 0
   | h :: q => h + (pow 2 n) * ZofList q
   end.
+\end{lstlisting}
+We define a notation where $n$ is $16$.
+\begin{lstlisting}[language=Coq]
 Notation "Z16.lst A" := (ZofList 16 A).
-\end{Coq}
-It converts any list of integer from a base $2^n$ to an single integer. In our
-case we define a notation where $n$ is $16$.
-
-The following Coq notation is defined to convert any integer to its representant
-in \Zfield.
-\begin{Coq}
+\end{lstlisting}
+We also define a notation to do the modulo, projecting any numbers in $\Zfield$.
+\begin{lstlisting}[language=Coq]
 Notation "A :GF" := (A mod (2^255-19)).
-\end{Coq}
+\end{lstlisting}
+Remark that this representation is different from \Coqe{Zmodp}.
+However the equivalence between operations over $\Zfield$ and $\F{p}$ is easily proven.
 
-Using these two definitions, we proved lemmas such as the correctness of the
-multiplication \Coqe{M}:
+Using these two definitions, we proved intermediates lemmas such as the correctness of the
+multiplication \Coqe{M} where \Coqe{M} replicate the computations and steps done in C.
+\begin{lemma}
+For all list of integers \texttt{a} and \texttt{b} of length 16 representing
+$A$ and $B$ in $\Zfield$, the number represented in $\Zfield$ by the list \Coqe{(M a b)}
+is equal to $A \times B \bmod \p$.
+\end{lemma}
+And seen in Coq as follows:
 \begin{Coq}
 Lemma mult_GF_Zlength :
   forall (a:list Z) (b:list Z),
@@ -38,14 +49,10 @@ Lemma mult_GF_Zlength :
    (Z16.lst a * Z16.lst b) :GF.
 \end{Coq}
 
-For all list of integers \texttt{a} and \texttt{b} of length 16 representing
-$A$ and $B$ in \Zfield, the number represented in \Zfield by the list \Coqe{(M a b)}
-is equal to $A \times B \bmod 2^{255}-19$.
+\subsection{Inversions in \Zfield}
 
 In a similar fashion we can define a Coq version of the inversion mimicking
-the behavior of \TNaCle{inv25519} over \Coqe{list Z}. \Coqe{step_pow} contains
-the body of the for loop.
-
+the behavior of \TNaCle{inv25519} over \Coqe{list Z}.
 \begin{lstlisting}[language=Ctweetnacl]
 sv inv25519(gf o,const gf a)
 {
@@ -59,18 +66,15 @@ sv inv25519(gf o,const gf a)
   FOR(i,16) o[i]=c[i];
 }
 \end{lstlisting}
-
-\begin{Coq}
+We specify this with 2 functions: a recursive \Coqe{pow_fn_rev} to to simulate the for loop and a simple
+\Coqe{step_pow} containing the body. Note the off by one for the loop.
+\begin{lstlisting}[language=Coq]
 Definition step_pow (a:Z) (c g:list Z) : list Z :=
   let c := Sq c in
     if a <>? 1 && a <>? 3
     then M c g
     else c.
-\end{Coq}
 
-\Coqe{pow_fn_rev} is responsible of the iteration of the loop by making
-recursive calls.
-\begin{Coq}
 Function pow_fn_rev (a:Z) (b:Z) (c g: list Z)
   {measure Z.to_nat a} : (list Z) :=
   if a <=? 0
@@ -78,23 +82,46 @@ Function pow_fn_rev (a:Z) (b:Z) (c g: list Z)
     else
       let prev := pow_fn_rev (a - 1) b c g in
         step_pow (b - 1 - a) prev g.
-\end{Coq}
-
-% This \Coqe{Function} requires a proof of termination. It is done by proving the
-% Well-foundness of the decreasing argument: \Coqe{measure Z.to_nat a}.
+\end{lstlisting}
 
-Calling \Coqe{pow_fn_rev} 254 times allows us to reproduce the same behavior as
-the Clight definition.
-\begin{Coq}
+This \Coqe{Function} requires a proof of termination. It is done by proving the
+Well-foundness of the decreasing argument: \Coqe{measure Z.to_nat a}. Calling
+\Coqe{pow_fn_rev} 254 times allows us to reproduce the same behavior as the \texttt{Clight} definition.
+\begin{lstlisting}[language=Coq]
 Definition Inv25519 (x:list Z) : list Z :=
   pow_fn_rev 254 254 x x.
-\end{Coq}
+\end{lstlisting}
+Similarily we define the same function over $\Z$.
+\begin{lstlisting}[language=Coq]
+Definition step_pow_Z (a:Z) (c:Z) (g:Z) : Z :=
+  let c := c * c in
+  if a <>? 1 && a <>? 3
+    then c * g
+    else c.
 
-\subsection{Inversions and Reflections}
+Function pow_fn_rev_Z (a:Z) (b:Z) (c:Z) (g: Z)
+  {measure Z.to_nat a} : Z :=
+  if (a <=? 0)
+    then c
+    else
+      let prev := pow_fn_rev_Z (a - 1) b c g in
+        step_pow_Z (b - 1 - a) prev g.
 
-In TweetNaCl, \TNaCle{inv25519} computes an inverse in \Zfield. It uses the
-Fermat's little theorem by the exponentiation to $2^{255}-21$. To prove the
-correctness of the result we can use multiple strategy such as:
+Definition Inv25519_Z (x:Z) : Z :=
+  pow_fn_rev_Z 254 254 x x.
+\end{lstlisting}
+And prove their equivalence in $\Zfield$.
+\begin{lstlisting}[language=Coq]
+Lemma Inv25519_Z_GF : forall (g:list Z),
+  length g = 16 ->
+  (Z16.lst (Inv25519 g)) :GF =
+  (Inv25519_Z (Z16.lst g)) :GF.
+\end{lstlisting}
+In TweetNaCl, \TNaCle{inv25519} computes an inverse in $\Zfield$. It uses the
+Fermat's little theorem by doing an exponentiation to $2^{255}-21$.
+This is done by applying a square-and-multiply algorithm. The binary representation
+of $p-2$ implies to always do a multiplications aside for bit 2 and 4, thus the if case.
+To prove the correctness of the result we can use multiple strategies such as:
 \begin{itemize}
   \item Proving it is special case of square-and-multiply algorithm applied to
   a specific number and then show that this number is indeed $2^{255}-21$.
@@ -102,94 +129,44 @@ correctness of the result we can use multiple strategy such as:
   $x^a \times x^b = x^{(a+b)}$ and $(x^a)^2 = x^{(2 \times a)}$. We can prove that
   the resulting exponent is $2^{255}-21$.
 \end{itemize}
-
-We choose the second method. The only drawback is that it requires to apply the
-unrolling and exponentiation lemmas 255 times. This can be automated in Coq with
-tacticals such as \Coqe{repeat}, but it generates a big proof object which
+We use the second method for the benefits of simplicity. However it requires to
+apply the unrolling and exponentiation formulas 255 times. This can be automated
+in Coq with tacticals such as \Coqe{repeat}, but it generates a proof object which
 will take a long time to verify.
 
-\subsubsection{Speeding up with Reflections}
+\subsection{Speeding up with Reflections}
 
 In order to speed up the verification, we use a technique called reflection.
-It provides us with flexibility such as we don't need to know the  number of
-times the lemmas needs to be applied.
+It provides us with flexibility such as we don't need to know the number of
+times nor the order in which the lemmas needs to be applied (chapter 15 in \cite{CpdtJFR}).
 
 The idea is to \textit{reflect} the goal into a decidable environment.
-In our case, we show that for a property $P$, we can define a decidable
-boolean property $P_{bool}$ such that if $P_{bool}$ is \Coqe{true} then $P$ holds.
-$$P_{bool} = true \implies P$$
-
-With VST we proved that \TNaCle{inv25519} in \texttt{Clight} is equivalent to its Coq
-functional definition \Coqe{Inv25519}. We also proved that \Coqe{Inv25519}
-over \Coqe{list Z} is equivalent to applying
-\Coqe{Inv25519_Z} over \Coqe{Z}
-
-% With VST we proved that \TNaCle{inv25519} in \texttt{Clight} is equivalent to its Coq
-% functional definition \Coqe{Inv25519}. We also proved that \Coqe{pow_fn_rev}
-% over \Coqe{list Z} is equivalent to applying
-% \Coqe{pow_fn_rev_Z} over \Coqe{Z}
-
-\begin{Coq}
-Lemma Inv25519_Z_GF :
-  forall (g:list Z),
-  length g = 16 ->
-  (Z16.lst (Inv25519 g)) :GF =
-  (Inv25519_Z (Z16.lst g)) :GF.
-\end{Coq}
-
-% \begin{Coq}
-% Lemma pow_fn_rev_Z_GF :
-%   forall (a:Z) (b:Z) (c:list Z) (g:list Z),
-%   Zlength c = 16 ->
-%   Zlength g = 16 ->
-%   (Z16.lst (pow_fn_rev a b c g)) :GF =
-%   (pow_fn_rev_Z a b (Z16.lst c) (Z16.lst g)) :GF .
-% \end{Coq}
-
-where \Coqe{Inv25519_Z} reproduces the same pattern as \Coqe{Inv25519}.
-
-\begin{Coq}
-Definition Inv25519_Z (x:Z) : Z :=
-  pow_fn_rev_Z 254 254 x x.
-\end{Coq}
-
-\Coqe{pow_fn_rev_Z} mimicks \Coqe{pow_fn_rev} over \Coqe{Z} instead of
-\Coqe{list Z}. The structure is the same:
-the application \Coqe{step_pow_Z} and the loop itself \Coqe{pow_fn_rev_Z}
-
-\begin{Coq}
-Definition step_pow_Z (a:Z) (c:Z) (g:Z) : Z :=
-  let c := c * c in
-  if a <>? 1 && a <>? 3
-    then c * g
-    else c.
-
-Function pow_fn_rev_Z (a:Z) (b:Z) (c:Z) (g: Z)
-  {measure Z.to_nat a} : Z :=
-  if (a <=? 0)
-    then c
-    else
-      let prev := pow_fn_rev_Z (a - 1) b c g in
-        step_pow_Z (b - 1 - a) prev g.
-\end{Coq}
-%
-% In line with the definition of \Coqe{Inv25519}, we define the inversion modulo
-% $2^{255}-19$ as an instance of \Coqe{pow_fn_rev_Z} where \Coqe{a} and \Coqe{b} are 254.
-
-\subsubsection{A Simple Domain Specific Language}
+We show that for a property $P$, we can define a decidable boolean property
+$P_{bool}$ such that if $P_{bool}$ is \Coqe{true} then $P$ holds.
+$$reify\_P : P_{bool} = true \implies P$$
+By applying $reify\_P$ on $P$ our goal become $P_{bool} = true$.
+We can then compute the result of $P_{bool}$. If the decision goes well we are
+left with the tautology $true = true$.
 
 To prove that the \Coqe{Inv25519_Z} is computing $x^{2^{255}-21}$,
-we define a Domain Specific Language:
-\begin{Coq}
+we define a Domain Specific Language.
+\begin{definition}
+Let \Coqe{expr_inv} denote an expression which can be either a term;
+a multiplication of expressions; a squaring of an expression or a power of an expression.
+And Let \Coqe{formula_inv} denote an equality between two expressions.
+\end{definition}
+\begin{lstlisting}[language=Coq]
 Inductive expr_inv :=
   | R_inv : expr_inv
   | M_inv : expr_inv -> expr_inv -> expr_inv
   | S_inv : expr_inv -> expr_inv
   | P_inv : expr_inv -> positive -> expr_inv.
-\end{Coq}
-An expression can be either a term, a multiplication, a squaring or a power.
-This is denoted as follow:
-\begin{Coq}
+
+Inductive formula_inv :=
+  | Eq_inv : expr_inv -> expr_inv -> formula_inv.
+\end{lstlisting}
+The denote functions are defined as follows:
+\begin{lstlisting}[language=Coq]
 Fixpoint e_inv_denote (m:expr_inv) : Z :=
   match m with
   | R_inv     =>
@@ -201,37 +178,13 @@ Fixpoint e_inv_denote (m:expr_inv) : Z :=
   | P_inv x p =>
     pow (e_inv_denote x) (Z.pos p)
   end.
-\end{Coq}
-
-We defined \Coqe{step_inv} and \Coqe{pow_inv} to mirror the behavior of
-\Coqe{step_pow_Z} and respectively \Coqe{pow_fn_rev_Z} over our new domain.
-
-\begin{Coq}
-Lemma step_inv_step_pow_eq :
-  forall (a:Z) (c:expr_inv) (g:expr_inv),
-  e_inv_denote (step_inv a c g) =
-  step_pow_Z a (e_inv_denote c) (e_inv_denote g).
-\end{Coq}
-\begin{Coq}
-Lemma pow_inv_pow_fn_rev_eq :
-  forall (a:Z) (b:Z) (c:expr_inv) (g:expr_inv),
-  e_inv_denote (pow_inv a b c g) =
-  pow_fn_rev_Z a b (e_inv_denote c) (e_inv_denote g).
-\end{Coq}
 
-We also define what is a formula in our language: a simple equality.
-\begin{Coq}
-Inductive formula_inv :=
-  | Eq_inv : expr_inv -> expr_inv -> formula_inv.
-\end{Coq}
-This is denoted as follow:
-\begin{Coq}
 Definition f_inv_denote (t : formula_inv) : Prop :=
   match t with
   | Eq_inv x y => e_inv_denote x = e_inv_denote y
   end.
-\end{Coq}
-With such Domain Specific Language we have the equivalence between:
+\end{lstlisting}
+With such Domain Specific Language we have the equality between:
 \begin{lstlisting}[backgroundcolor=\color{white}]
 f_inv_denote
  (Eq_inv (M_inv R_inv (S_inv R_inv))
@@ -239,22 +192,48 @@ f_inv_denote
   = (x * x^2 = x^3)
 \end{lstlisting}
 
-\subsubsection{Deciding formulas}
+We define \Coqe{step_inv} and \Coqe{pow_inv} to mirror the behavior of
+\Coqe{step_pow_Z} and respectively \Coqe{pow_fn_rev_Z} over our DSL and
+we prove their equality.
+\begin{lstlisting}[language=Coq]
+Lemma step_inv_step_pow_eq :
+  forall (a:Z) (c:expr_inv) (g:expr_inv),
+  e_inv_denote (step_inv a c g) =
+  step_pow_Z a (e_inv_denote c) (e_inv_denote g).
+
+Lemma pow_inv_pow_fn_rev_eq :
+  forall (a:Z) (b:Z) (c:expr_inv) (g:expr_inv),
+  e_inv_denote (pow_inv a b c g) =
+  pow_fn_rev_Z a b (e_inv_denote c) (e_inv_denote g).
+\end{lstlisting}
+We can then derive the following lemma.
+\begin{lemma}
+\label{reify}
+With an appropriate choice of variables,
+\Coqe{pow_inv} denotes \Coqe{Inv25519_Z}.
+\end{lemma}
 
 In order to prove formulas in \Coqe{formula_inv},
-we define a decidable procedure.
-We first compute the power of each side of the formula and then check their
-equality.
+we have the following a decidable procedure.
+We define \Coqe{pow_expr_inv}, a function which returns the power of an expression.
+We can then compare the two values and decide over their equality.
 \begin{Coq}
 Fixpoint pow_expr_inv (t:expr_inv) : Z :=
   match t with
   | R_inv   => 1
+  (* power of a term is 1. *)
   | M_inv x y =>
     (pow_expr_inv x) + (pow_expr_inv y)
+  (* power of a multiplication is
+     the sum of the exponents. *)
   | S_inv x =>
     2 * (pow_expr_inv x)
+  (* power of a squaring is the double
+     of the exponent. *)
   | P_inv x p =>
     (Z.pos p) * (pow_expr_inv x)
+  (* power of a power is the multiplication
+     of the exponents. *)
   end.
 
 Definition decide_e_inv (l1 l2:expr_inv) : bool :=
@@ -265,20 +244,24 @@ Definition decide_f_inv (f:formula_inv) : bool :=
   | Eq_inv x y => decide_e_inv x y
   end.
 \end{Coq}
-We proved that our procedure is correct: for all formulas in \Coqe{formula_inv}, if
-\Coqe{decide_f_inv} returns \Coqe{true}, then the denoted equality is correct.
+We prove our decision procedure correct.
+\begin{lemma}
+\label{decide}
+For all formulas $f$, if the decision over $f$ returns \Coqe{true},
+then the denoted equality by $f$ is true.
+\end{lemma}
+Which can be formalized as:
 \begin{Coq}
 Lemma decide_formula_inv_impl :
   forall (f:formula_inv),
   decide_f_inv f = true ->
   f_inv_denote f.
 \end{Coq}
-
-By reification to our Domain Specific Language and then by applying
-\texttt{decide\_formula\_inv\_impl} and computing \texttt{decide\_f\_inv},
-we proved that \Coqe{Inv25519} is indeed computing an inverse in
-modulo $2^{255}-19$.
-
+By reification to over DSL (lemma \ref{reify}) and by applying our decision (lemma \ref{decide}).
+we proved the following theorem.
+\begin{theorem}
+\Coqe{Inv25519_Z} computes an inverse in \Zfield.
+\end{theorem}
 \begin{Coq}
 Theorem Inv25519_Z_correct :
   forall (x:Z),
@@ -287,7 +270,9 @@ Theorem Inv25519_Z_correct :
 
 From \Coqe{Inv25519_Z_correct} and \Coqe{Inv25519_Z_GF}, we conclude the
 functionnal correctness of the inversion over \Zfield.
-
+\begin{corollary}
+\Coqe{Inv25519} computes an inverse in \Zfield.
+\end{corollary}
 \begin{Coq}
 Corollary Inv25519_Zpow_GF :
   forall (g:list Z),
@@ -296,18 +281,19 @@ Corollary Inv25519_Zpow_GF :
   (pow (Z16.lst g) (2^255-21)) :GF.
 \end{Coq}
 
-\subsubsection{Packing and other applications}
+\subsection{Packing and other applications of reflection}
 
-Reflection can also be used where proofs requires computing and a small and
+We prove the functional correctness of \Coqe{Inv25519} with reflections.
+This technique can also be used where proofs requires some computing or a small and
 finite domain of variable to test e.g. for all $i$ such that $0 \le i < 16$.
-Using reflections we proved that we can split the for loop in \TNaCle{pack25519} into two parts.
+Using reflection we prove that we can split the for loop in \TNaCle{pack25519} into two parts.
 \begin{lstlisting}[language=Ctweetnacl]
 for(i=1;i<15;i++) {
   m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
   m[i-1]&=0xffff;
 }
 \end{lstlisting}
-The first is computing the substraction while the second is applying the carrying.
+The first loop is computing the substraction while the second is applying the carrying.
 \begin{lstlisting}[language=Ctweetnacl]
 for(i=1;i<15;i++) {
   m[i]=t[i]-0xffff
@@ -318,8 +304,8 @@ for(i=1;i<15;i++) {
 }
 \end{lstlisting}
 This loop separation allows simpler proofs. The first loop is seen as the substraction of a number in \Zfield.
-We then proved than with the iteration of the second loop, the number represented in \Zfield stays the same.
-This lead to the proof that \TNaCle{pack25519} is effectively reducing mod $2^{255}-19$ and returning a number in base $2^8$.
+We then prove that with the iteration of the second loop, the number represented in \Zfield stays the same.
+This leads to the proof that \TNaCle{pack25519} is effectively reducing mod $\p$ and returning a number in base $2^8$.
 
 \begin{Coq}
 Lemma Pack25519_mod_25519 :