### Typos

parent 77c23112
 ... ... @@ -34,14 +34,14 @@ with it in the proofs (\ref{subsec:curvep2}). \label{subsec:ECC} \fref{tikz:ProofHighLevel1} presents the structure of the proof of the ladder's correctness. The white tiles are definitions, the orange ones are hypothesis and correctness. The white tiles are definitions, the orange ones are hypotheses and the green tiles represent major lemmas and theorems. % The plan is as follows. % (This is part of the description of the picture). We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$). Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub, we prove that $M_{a,b}(\K)$ forms an commutative group. we prove that $M_{a,b}(\K)$ forms a commutative group. Under the hypothesis that $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref{thm:montgomery-ladder-correct}). ... ... @@ -49,7 +49,7 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref \centering \include{tikz/highlevel1} % \vspace{-0.5cm} \caption{Overview of the proof of Montgomery ladder's correctness} \caption{Overview of the proof of Montgomery ladder's correctness.} \label{tikz:ProofHighLevel1} \end{figure} ... ... @@ -79,7 +79,7 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form. The \textit{elliptic curve} $E_{a,b}$ is defined by the equation $$y^2 = x^3 + ax + b.$$ $E_{a,b}(\K)$ is the set of all points $(x,y) \in \K^2$ satisfying the $E_{a,b}$ along with an additional formal point $\Oinf$, at infinity''. Such a curve does not have any singularity. along with an additional formal point $\Oinf$, at infinity''. Such a curve does not have any singularities. \end{dfn} In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which ... ...
 ... ... @@ -310,7 +310,7 @@ Lemma M_bound_Zlength : \begin{sloppypar} By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519}; \coqe{montgomery_rec}, we defined in Coq \coqe{Crypto_Scalarmult} and with VST \coqe{montgomery_rec}, we defined \coqe{Crypto_Scalarmult} in Coq and with VST proved it matches the exact behavior of X25519 in TweetNaCl. \end{sloppypar} ... ...
 ... ... @@ -281,7 +281,7 @@ Separation logic is an extension of Hoare logic which allows reasoning about pointers and memory manipulation. %This logic enforces strict conditions on the memory shared such as being disjoint. %Separation logic requires memory regions of different function arguments to be disjoint. Reasoning in separation logic assumes that certain memory regions are non-overlapping Reasoning in separation logic assumes that certain memory regions are non-overlapping. We discuss this limitation further in \sref{subsec:with-VST}. The Verified Software Toolchain (VST)~\cite{cao2018vst-floyd} is a framework ... ...
 ... ... @@ -84,15 +84,15 @@ match m with end. \end{lstlisting} The comments in the ladder represent the text from the RFC which The comments in the ladder represent the text from the RFC, which our formalization matches perfectly. In order to optimize the number of calls to \texttt{CSWAP} (defined in \sref{cswap}) the RFC uses an additional variable to decide whether a conditional swap is required or not. Later in our proof we use a simpler description of the ladder (\coqe{montgomery_rec}) which follows strictly \aref{alg:montgomery-ladder} and prove those ladder equivalent. (\coqe{montgomery_rec}), which strictly follows \aref{alg:montgomery-ladder}, and prove those ladders equivalent. RFC 7748 describes the calculations done in X25519 as follows: \emph{To implement the X25519(k, u) [...] functions (where k is ... ... @@ -102,7 +102,7 @@ RFC 7748 describes the calculations done in X25519 as follows: in GF(p), i.e., they are performed modulo p.''}~\cite{rfc7748} Operations used in the Montgomery ladder of \coqe{RFC} are performed on integers (See Appendix~\ref{subsubsec:RFC-Coq}). integers (see Appendix~\ref{subsubsec:RFC-Coq}). The reduction modulo $\p$ is deferred to the very end as part of the \coqe{ZPack25519} operation. ... ... @@ -110,7 +110,7 @@ We now turn our attention to the decoding and encoding of the byte arrays. We define the little-endian projection to integers as follows. \begin{dfn} Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list}~\Z \rightarrow \Z$, a function which given $n$ and a list $l$ returns its little endian decoding with radix $2^n$. a function which given $n$ and a list $l$ returns its little-endian decoding with radix $2^n$. \end{dfn} % \begin{lstlisting}[language=Coq,belowskip=1pt] % Fixpoint ZofList {n:Z} (a:list Z) : Z := ... ... 
@@ -119,7 +119,7 @@ We define the little-endian projection to integers as follows. % | h :: q => h + 2^n * ZofList q % end. % \end{lstlisting} Similarly, we define the projection from an integers to a little-endian list. Similarly, we define the projection from integers to little-endian lists. \begin{dfn} Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given $n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$. ... ...
 ... ... @@ -31,8 +31,8 @@ The Netherlands} \and \IEEEauthorblockN{Timmy Weerwag} \IEEEauthorblockA{Radboud University,\\ The Netherlands} \IEEEauthorblockA{Radboud University \&\\ Open University\\of the Netherlands} \and \IEEEauthorblockN{Freek Wiedijk} \IEEEauthorblockA{Radboud University,\\ ... ...
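Review bot: In the `@@ -34,14 +34,14 @@` region the third hunk (`Such a curve does not have any singularities.`) leaves `$\Oinf$, at infinity''` with only a closing `''` and no opening quote in either the removed or the added line; unless the opening `` was dropped by the renderer, add it so the phrase renders as a proper quotation. The unchanged context just before it, `satisfying the $E_{a,b}$`, also reads as if a noun is missing (e.g. `satisfying the equation $E_{a,b}$`), and since the hunk already touches this sentence it is worth fixing here.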
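Review bot: In the `@@ -310,7 +310,7 @@ Lemma M_bound_Zlength` hunk the reordering is fine, but the enumeration `By using each function \coqe{Low.M}; \coqe{Low.A}; ... \coqe{montgomery_rec}, we defined` still separates list items with semicolons and pairs `each function` with a plural list; suggest `By using the functions \coqe{Low.M}, \coqe{Low.A}, ..., and \coqe{montgomery_rec}, we defined`.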
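Review bot: In the `@@ -281,7 +281,7 @@ Separation logic` hunk the missing full stop is the right fix; the two commented-out alternative phrasings directly above it (`%This logic enforces strict conditions ...` and `%Separation logic requires memory regions ...`) are superseded by the kept sentence and could be deleted in the same pass rather than left as dead text in the source.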
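Review bot: In the `@@ -84,15 +84,15 @@ match m with` hunk, the unchanged context `In order to optimize the number of calls to \texttt{CSWAP} (defined in \sref{cswap}) the RFC uses an additional variable` wants a comma after the parenthetical (`(defined in \sref{cswap}), the RFC uses`); also `\texttt{CSWAP}` sits next to `\coqe{montgomery_rec}` in the same paragraph, so check that the typewriter macro choice is deliberate rather than inconsistent.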
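Review bot: In the `@@ -110,7 +110,7 @@` hunk the added line `Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list}~\Z \rightarrow \Z$, a function which given $n$ and a list $l$ returns its little-endian decoding with radix $2^n$.` is still a sentence fragment: the definition has no main verb. Suggest `Let \Coqe{ZofList} : ... be the function which, given $n$ and a list $l$, returns its little-endian decoding with radix $2^n$.` Separately, this line spells the macro `\Coqe` while the neighbouring hunk in the same file uses `\coqe{RFC}` and `\coqe{montgomery_rec}`; if those are not two distinct macros, unify the spelling.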
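Review bot: In the `@@ -119,7 +119,7 @@` hunk the added line `Similarly, we define the projection from integers to little-endian lists.` is fine, but the definition that follows in the unchanged context, `Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given $n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$.`, has the same missing verb; suggest `... be the function which, given $n$ and $a$, returns $a$'s little-endian encoding as a list with radix $2^n$.`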
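Review bot: The `@@ -31,8 +31,8 @@ The Netherlands}` hunk changes an author affiliation (`\IEEEauthorblockA{Radboud University \&\\ Open University\\of the Netherlands}`), which is not a typo fix and is not mentioned in the commit message `Typos`; either note it in the message or split it into its own commit. Also check the rendered block against the neighbouring authors: the other `\IEEEauthorblockA` entries in the context end with a country line (`Radboud University,\\ The Netherlands`), and the new block drops it, so the author list will render inconsistently unless that is intended.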