Commit ac359637 authored by Timmy Weerwag

Typos

parent 77c23112
...@@ -34,14 +34,14 @@ with it in the proofs (\ref{subsec:curvep2}). ...@@ -34,14 +34,14 @@ with it in the proofs (\ref{subsec:curvep2}).
\label{subsec:ECC} \label{subsec:ECC}
\fref{tikz:ProofHighLevel1} presents the structure of the proof of the ladder's \fref{tikz:ProofHighLevel1} presents the structure of the proof of the ladder's
correctness. The white tiles are definitions, the orange ones are hypothesis and correctness. The white tiles are definitions, the orange ones are hypotheses and
the green tiles represent major lemmas and theorems. the green tiles represent major lemmas and theorems.
% The plan is as follows. % The plan is as follows.
% (This is part of the description of the picture). % (This is part of the description of the picture).
We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$). We consider the field $\K$ and formalize the Montgomery curves ($M_{a,b}(\K)$).
Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub, Then, by using the equivalent Weierstra{\ss} form ($E_{a',b'}(\K)$) from the library of Bartzia and Strub,
we prove that $M_{a,b}(\K)$ forms an commutative group. we prove that $M_{a,b}(\K)$ forms a commutative group.
Under the hypothesis that Under the hypothesis that
$a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref{thm:montgomery-ladder-correct}). $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref{thm:montgomery-ladder-correct}).
...@@ -49,7 +49,7 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref ...@@ -49,7 +49,7 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref
\centering \centering
\include{tikz/highlevel1} \include{tikz/highlevel1}
% \vspace{-0.5cm} % \vspace{-0.5cm}
\caption{Overview of the proof of Montgomery ladder's correctness} \caption{Overview of the proof of Montgomery ladder's correctness.}
\label{tikz:ProofHighLevel1} \label{tikz:ProofHighLevel1}
\end{figure} \end{figure}
...@@ -79,7 +79,7 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form. ...@@ -79,7 +79,7 @@ Then, this equation $E(x,y)$ can be reduced into its short Weierstra{\ss} form.
The \textit{elliptic curve} $E_{a,b}$ is defined by the equation The \textit{elliptic curve} $E_{a,b}$ is defined by the equation
$$y^2 = x^3 + ax + b.$$ $$y^2 = x^3 + ax + b.$$
$E_{a,b}(\K)$ is the set of all points $(x,y) \in \K^2$ satisfying the $E_{a,b}$ $E_{a,b}(\K)$ is the set of all points $(x,y) \in \K^2$ satisfying the $E_{a,b}$
along with an additional formal point $\Oinf$, ``at infinity''. Such a curve does not have any singularity. along with an additional formal point $\Oinf$, ``at infinity''. Such a curve does not have any singularities.
\end{dfn} \end{dfn}
In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which
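Review bot: the definition in this hunk closes with the claim that such a curve does not have any singularities, but nothing in the visible definition guarantees it; a short Weierstrass curve $y^2 = x^3 + ax + b$ is nonsingular only when $4a^3 + 27b^2 \neq 0$, so either add that hypothesis to the definition or say where it is assumed. In the same hunk, the phrase "satisfying the $E_{a,b}$" is missing a noun; "satisfying the equation of $E_{a,b}$" reads correctly.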
......
...@@ -310,7 +310,7 @@ Lemma M_bound_Zlength : ...@@ -310,7 +310,7 @@ Lemma M_bound_Zlength :
\begin{sloppypar} \begin{sloppypar}
By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub}; By using each function \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};
\coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519}; \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{Inv25519}; \coqe{car25519};
\coqe{montgomery_rec}, we defined in Coq \coqe{Crypto_Scalarmult} and with VST \coqe{montgomery_rec}, we defined \coqe{Crypto_Scalarmult} in Coq and with VST
proved it matches the exact behavior of X25519 in TweetNaCl. proved it matches the exact behavior of X25519 in TweetNaCl.
\end{sloppypar} \end{sloppypar}
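Review bot: the list of functions in this hunk is separated by semicolons (`\coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{Low.Zub};`), which reads as a sequence of clauses rather than a list of names; commas are the conventional separator in running text. The opening "By using each function" is also awkward: "Using the functions \coqe{Low.M}, \coqe{Low.A}, ... we defined \coqe{Crypto_Scalarmult} in Coq" keeps the meaning and matches the rest of the sentence.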
......
...@@ -281,7 +281,7 @@ Separation logic is an extension of Hoare logic which allows reasoning about ...@@ -281,7 +281,7 @@ Separation logic is an extension of Hoare logic which allows reasoning about
pointers and memory manipulation. pointers and memory manipulation.
%This logic enforces strict conditions on the memory shared such as being disjoint. %This logic enforces strict conditions on the memory shared such as being disjoint.
%Separation logic requires memory regions of different function arguments to be disjoint. %Separation logic requires memory regions of different function arguments to be disjoint.
Reasoning in separation logic assumes that certain memory regions are non-overlapping Reasoning in separation logic assumes that certain memory regions are non-overlapping.
We discuss this limitation further in \sref{subsec:with-VST}. We discuss this limitation further in \sref{subsec:with-VST}.
The Verified Software Toolchain (VST)~\cite{cao2018vst-floyd} is a framework The Verified Software Toolchain (VST)~\cite{cao2018vst-floyd} is a framework
......
...@@ -84,15 +84,15 @@ match m with ...@@ -84,15 +84,15 @@ match m with
end. end.
\end{lstlisting} \end{lstlisting}
The comments in the ladder represent the text from the RFC which The comments in the ladder represent the text from the RFC, which
our formalization matches perfectly. In order to optimize the our formalization matches perfectly. In order to optimize the
number of calls to \texttt{CSWAP} (defined in \sref{cswap}) number of calls to \texttt{CSWAP} (defined in \sref{cswap})
the RFC uses an additional variable to decide whether a conditional swap the RFC uses an additional variable to decide whether a conditional swap
is required or not. is required or not.
Later in our proof we use a simpler description of the ladder Later in our proof we use a simpler description of the ladder
(\coqe{montgomery_rec}) which follows strictly \aref{alg:montgomery-ladder} (\coqe{montgomery_rec}), which strictly follows \aref{alg:montgomery-ladder},
and prove those ladder equivalent. and prove those ladders equivalent.
RFC 7748 describes the calculations done in X25519 as follows: RFC 7748 describes the calculations done in X25519 as follows:
\emph{``To implement the X25519(k, u) [...] functions (where k is \emph{``To implement the X25519(k, u) [...] functions (where k is
...@@ -102,7 +102,7 @@ RFC 7748 describes the calculations done in X25519 as follows: ...@@ -102,7 +102,7 @@ RFC 7748 describes the calculations done in X25519 as follows:
in GF(p), i.e., they are performed modulo p.''}~\cite{rfc7748} in GF(p), i.e., they are performed modulo p.''}~\cite{rfc7748}
Operations used in the Montgomery ladder of \coqe{RFC} are performed on Operations used in the Montgomery ladder of \coqe{RFC} are performed on
integers (See Appendix~\ref{subsubsec:RFC-Coq}). integers (see Appendix~\ref{subsubsec:RFC-Coq}).
The reduction modulo $\p$ is deferred to the very end as part of the The reduction modulo $\p$ is deferred to the very end as part of the
\coqe{ZPack25519} operation. \coqe{ZPack25519} operation.
...@@ -110,7 +110,7 @@ We now turn our attention to the decoding and encoding of the byte arrays. ...@@ -110,7 +110,7 @@ We now turn our attention to the decoding and encoding of the byte arrays.
We define the little-endian projection to integers as follows. We define the little-endian projection to integers as follows.
\begin{dfn} \begin{dfn}
Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list}~\Z \rightarrow \Z$, Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list}~\Z \rightarrow \Z$,
a function which given $n$ and a list $l$ returns its little endian decoding with radix $2^n$. a function which given $n$ and a list $l$ returns its little-endian decoding with radix $2^n$.
\end{dfn} \end{dfn}
% \begin{lstlisting}[language=Coq,belowskip=1pt] % \begin{lstlisting}[language=Coq,belowskip=1pt]
% Fixpoint ZofList {n:Z} (a:list Z) : Z := % Fixpoint ZofList {n:Z} (a:list Z) : Z :=
...@@ -119,7 +119,7 @@ We define the little-endian projection to integers as follows. ...@@ -119,7 +119,7 @@ We define the little-endian projection to integers as follows.
% | h :: q => h + 2^n * ZofList q % | h :: q => h + 2^n * ZofList q
% end. % end.
% \end{lstlisting} % \end{lstlisting}
Similarly, we define the projection from an integers to a little-endian list. Similarly, we define the projection from integers to little-endian lists.
\begin{dfn} \begin{dfn}
Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given Let \Coqe{ListofZ32} : $\Z \rightarrow \Z \rightarrow \texttt{list}~\Z$, given
$n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$. $n$ and $a$ returns $a$'s little-endian encoding as a list with radix $2^n$.
......
...@@ -31,8 +31,8 @@ ...@@ -31,8 +31,8 @@
The Netherlands} The Netherlands}
\and \and
\IEEEauthorblockN{Timmy Weerwag} \IEEEauthorblockN{Timmy Weerwag}
\IEEEauthorblockA{Radboud University,\\ \IEEEauthorblockA{Radboud University \&\\
The Netherlands} Open University\\of the Netherlands}
\and \and
\IEEEauthorblockN{Freek Wiedijk} \IEEEauthorblockN{Freek Wiedijk}
\IEEEauthorblockA{Radboud University,\\ \IEEEauthorblockA{Radboud University,\\
......