Commit b8792cdc authored by Benoit Viguier's avatar Benoit Viguier
Browse files

some more fixes

parent 78b21d53
......@@ -10,10 +10,10 @@
and array out of bounds errors.
We also formally prove, based on the work of Bartzia and Strub,
that X25519 is mathematically correct, i.e.,
that it correctly computes scalar multiplication on
that it correctly computes scalar multiplication on
the elliptic curve Curve25519.
The proofs are all computer-verified using the Coq theorem prover.
To establish the link between C and Coq we use the
To establish the link between C and Coq we use the
Verified Software Toolchain (VST).
\end{abstract}
......@@ -195,8 +195,10 @@ sv M(gf o,const gf a,const gf b) {
}
\end{lstlisting}
After the actual multiplication, the limbs of the result \texttt{o} are
too large to be used again as input, which is why the two calls to
After the multiplication, the limbs of the result \texttt{o} are
too large to be used again as input.
% which is why
The two calls to
\TNaCle{car25519} at the end of \TNaCle{M} propagate the carries through the limbs:
\begin{lstlisting}[language=Ctweetnacl]
sv car25519(gf o)
......
......@@ -186,41 +186,41 @@ is enough for our needs.
% This is not the case here: you compute idx 255 before 254...
% Can we shorten the next paragraph?
\subheading{Verifying \texttt{for} loops.}
Final states of \texttt{for} loops are usually computed by simple recursive functions.
However, we must define invariants which are true for each iteration step.
Assume that we want to prove a decreasing loop where indexes go from 3 to 0.
Define a function $g : \N \rightarrow State \rightarrow State $ which takes as
input an integer for the index and a state, then returns a state.
It simulates the body of the \texttt{for} loop.
Define the recursion: $f : \N \rightarrow State \rightarrow State $ which
iteratively applies $g$ with decreasing index:
\begin{equation*}
f ( i , s ) =
\begin{cases}
s & \text{if } s = 0 \\
f( i - 1 , g ( i - 1 , s )) & \text{otherwise}
\end{cases}
\end{equation*}
Then we have:
\begin{align*}
f(4,s) &= g(0,g(1,g(2,g(3,s))))
\end{align*}
To prove the correctness of $f(4,s)$, we need to prove that intermediate steps
$g(3,s)$; $g(2,g(3,s))$; $g(1,g(2,g(3,s)))$; $g(0,g(1,g(2,g(3,s))))$ are correct.
Due to the computation order of recursive function, our loop invariant for
$i\in\{0,1,2,3,4\}$ cannot use $f(i)$.
To solve this, we define an auxiliary function with an accumulator such that
given $i\in\{0,1,2,3,4\}$, it will compute the first $i$ steps of the loop.
We then prove for the complete number of steps, the function with the accumulator
and without returns the same result.
We formalized this result in a generic way in Appendix~\ref{subsubsec:for}.
Using this formalization, we prove that the 255 steps of the Montgomery ladder
in C provide the same computations as in \coqe{RFC}.
% \subheading{Verifying \texttt{for} loops.}
% Final states of \texttt{for} loops are usually computed by simple recursive functions.
% However, we must define invariants which are true for each iteration step.
%
% Assume that we want to prove a decreasing loop where indexes go from 3 to 0.
% Define a function $g : \N \rightarrow State \rightarrow State $ which takes as
% input an integer for the index and a state, then returns a state.
% It simulates the body of the \texttt{for} loop.
% Define the recursion: $f : \N \rightarrow State \rightarrow State $ which
% iteratively applies $g$ with decreasing index:
% \begin{equation*}
% f ( i , s ) =
% \begin{cases}
% s & \text{if } s = 0 \\
% f( i - 1 , g ( i - 1 , s )) & \text{otherwise}
% \end{cases}
% \end{equation*}
% Then we have:
% \begin{align*}
% f(4,s) &= g(0,g(1,g(2,g(3,s))))
% \end{align*}
% To prove the correctness of $f(4,s)$, we need to prove that intermediate steps
% $g(3,s)$; $g(2,g(3,s))$; $g(1,g(2,g(3,s)))$; $g(0,g(1,g(2,g(3,s))))$ are correct.
% Due to the computation order of recursive function, our loop invariant for
% $i\in\{0,1,2,3,4\}$ cannot use $f(i)$.
% To solve this, we define an auxiliary function with an accumulator such that
% given $i\in\{0,1,2,3,4\}$, it will compute the first $i$ steps of the loop.
%
% We then prove for the complete number of steps, the function with the accumulator
% and without returns the same result.
% We formalized this result in a generic way in Appendix~\ref{subsubsec:for}.
%
% Using this formalization, we prove that the 255 steps of the Montgomery ladder
% in C provide the same computations as in \coqe{RFC}.
%
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment