more text

cbf1658b · Benoit Viguier · 5c754263 · cbf1658b · cbf1658b · cbf1658b
Commit cbf1658b authored Sep 18, 2019 by Benoit Viguier
--- a/paper/3_RFC.tex
+++ b/paper/3_RFC.tex
@@ -4,26 +4,29 @@
 In this section we present our formalization of RFC~7748~\cite{rfc7748}.

 \begin{informaltheorem}
-The specification of X25519 in RFC~7748 is formalized by \Coqe{ZCrypto_Scalarmult}.
+The specification of X25519 in RFC~7748 is formalized by \Coqe{RFC}.
 \end{informaltheorem}

 More precisely, we formalized X25519 with the following definition.
-\begin{coq}
-Definition ZCrypto_Scalarmult n p :=
+\begin{lstlisting}[language=Coq]
+Definition RFC (n: list Z) (p: list Z) : list Z :=
+  let k := decodeScalar25519 n in
+  let u := decodeUCoordinate p in
  let t := montgomery_rec
-    255               (* iterate 255 times *)
-    (Zclamp n)        (* clamped n         *)
-    1                 (* x_2                *)
-    (ZUnpack25519 p)  (* x_3                *)
-    0                 (* z_2                *)
-    1                 (* z_3                *)
-    0                 (* dummy             *)
-    0                 (* dummy             *)
-    (ZUnpack25519 p)  (* x_1                *) in
+    255  (* iterate 255 times *)
+    k    (* clamped n         *)
+    1    (* x_2                *)
+    u    (* x_3                *)
+    0    (* z_2                *)
+    1    (* z_3                *)
+    0    (* dummy             *)
+    0    (* dummy             *)
+    u    (* x_1                *) in
  let a := get_a t in
  let c := get_c t in
-  ZPack25519 (Z.mul a (ZInv25519 c)).
-\end{coq}
+  let o := ZPack25519 (Z.mul a (ZInv25519 c))
+  in encodeUCoordinate o.
+\end{lstlisting}

 We first present a generic description of the Montgomery ladder (\ref{subsec:spec-ladder}).
 Then we turn our attention to the different steps of the computation (\ref{subsec:spec-unpack-clamp-inv-pack}).
@@ -64,6 +67,18 @@ We later prove our ladder correct in that respect (\sref{sec:maths}).
 \subsection{Unpacking, clamping, Inversion and Packing}
 \label{subsec:spec-unpack-clamp-inv-pack}

+
+\begin{lstlisting}[language=Coq]
+Definition decodeScalar25519 (l: list Z) : Z :=
+  ZofList 8 (clamp l).
+
+Definition decodeUCoordinate (l: list Z) : Z :=
+  ZofList 16 (Unpack25519 l).
+
+Definition encodeUCoordinate (x: Z) : list Z :=
+  ListofZ32 8 x.
+\end{lstlisting}
+
 Inputs of X25519
 % \emph{``To implement the X25519(k, u) and X448(k, u) functions (where k is
 % the scalar and u is the u-coordinate), first decode k and u and then

--- a/paper/4_lowlevel.tex
+++ b/paper/4_lowlevel.tex
@@ -3,10 +3,11 @@

 In this section we prove the following theorem:
 % In this section we outline the structure of our proofs of the following theorem:
+
 \begin{informaltheorem}
 \label{thm:VST-RFC}
 The implementation of X25519 in TweetNaCl (\TNaCle{crypto_scalarmult}) matches
-the specifications of RFC~7748~\cite{rfc7748} (\Coqe{ZCrypto_Scalarmult})
+the specifications of RFC~7748~\cite{rfc7748} (\Coqe{RFC})
 \end{informaltheorem}

 More formally.
@@ -27,10 +28,9 @@ used to in some of our more complex proofs (\ref{subsec:inversions-reflections})
 \label{subsec:proof-structure}

 In order to prove the correctness of X25519 in TweetNaCl code \TNaCle{crypto_scalarmult},
-we use VST to prove that the code matches our functional Coq specification of \Coqe{Crypto_Scalarmult}
-(to save space we sometimes abbreviate this as \Coqe{CSM}). Then, we prove that
-our specification of the scalar multiplication matches the mathematical definition
-of elliptic curves and Theorem 2.1 by Bernstein~\cite{Ber06} (\tref{thm:Elliptic-CSM}).
+we use VST to prove that the code matches our functional Coq specification of \Coqe{RFC}.
+Then, we prove that our specification of the scalar multiplication matches the mathematical definition
+of elliptic curves and Theorem 2.1 by Bernstein~\cite{Ber06} (\tref{thm:Elliptic-RFC}).
 \fref{tikz:ProofOverview} shows a graph of dependencies of the proofs.
 The mathematical proof of X25519 is presented in \sref{sec:maths}.
 \begin{figure}[h]
@@ -111,7 +111,7 @@ a pure Coq function.
 % A pure function is a function where the return value is only determined by its
 % input values, without observable side effects (Side effect are e.g. printing)
 This defines the equivalence between the Clight representation and our Coq
-definition of the ladder (\coqe{CSM}).
+definition of the ladder (\coqe{RFC}).

 \begin{lstlisting}[language=CoqVST]
 Definition crypto_scalarmult_spec :=
@@ -137,10 +137,10 @@ SEP  (sh [{ v_q }] <<(uch32)-- q;
      Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665)
 (*------------------------------------------*)
 POST [ tint ]
-PROP (Forall (fun x => 0 <= x < 2^8) (CSM n p);
-      Zlength (CSM n p) = 32)
+PROP (Forall (fun x => 0 <= x < 2^8) (RFC n p);
+      Zlength (RFC n p) = 32)
 LOCAL(temp ret_temp (Vint Int.zero))
-SEP  (sh [{ v_q }] <<(uch32)-- mVI (CSM n p);
+SEP  (sh [{ v_q }] <<(uch32)-- mVI (RFC n p);
      sh [{ v_n }] <<(uch32)-- mVI n;
      sh [{ v_p }] <<(uch32)-- mVI p;
      Ews [{ c121665 }] <<(lg16)-- mVI64 c_121665
@@ -172,22 +172,22 @@ As Post-condition we have:
  The function \TNaCle{crypto_scalarmult} returns an integer.
  \item[] \VSTe{LOCAL}: \VSTe{temp ret_temp (Vint Int.zero)}\\
  The returned integer has value $0$.
-  \item[] \VSTe{SEP}: \VSTe{sh [{ v_q $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI (CSM n p)}\\
+  \item[] \VSTe{SEP}: \VSTe{sh [{ v_q $\!\!\}\!\!]\!\!\!$ <<(uch32)-- mVI (RFC n p)}\\
  In the memory share \texttt{sh}, the address \VSTe{v_q} points
-  to a list of integer values \VSTe{mVI (CSM n p)} where \VSTe{CSM n p} is the
+  to a list of integer values \VSTe{mVI (RFC n p)} where \VSTe{RFC n p} is the
  result of the \VSTe{crypto_scalarmult} of \VSTe{n} and \VSTe{p}.
-  \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) (CSM n p)}\\
-  \VSTe{PROP}: \VSTe{Zlength (CSM n p) = 32}\\
-  We show that the computation for \VSTe{CSM} fits in  \TNaCle{u8[32]}.
+  \item[] \VSTe{PROP}: \VSTe{Forall (fun x => 0 <= x < 2^8) (RFC n p)}\\
+  \VSTe{PROP}: \VSTe{Zlength (RFC n p) = 32}\\
+  We show that the computation for \VSTe{RFC} fits in  \TNaCle{u8[32]}.
 \end{itemize}

 This specification shows that \TNaCle{crypto_scalarmult} in C computes the same
-result as \VSTe{CSM} in Coq provided that inputs are within their respective
+result as \VSTe{RFC} in Coq provided that inputs are within their respective
 bounds: arrays of 32 bytes.

 \begin{theorem}
 \label{thm:crypto-vst}
-\TNaCle{crypto_scalarmult} in TweetNaCl has the same behavior as \coqe{Crypto_Scalarmult} in Coq.
+\TNaCle{crypto_scalarmult} in TweetNaCl has the same behavior as \coqe{RFC} in Coq.
 \end{theorem}


@@ -278,7 +278,7 @@ and without returns the same result.
 We formalized this result in a generic way in Appendix~\ref{subsubsec:for}.

 Using this formalization, we prove that the 255 steps of the Montgomery ladder
-in C provide the same computations as in \coqe{CSM}.
+in C provide the same computations as in \coqe{RFC}.



@@ -645,22 +645,22 @@ By proving that each functions \coqe{Low.M}; \coqe{Low.A}; \coqe{Low.Sq}; \coqe{
 \coqe{Unpack25519}; \coqe{clamp}; \coqe{Pack25519}; \coqe{car25519} are behaving over \coqe{list Z}
 as their equivalent over \coqe{Z} in \coqe{:GF} (in \Zfield), we prove the correctness of

-\begin{theorem}
-  \label{thm:crypto-rfc}
-\coqe{Crypto_Scalarmult} matches the specification of RFC~7748.
-\end{theorem}
-
-This is formalized as follows in Coq:
-\begin{lstlisting}[language=Coq]
-Theorem Crypto_Scalarmult_Eq :
-  forall (n p:list Z),
-  Zlength n = 32 ->
-  Zlength p = 32 ->
-  Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) n ->
-  Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) p ->
-  ZofList 8 (Crypto_Scalarmult n p) =
-  ZCrypto_Scalarmult (ZofList 8 n) (ZofList 8 p).
-\end{lstlisting}
+% \begin{theorem}
+%   \label{thm:crypto-rfc}
+% \coqe{Crypto_Scalarmult} matches the specification of RFC~7748.
+% \end{theorem}
+
+% This is formalized as follows in Coq:
+% \begin{lstlisting}[language=Coq]
+% Theorem Crypto_Scalarmult_Eq :
+%   forall (n p:list Z),
+%   Zlength n = 32 ->
+%   Zlength p = 32 ->
+%   Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) n ->
+%   Forall (fun x : Z, 0 <= x /\ x < 2 ^ 8) p ->
+%   ZofList 8 (Crypto_Scalarmult n p) =
+%   ZCrypto_Scalarmult (ZofList 8 n) (ZofList 8 p).
+% \end{lstlisting}

 We prove that \coqe{Crypto_Scalarmult} matches the specification of RFC~7748 (\tref{thm:crypto-rfc}).
 With the VST we also prove that \coqe{Crypto_Scalarmult} matches the Clight translation of Tweetnacl (\tref{thm:crypto-vst}).

--- a/paper/5_highlevel.tex
+++ b/paper/5_highlevel.tex
@@ -2,12 +2,26 @@
 \label{sec:maths}

 In this section we prove the following theorem:
-\begin{theorem}
-\label{thm:Elliptic-CSM}
+
+\begin{informaltheorem}
+\label{thm:Elliptic-RFC}
 The implementation of X25519 in TweetNaCl (\TNaCle{crypto_scalarmult}) computes the
 $\F{p}$-restricted $x$-coordinate scalar multiplication on $E(\F{p^2})$ where $p$ is $\p$
 and $E$ is the elliptic curve $y^2 = x^3 + 486662 x^2 + x$.
-\end{theorem}
+\end{informaltheorem}
+
+More formally:
+\begin{lstlisting}[language=Coq]
+Theorem RFC_Correct: forall (n p : list Z)
+  (P:mc curve25519_Fp2_mcuType),
+  Zlength n = 32 ->
+  Zlength p = 32 ->
+  Forall (fun x => 0 <= x /\ x < 2 ^ 8) n ->
+  Forall (fun x => 0 <= x /\ x < 2 ^ 8) p ->
+  Fp2_x (decodeUCoordinate p) = P#x0 ->
+  RFC n p =
+    encodeUCoordinate ((P *+ (Z.to_nat (decodeScalar25519 n))) _x0).
+\end{lstlisting}

 We first review the work of Bartzia and Strub \cite{BartziaS14} (\ref{subsec:ECC-Weierstrass}).
 We extend it to support Montgomery curves (\ref{subsec:ECC-Montgomery})
@@ -414,7 +428,8 @@ we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic t
  over $M_{486662,2}(\F{p})$ such that the $x$-coordinate of $P$ is $x$.
 \end{lemma}
 \begin{lstlisting}[language=Coq]
-Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,
+Theorem x_is_on_curve_or_twist:
+  forall x : Zmodp.type,
  (exists (p : mc curve25519_mcuType), p#x0 = x) \/
  (exists (p' : mc twist25519_mcuType), p'#x0 = x).
 \end{lstlisting}
@@ -430,22 +445,22 @@ Module Zmodp2.
 Inductive type :=
  Zmodp2 (x: Zmodp.type) (y:Zmodp.type).

-Definition pi (x : Zmodp.type * Zmodp.type) : type :=
+Definition pi (x: Zmodp.type * Zmodp.type) : type :=
  Zmodp2 x.1 x.2.
-Coercion repr (x : type) : Zmodp.type*Zmodp.type :=
+Coercion repr (x: type) : Zmodp.type*Zmodp.type :=
  let: Zmodp2 u v := x in (u, v).

 Definition zero : type :=
  pi ( 0%:R, 0%:R ).
 Definition one : type :=
  pi ( 1, 0%:R ).
-Definition opp (x : type) : type :=
+Definition opp (x: type) : type :=
  pi (- x.1 , - x.2).
-Definition add (x y : type) : type :=
+Definition add (x y: type) : type :=
  pi (x.1 + y.1, x.2 + y.2).
-Definition sub (x y : type) : type :=
+Definition sub (x y: type) : type :=
  pi (x.1 - y.1, x.2 - y.2).
-Definition mul (x y : type) : type :=
+Definition mul (x y: type) : type :=
  pi ((x.1 * y.1) + (2%:R * (x.2 * y.2)),
      (x.1 * y.2) + (x.2 * y.1)).
 \end{lstlisting}
@@ -556,16 +571,4 @@ Lemma ZCrypto_Scalarmult_curve25519_ladder:
 \end{lstlisting}

 From \tref{thm:RFC} and \tref{thm:general-scalarmult}, we prove the correctness
-of \TNaCle{crypto_scalarmult} (\tref{thm:Elliptic-CSM}).
-\begin{lstlisting}[language=Coq]
-Theorem Crypto_Scalarmult_Correct:
-  forall (n:list Z) (p:list Z)
-    (P:mc curve25519_Fp2_mcuType),
-  Zlength n = 32 ->
-  Zlength p = 32 ->
-  Forall (fun x => 0 <= x /\ x < 2^8) n ->
-  Forall (fun x => 0 <= x /\ x < 2^8) p ->
-  Fp2_x (ZUnpack25519 (ZofList 8 p)) = P#x0 ->
-  ZofList 8 (Crypto_Scalarmult n p) =
-    (P *+ (Z.to_nat (Zclamp (ZofList 8 n)))) _x0.
-\end{lstlisting}
+of \TNaCle{crypto_scalarmult} (\tref{thm:Elliptic-RFC}).
--- a/paper/A2_coq.tex
+++ b/paper/A2_coq.tex
@@ -77,8 +77,8 @@ match t with
 end.
 \end{lstlisting}

-\subsubsection{ZCrypto\_Scalarmult}
-\label{subsubsec:ZCryptoScalarmult}
+\subsubsection{RFC in Coq}
+\label{subsubsec:RFC-Coq}
 ~
 Instantiation of the Class \Coqe{Ops} with operations over \Z and modulo \p.
 \begin{lstlisting}[language=Coq]
@@ -152,21 +152,33 @@ Proof.
  apply Mid.getbit.   (* instantiate ith bit *)
 Defined.

+Definition decodeScalar25519 (l: list Z) : Z :=
+  ZofList 8 (clamp l).
+
+Definition decodeUCoordinate (l: list Z) : Z :=
+  ZofList 16 (Unpack25519 l).
+
+Definition encodeUCoordinate (x: Z) : list Z :=
+  ListofZ32 8 x.
+
 (* instantiate montgomery_rec with Z_Ops *)
-Definition ZCrypto_Scalarmult n p :=
+Definition RFC (n: list Z) (p: list Z) : list Z :=
+  let k := decodeScalar25519 n in
+  let u := decodeUCoordinate p in
  let t := montgomery_rec
-    255               (* iterate 255 times *)
-    (Zclamp n)        (* clamped n         *)
-    1                 (* x_2                *)
-    (ZUnpack25519 p)  (* x_3                *)
-    0                 (* z_2                *)
-    1                 (* z_3                *)
-    0                 (* dummy             *)
-    0                 (* dummy             *)
-    (ZUnpack25519 p)  (* x_1                *) in
+    255  (* iterate 255 times *)
+    k    (* clamped n         *)
+    1    (* x_2                *)
+    u    (* x_3                *)
+    0    (* z_2                *)
+    1    (* z_3                *)
+    0    (* dummy             *)
+    0    (* dummy             *)
+    u    (* x_1                *) in
  let a := get_a t in
  let c := get_c t in
-  ZPack25519 (Z.mul a (ZInv25519 c)).
+  let o := ZPack25519 (Z.mul a (ZInv25519 c))
+  in encodeUCoordinate o.
 \end{lstlisting}

 \subsubsection{CSM}

--- a/paper/tikz/proof.tex
+++ b/paper/tikz/proof.tex
@@ -8,8 +8,27 @@
     preaction = {decorate},
     postaction = {draw,line width=1.4pt, white,shorten >= 4.5pt}]

+   \path [thick, dashed] (2.5,1) edge +(0,-6.75);
+   \draw (2.5,1) node[anchor=north east] {\sref{sec:Coq-RFC}};
+   \draw (2.5,1) node[anchor=north west] {\sref{sec:C-Coq}};
+   \path [thick, dashed] (0,-5.75) edge +(8.5,0);
+   \draw (8.5,-5.75) node[anchor=north east] {\sref{sec:maths}};
+
+  % SECTION III
+
+  % Definition of RFC
+  \begin{scope}[yshift=-3 cm,xshift=0 cm]
+   \draw (0,0) -- (0.4, 0.4) -- (1.75,0.4) -- (1.75,0) -- cycle;
+   \draw (0,0) -- (1.75,0) -- (1.75,-1) -- (0, -1) -- cycle;
+   \draw (0.3,-0.05) node[textstyle] {Definition};
+   \draw (0.875,-0.5) node[textstyle, anchor=center] {\texttt{RFC}};
+   \draw (1.75,-1) node[textstyle, anchor = south east] {\color{doc@lstfunctions}{.V}};
+  \end{scope}
+
+   % SECTION IV
+
  % C code
-  \begin{scope}[yshift=0 cm,xshift=0 cm]
+  \begin{scope}[yshift=-0.25 cm,xshift=3 cm]
    \draw (0,0) -- (0.4, 0.4) -- (1.25,0.4) -- (1.25,0) -- cycle;
    \draw (0,0) -- (1.25,0) -- (1.25,-1.25) -- (0, -1.25) -- cycle;
    \draw (0.3,-0.05) node[textstyle] {code};
@@ -17,9 +36,8 @@
    \draw (1.25,-1.25) node[textstyle, anchor = south east] {\color{doc@lstfunctions}{.C}};
  \end{scope}

-
  % V code
-  \begin{scope}[yshift=0 cm,xshift=2.5 cm]
+  \begin{scope}[yshift=-0.25 cm,xshift=5 cm]
    \draw (0,0) -- (0.4, 0.4) -- (1.25,0.4) -- (1.25,0) -- cycle;
    \draw (0,0) -- (1.25,0) -- (1.25,-1.25) -- (0, -1.25) -- cycle;
    \draw (0.3,-0.05) node[textstyle] {code};
@@ -28,61 +46,63 @@
    % \draw (1.25,0)  node[anchor=south east, inner sep=0pt] {\includegraphics[width=.0125\textwidth]{img/coq_logo.png}};
  \end{scope}

-  % VST Theorem
-  \begin{scope}[yshift=0 cm,xshift=6 cm]
-    \draw (0,0) -- (0.4, 0.4) -- (2.5,0.4) -- (2.5,0) -- cycle;
-    \draw (0,0) -- (2.5,0) -- (2.5,-1.25) -- (0, -1.25) -- cycle;
-    \draw (0.3,-0.05) node[textstyle] {Proof};
-    \draw (1.25,-0.5) node[textstyle, anchor=center] {\{{\color{doc@lstnumbers}\textbf{Pre}}\} \texttt{Prog} \{{\color{doc@lstdirective}\textbf{Post}}\}};
-    \draw (2.5,-1.25) node[textstyle, anchor = south east] {\color{doc@lstfunctions}{\checkmark}};
-  \end{scope}
+  \path [thick, double, ->] (4.25,-0.75) edge (5, -0.75);

  % VST Spec
-  \begin{scope}[yshift=-2.5 cm,xshift=3 cm]
+  \begin{scope}[yshift=-3 cm,xshift=3 cm]
    \draw (0,0) -- (0.4, 0.4) -- (2,0.4) -- (2,0) -- cycle;
    \draw (0,0) -- (2,0) -- (2,-2) -- (0, -2) -- cycle;
    \draw (0.3,-0.05) node[textstyle] {Specification};
    \draw (1,-1) node[textstyle, anchor=center, align=left] {
      {\color{doc@lstnumbers}\textbf{Pre}}:\\
      ~~$n \in \N$,\\
+      % ~~$n \in$ \TNaCles{u8[32]},\\
      ~~$P \in E(\F{p^2})$\\
+      % ~~$P \in$ \TNaCles{u8[32]}\\
      {\color{doc@lstdirective}\textbf{Post}}:\\
-      ~~\texttt{CSM}$(n,P)$};
+      ~~\texttt{RFC}$(n,P)$};
  \end{scope}

-  % Definition of CSM
-  \begin{scope}[yshift=-4.5 cm,xshift=0 cm]
-    \draw (0,0) -- (0.4, 0.4) -- (2,0.4) -- (2,0) -- cycle;
-    \draw (0,0) -- (2,0) -- (2,-1) -- (0, -1) -- cycle;
-    \draw (0.3,-0.05) node[textstyle] {Definition};
-    \draw (1,-0.5) node[textstyle, anchor=center] {\texttt{CSM}};
+  % VST Theorem
+  \begin{scope}[yshift=-3 cm,xshift=6 cm]
+    \draw (0,0) -- (0.4, 0.4) -- (2.5,0.4) -- (2.5,0) -- cycle;
+    \draw (0,0) -- (2.5,0) -- (2.5,-1.25) -- (0, -1.25) -- cycle;
+    \draw (0.3,-0.05) node[textstyle] {Proof};
+    \draw (1.25,-0.5) node[textstyle, anchor=center] {\{{\color{doc@lstnumbers}\textbf{Pre}}\} \texttt{Prog} \{{\color{doc@lstdirective}\textbf{Post}}\}};
+    \draw (2.5,-1.25) node[textstyle, anchor = south east] {\color{doc@lstfunctions}{\checkmark}};
  \end{scope}

+  \path [thick, double] (5.625,-1.5) edge [out=-90, in=90] (5.625, -2.5);
+  \path [thick, double, ->] (5.625, -2.5) edge [out=-90, in=180] (6, -3.5);
+  \path [thick, double, ->] (5,-3.75) edge [out=0, in=180] (6, -3.75);
+
+
+
+  % SECTION V
+
  % Spec of Curve nP
-  \begin{scope}[yshift=-7.5 cm,xshift=0 cm]
-    \draw (0,0) -- (0.4, 0.4) -- (2,0.4) -- (2,0) -- cycle;
-    \draw (0,0) -- (2,0) -- (2,-1) -- (0, -1) -- cycle;
+  \begin{scope}[yshift=-7.25 cm,xshift=0 cm]
+    \draw (0,0) -- (0.4, 0.4) -- (1.75,0.4) -- (1.75,0) -- cycle;
+    \draw (0,0) -- (1.75,0) -- (1.75,-1) -- (0, -1) -- cycle;
    \draw (0.3,-0.05) node[textstyle] {Definition};
-    \draw (1,-0.5) node[textstyle, anchor=center] {$n \cdot P$};
+    \draw (0.875,-0.5) node[textstyle, anchor=center] {$n \cdot P$};
  \end{scope}

  % Correctness Theorem
-  \begin{scope}[yshift=-7 cm,xshift=6 cm]
+  \begin{scope}[yshift=-6.75 cm,xshift=6 cm]
    \draw (0,0) -- (0.4, 0.4) -- (2.5,0.4) -- (2.5,0) -- cycle;
    \draw (0,0) -- (2.5,0) -- (2.5,-1.5) -- (0, -1.5) -- cycle;
    \draw (0.3,-0.05) node[textstyle] {Proof};
    \draw (2.5,-1.5) node[textstyle, anchor = south east] {\color{doc@lstfunctions}{\checkmark}};
-    \draw (1.25,-0.75) node[textstyle, anchor=center] {{\color{doc@lstnumbers}\textbf{Pre}} $\implies$\\$\text{\texttt{CSM}}(n,P) = n \cdot P$};
+    \draw (1.25,-0.75) node[textstyle, anchor=center] {{\color{doc@lstnumbers}\textbf{Pre}} $\implies$\\$\text{\texttt{RFC}}(n,P) = n \cdot P$};
  \end{scope}

-  \path [thick, double, ->] (1.25,-0.5) edge (2.5, -0.5);
-  \path [thick, double, ->] (3.75,-0.5) edge (6, -0.5);
-  \path [thick, double, ->] (5,-3.5) edge [out=0, in=-90] (6.5, -1.25);
-  \path [thick, double, ->] (2,-5) edge  [out=0, in=-180] (3, -3.5);
-  \path [thick, double, ->] (2,-5) edge [out=0, in=-180] (6, -7.5);
-  \path [thick, double, ->] (2,-8) edge [out=0, in=-180] (6, -8);
+  \path [thick, double, ->] (1.75,-3.5) edge  [out=0, in=-180] (3, -3.5);
+  \path [thick, double] (1.75,-3.5) edge [out=0, in=90] (2.25, -4);
+  \path [thick, double] (2.25, -4) edge [out=-90, in=90] (2.25, -6.75);
+  \path [thick, double] (2.25, -6.75) edge [out=-90, in=-180] (3, -7.5);
+  \path [thick, double, ->] (3, -7.5) edge [out=0, in=-180] (6, -7.5);
+  \path [thick, double, ->] (1.75,-7.75) edge [out=0, in=-180] (6, -7.75);
+

-  \path [thick, dashed] (0,-5.75) edge +(8.5,0);
-  \draw (8.5,-5.75) node[anchor=south east] {\sref{sec:C-Coq-RFC}};
-  \draw (8.5,-5.75) node[anchor=north east] {\sref{sec:maths}};
 \end{tikzpicture}
--- a/proofs/vst/spec/spec_crypto_scalarmult.v
+++ b/proofs/vst/spec/spec_crypto_scalarmult.v
@@ -67,8 +67,6 @@ Require Import Tweetnacl_verif.verif_crypto_scalarmult_lemmas.
 Require Import Tweetnacl.Low.Get_abcdef.
 Require Import Tweetnacl.Low.ScalarMult_rev.
 Require Import Tweetnacl.Low.Constant.
-(* Require Import Tweetnacl.Low.Crypto_Scalarmult. *)
-(* Require Import Tweetnacl.Low.Crypto_Scalarmult_. *)
 Require Import Tweetnacl.Mid.Instances.
 Require Import Tweetnacl.rfc.rfc.
 Open Scope Z.