Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
Benoit Viguier
coqveriftweetnacl
Commits
dc9fe4e1
Commit
dc9fe4e1
authored
Jul 03, 2019
by
Benoit Viguier
Browse files
WIP
parent
a88d3f80
Changes
2
Hide whitespace changes
Inline
Sidebyside
paper/lowlevel.tex
View file @
dc9fe4e1
...
...
@@ 4,6 +4,106 @@
In this section we describe techniques used to prove the equivalence between the
Clight description of TweetNaCl and Coq functions producing similar behaviors.
\subsection
{
Correctness Specification
}
We show the soundness of TweetNaCl by proving the following specification matches a pure Coq function.
This defines the equivalence between the Clight representation and a Coq definition of the ladder.
\begin{CoqVST}
Definition crypto
_
scalarmult
_
spec :=
DECLARE
_
crypto
_
scalarmult
_
curve25519
_
tweet
WITH
v
_
q: val, v
_
n: val, v
_
p: val, c121665:val,
sh : share,
q : list val, n : list Z, p : list Z
(**)
PRE [
_
q OF (tptr tuchar),
_
n OF (tptr tuchar),
_
p OF (tptr tuchar) ]
PROP (writable
_
share sh;
Forall (fun x => 0 <= x < 2
^
8) p;
Forall (fun x => 0 <= x < 2
^
8) n;
Zlength q = 32; Zlength n = 32;
Zlength p = 32)
LOCAL(temp
_
q v
_
q; temp
_
n v
_
n; temp
_
p v
_
p;
gvar
__
121665 c121665)
SEP (sh [
{
v
_
q
}
] <<(uch32) q;
sh [
{
v
_
n
}
] <<(uch32) mVI n;
sh [
{
v
_
p
}
] <<(uch32) mVI p;
Ews [
{
c121665
}
] <<(lg16) mVI64 c
_
121665)
(**)
POST [ tint ]
PROP (Forall (fun x => 0 <= x < 2
^
8) (CSM n p);
Zlength (CSM n p) = 32)
LOCAL(temp ret
_
temp (Vint Int.zero))
SEP (sh [
{
v
_
q
}
] <<(uch32) mVI (CSM n p);
sh [
{
v
_
n
}
] <<(uch32) mVI n;
sh [
{
v
_
p
}
] <<(uch32) mVI p;
Ews [
{
c121665
}
] <<(lg16) mVI64 c
_
121665
\end{CoqVST}
In this specification we state as preconditions:
\begin{itemize}
\item
[]
\VSTe
{
PRE
}
:
\VSTe
{_
p OF (tptr tuchar)
}
\\
The function
\texttt
{
crypto
\_
scalarmult
}
takes as input three pointers to
arrays of unsigned bytes (
\VSTe
{
tptr tuchar
}
)
\VSTe
{_
p
}
,
\VSTe
{_
q
}
and
\VSTe
{_
n
}
.
\item
[]
\VSTe
{
LOCAL
}
:
\VSTe
{
temp
_
p v
_
p
}
\\
Each pointer represent an address
\VSTe
{
v
_
p
}
,
\VSTe
{
v
_
q
}
and
\VSTe
{
v
_
n
}
.
\item
[]
\VSTe
{
SEP
}
:
\VSTe
{
sh [
{
v
_
p
$
\!\!\}\!\!
]
\!\!\!
$
<<(uch32) mVI p
}
\\
In the memory share
\texttt
{
sh
}
, the address
\VSTe
{
v
_
p
}
points
to a list of integer values
\VSTe
{
mVI p
}
.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Forall (fun x => 0 <= x < 2
^
8) p
}
\\
In order to consider all the possible inputs, we assumed each
elements of the list
\texttt
{
p
}
to be bounded by
$
0
$
included and
$
2
^
8
$
excluded.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Zlength p = 32
}
\\
We also assumed that the length of the list
\texttt
{
p
}
is 32. This defines the
complete representation of
\TNaCle
{
u8[32]
}
.
\end{itemize}
As Postcondition we have:
\begin{itemize}
\item
[]
\VSTe
{
POST
}
:
\VSTe
{
tint
}
\\
The function
\texttt
{
crypto
\_
scalarmult
}
returns an integer.
\item
[]
\VSTe
{
LOCAL
}
:
\VSTe
{
temp ret
_
temp (Vint Int.zero)
}
\\
The returned integer has value
$
0
$
.
\item
[]
\VSTe
{
SEP
}
:
\VSTe
{
sh [
{
v
_
q
$
\!\!\}\!\!
]
\!\!\!
$
<<(uch32) mVI (CSM n p)
}
\\
In the memory share
\texttt
{
sh
}
, the address
\VSTe
{
v
_
q
}
points
to a list of integer values
\VSTe
{
mVI (CSM n p)
}
where
\VSTe
{
CSM n p
}
is the
result of the
\VSTe
{
crypto
_
scalarmult
}
over
\VSTe
{
n
}
and
\VSTe
{
p
}
.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Forall (fun x => 0 <= x < 2
^
8) (CSM n p)
}
\\
\VSTe
{
PROP
}
:
\VSTe
{
Zlength (CSM n p) = 32
}
\\
We show that the computation for
\VSTe
{
CSM
}
fits in
\TNaCle
{
u8[32]
}
.
\end{itemize}
This specification shows that
\VSTe
{
crypto
_
scalarmult
}
in C computes the same
result as
\VSTe
{
CSM
}
in Coq provided that inputs are within their respective
bounds.
By converting those array of 32 bytes into their respective littleendian value
we prove the correctness of
\VSTe
{
crypto
_
scalarmult
}
(Theorem
\ref
{
CSMcorrect
}
)
in Coq (for the sake of simplicity we do not display the conversion in the theorem).
\begin{theorem}
\label
{
CSMcorrect
}
For all
$
n
\in
\N
, n <
2
^{
255
}$
and where the bits 1, 2, 5 248, 249, 250
are cleared and bit 6 is set, for all
$
P
\in
E
(
\F
{
p
^
2
}
)
$
,
for all
$
p
\in
\F
{
p
}$
such that
$
P.x
=
p
$
,
there exists
$
Q
\in
E
(
\F
{
p
^
2
}
)
$
such that
$
Q
=
nP
$
where
$
Q.x
=
q
$
and
$
q
$
=
\VSTe
{
CSM
}
$
n
$
$
p
$
.
\end{theorem}
A more complete description in Coq of Theorem
\ref
{
CSMcorrect
}
with the associated conversions
is as follow:
\begin{lstlisting}
[language=Coq]
Theorem Crypto
_
Scalarmult
_
Correct:
forall (n p:list Z) (P:mc curve25519
_
Fp2
_
mcuType),
Zlength n = 32 >
Zlength p = 32 >
Forall (fun x => 0 <= x /
\
x < 2
^
8) n >
Forall (fun x => 0 <= x /
\
x < 2
^
8) p >
Fp2
_
x (ZUnpack25519 (ZofList 8 p)) = P#x0 >
ZofList 8 (Crypto
_
Scalarmult n p) =
(P *+ (Z.to
_
nat (Zclamp (ZofList 8 n))))
_
x0.
\end{lstlisting}
\subsection
{
Number Representation and C Implementation
}
As described in Section
\ref
{
sec:impl
}
, numbers in
\TNaCle
{
gf
}
are represented
...
...
paper/preliminaries.tex
View file @
dc9fe4e1
...
...
@@ 2,25 +2,20 @@
\label
{
preliminaries
}
\subsection
{
The X25519 key exchange
}
\F
{
p
}
,
\F
{
p
^
2
}
, Coordinates, Xcoordinates in
\F
{
p
}
.
XXX: math definition from Cure25519 paper.
XXX: math definition from Cur
v
e25519 paper.
\subsection
{
X25519 in TweetNaCl
}
\subheading
{
The Montgomery ladder
}
\todo
{
Ladder algorithm C code
}
\todo
{
Ladderstep algorithm C code
}
\subheading
{
Arithmetic in
\Ffield
}
Given a natural number
$
n
$
and a value
$
x
\in
\F
{
p
}$
,
Curve
25519 is a function over a
$
\F
{
p
}$
restricted
Given a natural number
$
n
$
and a value
$
x
\in
\F
{
p
}$
,
X
25519 is a function over a
$
\F
{
p
}$
restricted
$
x
$
coordinate computing a scalar multiplication on
$
E
(
\F
{
p
^
2
}
)
$
.
As a result of this restriction, all computations are done over
$
\F
{
p
}$
.
Numbers in that field can be represented with 256 bits.
We represent them in 8bit limbs (respectively 16bit limbs),
making use of a base
$
2
^
8
$
(respectively
$
2
^{
16
}$
).
Consequently, inputs of the
Curve
25519 function are seen as arrays of bytes.
Consequently, inputs of the
X
25519 function are seen as arrays of bytes.
Computations inside this function makes use of the 16bit limbs representation.
Those are placed into 64bits signed container in order to mitigate overflows or underflows.
\begin{lstlisting}
[language=Ctweetnacl]
...
...
@@ 32,8 +27,8 @@ $\exists x,y \in$ \TNaCle{gf} such that
\vspace
{
0.25cm
}
$$
x
\neq
y
\ \ \land\ \
x
\equiv
y
\pmod
{
2
^{
255
}

19
}$$
On the other hand it allows simple definitions of addition (
\texttt
{
A
}
),
substraction (
\texttt
{
Z
}
), and schoolbook multiplication (
\texttt
{
M
}
).
On the other hand it allows simple definitions of addition (
\texttt
{
A
}
),
substraction (
\texttt
{
Z
}
), and schoolbook multiplication (
\texttt
{
M
}
).
% and squaring (\texttt{S}).
\begin{lstlisting}
[language=Ctweetnacl]
sv A(gf o,const gf a,const gf b)
{
...
...
@@ 84,11 +79,15 @@ $\exists x,y \in$ \TNaCle{gf} such that
% }
% \end{lstlisting}
At the end of the Montgomery ladder,
\texttt
{
inv25519
}
computes the inverse over
\Zfield
.
It uses Fermat's little theorem by the exponentiation to
$
2
^{
255
}

21
$
with the Squareandmultiply algorithm.
Inverse in
\Zfield
are computed with
\texttt
{
inv25519
}
.
It takes the exponentiation by
$
2
^{
255
}

21
$
with the Squareandmultiply algorithm.
Fermat's little theorem brings the correctness.
Notice that in this case the inverse of
$
0
$
is defined as
$
0
$
.
% It takes advantage of the shape of the number by not doing the multiplications only twice.
% \todo{Ladder algorithm C code}
% \todo{Ladderstep algorithm C code}
The last step of
\texttt
{
crypto
\_
scalarmult
}
is the packing of the limbs: an array of 32 bytes.
It first performs 3 carry propagations in order to guarantee
that each 16bit limbs values are between
$
0
$
and
$
2
^{
16
}$
.
...
...
@@ 124,7 +123,7 @@ $\exists x,y \in$ \TNaCle{gf} such that
}
\end{lstlisting}
The full Montgomery
ladder is defined as follow.
\subheading
{
The Montgomery ladder
}
The full
ladder is defined as follow.
First extract and clamp the value of
$
n
$
. Then unpack the value of
$
p
$
.
Compute the Montgomery ladder over the clamped
$
n
$
and
$
p
$
, pack the result into
$
q
$
.
\begin{lstlisting}
[language=Ctweetnacl]
...
...
@@ 222,104 +221,3 @@ This garantees us the correctness of the implementation.
\caption
{
Structural construction of the proof
}
\label
{
tk:ProofStructure
}
\end{figure}
\subsection
{
Correctness Specification
}
We show the soundness of TweetNaCl by proving the following specification matches a pure Coq function.
This defines the equivalence between the Clight representation and a Coq definition of the ladder.
\begin{CoqVST}
Definition crypto
_
scalarmult
_
spec :=
DECLARE
_
crypto
_
scalarmult
_
curve25519
_
tweet
WITH
v
_
q: val, v
_
n: val, v
_
p: val, c121665:val,
sh : share,
q : list val, n : list Z, p : list Z
(**)
PRE [
_
q OF (tptr tuchar),
_
n OF (tptr tuchar),
_
p OF (tptr tuchar) ]
PROP (writable
_
share sh;
Forall (fun x => 0 <= x < 2
^
8) p;
Forall (fun x => 0 <= x < 2
^
8) n;
Zlength q = 32; Zlength n = 32;
Zlength p = 32)
LOCAL(temp
_
q v
_
q; temp
_
n v
_
n; temp
_
p v
_
p;
gvar
__
121665 c121665)
SEP (sh [
{
v
_
q
}
] <<(uch32) q;
sh [
{
v
_
n
}
] <<(uch32) mVI n;
sh [
{
v
_
p
}
] <<(uch32) mVI p;
Ews [
{
c121665
}
] <<(lg16) mVI64 c
_
121665)
(**)
POST [ tint ]
PROP (Forall (fun x => 0 <= x < 2
^
8) (CSM n p);
Zlength (CSM n p) = 32)
LOCAL(temp ret
_
temp (Vint Int.zero))
SEP (sh [
{
v
_
q
}
] <<(uch32) mVI (CSM n p);
sh [
{
v
_
n
}
] <<(uch32) mVI n;
sh [
{
v
_
p
}
] <<(uch32) mVI p;
Ews [
{
c121665
}
] <<(lg16) mVI64 c
_
121665
\end{CoqVST}
In this specification we state as preconditions:
\begin{itemize}
\item
[]
\VSTe
{
PRE
}
:
\VSTe
{_
p OF (tptr tuchar)
}
\\
The function
\texttt
{
crypto
\_
scalarmult
}
takes as input three pointers to
arrays of unsigned bytes (
\VSTe
{
tptr tuchar
}
)
\VSTe
{_
p
}
,
\VSTe
{_
q
}
and
\VSTe
{_
n
}
.
\item
[]
\VSTe
{
LOCAL
}
:
\VSTe
{
temp
_
p v
_
p
}
\\
Each pointer represent an address
\VSTe
{
v
_
p
}
,
\VSTe
{
v
_
q
}
and
\VSTe
{
v
_
n
}
.
\item
[]
\VSTe
{
SEP
}
:
\VSTe
{
sh [
{
v
_
p
$
\!\!\}\!\!
]
\!\!\!
$
<<(uch32) mVI p
}
\\
In the memory share
\texttt
{
sh
}
, the address
\VSTe
{
v
_
p
}
points
to a list of integer values
\VSTe
{
mVI p
}
.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Forall (fun x => 0 <= x < 2
^
8) p
}
\\
In order to consider all the possible inputs, we assumed each
elements of the list
\texttt
{
p
}
to be bounded by
$
0
$
included and
$
2
^
8
$
excluded.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Zlength p = 32
}
\\
We also assumed that the length of the list
\texttt
{
p
}
is 32. This defines the
complete representation of
\TNaCle
{
u8[32]
}
.
\end{itemize}
As Postcondition we have:
\begin{itemize}
\item
[]
\VSTe
{
POST
}
:
\VSTe
{
tint
}
\\
The function
\texttt
{
crypto
\_
scalarmult
}
returns an integer.
\item
[]
\VSTe
{
LOCAL
}
:
\VSTe
{
temp ret
_
temp (Vint Int.zero)
}
\\
The returned integer has value
$
0
$
.
\item
[]
\VSTe
{
SEP
}
:
\VSTe
{
sh [
{
v
_
q
$
\!\!\}\!\!
]
\!\!\!
$
<<(uch32) mVI (CSM n p)
}
\\
In the memory share
\texttt
{
sh
}
, the address
\VSTe
{
v
_
q
}
points
to a list of integer values
\VSTe
{
mVI (CSM n p)
}
where
\VSTe
{
CSM n p
}
is the
result of the
\VSTe
{
crypto
_
scalarmult
}
over
\VSTe
{
n
}
and
\VSTe
{
p
}
.
\item
[]
\VSTe
{
PROP
}
:
\VSTe
{
Forall (fun x => 0 <= x < 2
^
8) (CSM n p)
}
\\
\VSTe
{
PROP
}
:
\VSTe
{
Zlength (CSM n p) = 32
}
\\
We show that the computation for
\VSTe
{
CSM
}
fits in
\TNaCle
{
u8[32]
}
.
\end{itemize}
This specification shows that
\VSTe
{
crypto
_
scalarmult
}
in C computes the same
result as
\VSTe
{
CSM
}
in Coq provided that inputs are within their respective
bounds.
By converting those array of 32 bytes into their respective littleendian value
we prove the correctness of
\VSTe
{
crypto
_
scalarmult
}
(Theorem
\ref
{
CSMcorrect
}
)
in Coq (for the sake of simplicity we do not display the conversion in the theorem).
\begin{theorem}
\label
{
CSMcorrect
}
For all
$
n
\in
\N
, n <
2
^{
255
}$
and where the bits 1, 2, 5 248, 249, 250
are cleared and bit 6 is set, for all
$
P
\in
E
(
\F
{
p
^
2
}
)
$
,
for all
$
p
\in
\F
{
p
}$
such that
$
P.x
=
p
$
,
there exists
$
Q
\in
E
(
\F
{
p
^
2
}
)
$
such that
$
Q
=
nP
$
where
$
Q.x
=
q
$
and
$
q
$
=
\VSTe
{
CSM
}
$
n
$
$
p
$
.
\end{theorem}
A more complete description in Coq of Theorem
\ref
{
CSMcorrect
}
with the associated conversions
is as follow:
\begin{lstlisting}
[language=Coq]
Theorem Crypto
_
Scalarmult
_
Correct:
forall (n p:list Z) (P:mc curve25519
_
Fp2
_
mcuType),
Zlength n = 32 >
Zlength p = 32 >
Forall (fun x => 0 <= x /
\
x < 2
^
8) n >
Forall (fun x => 0 <= x /
\
x < 2
^
8) p >
Fp2
_
x (ZUnpack25519 (ZofList 8 p)) = P#x0 >
ZofList 8 (Crypto
_
Scalarmult n p) =
(P *+ (Z.to
_
nat (Zclamp (ZofList 8 n))))
_
x0.
\end{lstlisting}
% Its proof is explained in the next section.
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment