Verifying Curve25519 Software

Authors:
Yu-Fang Chen

Academia Sinica, Taipei, Taiwan Roc

Academia Sinica, Taipei, Taiwan Roc
View Profile

,
Chang-Hong Hsu

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Hsin-Hung Lin

Kyushu University, Fukuoka, Japan

Kyushu University, Fukuoka, Japan
View Profile

,
Peter Schwabe

Radboud University Nijmegen, Nijmegen, Netherlands

Radboud University Nijmegen, Nijmegen, Netherlands
View Profile

,
Ming-Hsien Tsai

Academia Sinica, Taipei, Taiwan Roc

Academia Sinica, Taipei, Taiwan Roc
View Profile

,
Bow-Yaw Wang

Academia Sinica, Taipei, Taiwan Roc

Academia Sinica, Taipei, Taiwan Roc
View Profile

,
Bo-Yin Yang

Academia Sinica, Taipei, Taiwan Roc

Academia Sinica, Taipei, Taiwan Roc
View Profile

,
Shang-Yi Yang

Academia Sinica, Taipei, Taiwan Roc

Academia Sinica, Taipei, Taiwan Roc
View Profile

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2014Pages 299–309https://doi.org/10.1145/2660267.2660370

Published:03 November 2014Publication History

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 299–309

ABSTRACT

This paper presents results on formal verification of high-speed cryptographic software. We consider speed-record-setting hand-optimized assembly software for Curve25519 elliptic-curve key exchange presented by Bernstein et al. at CHES 2011. Two versions for different microarchitectures are available. We successfully verify the core part of the computation, and reproduce detection of a bug in a previously published edition. An SMT solver supporting array and bit-vector theories is used to establish almost all properties. Remaining properties are verified in a proof assistant with simple rewrite tactics. We also exploit the compositionality of Hoare logic to address the scalability issue. Essential differences between both versions of the software are discussed from a formal-verification perspective.

References

R. Affeldt. On construction of a library of formally verified low-level arithmetic functions. Innovations in Systems and Software Engineering, 9(2):59--77, 2013. https://staff.aist.go.jp/reynald.affeldt/documents/arilib-affeldt.pdf. Google ScholarDigital Library
R. Affeldt and N. Marti. An approach to formal verification of arithmetic functions in assembly. In M. Okada and I. Satoh, editors, Advances in Computer Science -- ASIAN 2006, volume 4435 of Lecture Notes in Computer Science, pages 346--360. Springer-Verlag Berlin Heidelberg, 2007. https://staff.aist.go.jp/reynald.affeldt/documents/affeldt-asian2006.pdf. Google ScholarDigital Library
R. Affeldt, D. Nowak, and K. Yamada. Certifying assembly with formal security proofs: The case of BBS. Science of Computer Programming, 77(10--11):1058{1074, 2012. http://www.sciencedirect.com/science/article/pii/S0167642311001493. Google ScholarDigital Library
J. B. Almeida, M. Barbosa, G. Barthe, and F. Dupressoir. Certified computer-aided cryptography: effcient provably secure machine code from high-level implementations. In V. Gligor and M. Yung, editors, Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 1217--1230. ACM New York, 2013. http://eprint.iacr.org/2013/316/. Google ScholarDigital Library
B. Alpern, M. N. Wegman, and F. K. Zadeck. Detecting equality of variables in programs. In ACM Symposium on Principles of Programming Languages -- (POPL 1988), pages 1--11. ACM Press, 1988. http://courses.cs.washington.edu/courses/cse501/04wi/papers/alpern-popl88.pdf. Google ScholarDigital Library
R. Avanzi, H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen, and F. Vercauteren. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC, 2006. Google ScholarDigital Library
E.-I. Bartzia. Formalisation des courbes elliptiques en coq. Master's thesis, Universite de Vincennes-Saint Denis { Paris VIII, 2011. http://pierre-yves.strub.nu/research/ec/.Google Scholar
A. G. Bayrak, F. Regazzoni, D. Novo, and P. Ienne. Sleuth: Automated verification of software power analysis countermeasures. In G. Bertoni and J.-S. Coron, editors, Cryptographic Hardware and Embedded Systems -- CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 293--310. Springer-Verlag Berlin Heidelberg, 2013. Google ScholarDigital Library
D. J. Bernstein. qhasm: tools to help write high-speed software. http://cr.yp.to/qhasm.html.Google Scholar
D. J. Bernstein. Supercop: System for unified performance evaluation related to cryptographic operations and primitives. http://bench.cr.yp.to/supercop.html. Published as part of ECRYPT II VAMPIRE Lab.Google Scholar
D. J. Bernstein. Curve25519: new Diffie-Hellman speed records. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography -- PKC 2006, volume 3958 of Lecture Notes in Computer Science, pages 207{228. Springer-Verlag Berlin Heidelberg, 2006. http://cr.yp.to/papers.html#curve25519. Google ScholarDigital Library
D. J. Bernstein. Batch binary Edwards. In S. Halevi, editor, Advances in Cryptology -- CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 317--336. Springer-Verlag Berlin Heidelberg, 2009. http://cr.yp.to/papers.html#bbe. Google ScholarDigital Library
D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang. High-speed high-security signatures. In B. Preneel and T. Takagi, editors, Cryptographic Hardware and Embedded Systems -- CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 124--142. Springer-Verlag Berlin Heidelberg, 2011. see also full version {14}. Google ScholarDigital Library
D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang. High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2):77--89, 2012. http://cryptojedi.org/papers/#ed25519, see also short version {13}.Google ScholarCross Ref
D. J. Bernstein and T. L. (editors). eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to (accessed May 17, 2014).Google Scholar
D. J. Bernstein and T. L. (editors). Explicit-formulas database. http://www.hyperelliptic.org/EFD/ (accessed May 17, 2014).Google Scholar
D. J. Bernstein, W. Janssen, T. Lange, and P. Schwabe. TweetNaCl: A crypto library in 100 tweets, 2013. http://cryptojedi.org/papers/#tweetnacl.Google Scholar
D. J. Bernstein, T. Lange, and P. Schwabe. The security impact of a new cryptographic library. In A. Hevia and G. Neven, editors, Progress in Cryptology -- LATINCRYPT 2012, volume 7533 of Lecture Notes in Computer Science, pages 159--176.Springer-Verlag Berlin Heidelberg, 2012. http://cryptojedi.org/papers/#coolnacl. Google ScholarDigital Library
Y. Bertot and P. Cast--eran. Interactive Theorem Proving and Program Development Coq'Art: The Calculus of Inductive Constructions. EATCS. Springer, 2004. Google ScholarDigital Library
K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and S. Zanella-Beguelin. miTLS: A verified reference TLS implementation, 2014. http://www.mitls.org/wsgi/home.Google Scholar
K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub. Implementing TLS with verified cryptographic security. In IEEE Symposium on Security and Privacy 2013, pages 445--459, 2013. full version: http://www.mitls.org/downloads/miTLS-report.pdf. Google ScholarDigital Library
B. B. Brumley, M. Barbosa, D. Page, and F. Vercauteren. Practical realisation and elimination of an ECC-related software bug attack. In O. Dunkelman, editor, Topics in Cryptology -- CT-RSA 2012, volume 7178 of Lecture Notes in Computer Science, pages 171--186. Springer-Verlag Berlin Heidelberg, 2012. http://eprint.iacr.org/2011/633. Google ScholarDigital Library
R. Brummayer and A. Biere. Boolector: An effcient SMT solver for bit-vectors and arrays. In S. Kowalewski and A. Philippou, editors, Tools and Algorithms for the Construction and Analysis of Systems -- (TACAS 2009), volume 5505 of Lecture Notes in Computer Science, pages 174--177. Springer-Verlag Berlin Heidelberg, 2009. http://fmv.jku.at/papers/BrummayerBiere-TACAS09.pdf. Google ScholarDigital Library
C. Costello, H. Hisil, and B. Smith. Faster compact diffie--hellman: Endomorphisms on the x-line. In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology -- EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 183--200. Springer-Verlag Berlin Heidelberg, 2014. http://eprint.iacr.org/2013/692/.Google Scholar
M. D. Ernst, J. H. Perkins, P. J. Guo, S. McCamant, C. Pacheco, M. S. Tschantz, and C. Xiao. The daikon system for dynamic detection of likely invariants. Sci. Comput. Program., 69(1{3):35{45, 2007. http://pgbovine.net/publications/ daikon-invariant-detector_SCP-2007.pdf. Google ScholarDigital Library
M. Gordon. CryptVer project. http://www.cl.cam.ac.uk/~mjcg/proposals/CryptVer/.Google Scholar
D. Hankerson, A. Menezes, and S. A. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, 2004. Google ScholarDigital Library
C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576--580, 1969. http://www.spatial.maine.edu/~worboys/processes/hoare/20axiomatic.pdf. Google ScholarDigital Library
P. Longa and F. Sica. Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In X. Wang and K. Sako, editors, Advances in Cryptology -- ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 718{739. Springer-Verlag Berlin Heidelberg, 2012. https://eprint.iacr.org/2011/608. Google ScholarDigital Library
D. Molnar, M. Piotrowski, D. Schultz, and D. Wagner. The program counter security model: Automatic detection and removal of control-flow side channel attacks. In D. H. Won and S. Kim, editors, Information Security and Cryptology -- ICISC 2005, volume 3935 of Lecture Notes in Computer Science, pages 156--168. Springer-Verlag Berlin Heidelberg, 2005. Full version at http://eprint.iacr.org/2005/368/. Google ScholarDigital Library
P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics ofComputation, 48(177):243--264, 1987. http://www.ams.org/journals/mcom/1987--48--177/S0025--5718--1987-0866113--7/S0025--5718--1987-0866113--7.pdf.Google ScholarCross Ref
M. O. Myreen and M. J. C. Gordon. Hoare logic for realistically modelled machine code. In O. Grumberg and M. Huth, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 4424 of Lecture Notes in Computer Science, pages 568--582. Springer-Verlag Berlin Heidelberg, 2007. http: //www.cl.cam.ac.uk/~mom22/mc-hoare-logic.pdf. Google ScholarDigital Library
T. Oliveira, J. Lopez, D. F. Aranha, and F. Rodrguez-Henrquez. Lambda coordinates for binary elliptic curves. In G. Bertoni and J.-S. Coron, editors, Cryptographic Hardware and Embedded Systems -- CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 311--330. Springer-Verlag Berlin Heidelberg, 2013. http: //eprint.iacr.org/2013/131/20130611:205154. Google ScholarDigital Library
S. Ragan. Bugcrowd launches funding drive to audit popenssl. News article on CSO, 2014. http://www.csoonline.com/article/2145020/security-industry/ bugcrowd-launches-funding-drive-to-audit-openssl. html (accessed May 17, 2014).Google Scholar
B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Global value numbers and redundant computations. In ACM Symposium on Principles of Programming Languages -- (POPL 1988), pages 12--27. ACM Press, 1988. http://www.cs.wustl.edu/~cytron/cs531/ Resources/Papers/valnum.pdf. Google ScholarDigital Library
L. Thery and G. Hanrot. Primality proving with elliptic curves. In K. Schneider and J. Brandt, editors, Theorem Proving in Higher Order Logics, volume 4732 of Lecture Notes in Computer Science, pages 319--333. Springer-Verlag Berlin Heidelberg, 2007. http://hal.inria.fr/docs/00/14/06/58/PDF/paper.pdf. Google ScholarDigital Library
K. White and M. Green. IsTrueCryptAuditedYet? http://istruecryptauditedyet.com/ (accessed May 17, 2014).Google Scholar

Index Terms

Verifying Curve25519 Software
1. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques
      1. Public key encryption

Recommendations

Inductive Completeness of Logics of Programs

We propose a new approach to delineating logics of programs, based directly on inductive definition of program semantics. The ingredients are elementary and well-known, but their fusion yields a simple yet powerful approach, surprisingly overlooked for ...
Read More
Completeness and decidability of converse PDL in the constructive type theory of Coq
CPP 2018: Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs

The completeness proofs for Propositional Dynamic Logic (PDL) in the literature are non-constructive and usually presented in an informal manner. We obtain a formal and constructive completeness proof for Converse PDL by recasting a completeness proof ...
Read More
VPHL

We introduce a Hoare-style logic for probabilistic programs, called VPHL, that has been formally verified in the Coq proof assistant. VPHL features propositional, rather than additive, assertions and a simple set of rules for reasoning about these ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA
Copyright © 2014 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 November 2014
Check for updates
Author Tags
boolector
coq
elliptic-curve cryptography
hoare logic
optimized assembly
smt solver
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '14 Paper Acceptance Rate114of585submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 42
  Total Citations
  View Citations
- 1,112
  Total Downloads
- Downloads (Last 12 months)168
- Downloads (Last 6 weeks)23
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Verifying Curve25519 Software

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Inductive Completeness of Logics of Programs

Completeness and decidability of converse PDL in the constructive type theory of Coq

VPHL