HACLxN: Verified Generic SIMD Crypto (for all your favourite platforms)

We present a new methodology for building formally verified cryptographic libraries that are optimized for multiple architectures. In particular, we show how to write and verify generic crypto code in the F* programming language that exploits single-instruction multiple data (SIMD) parallelism. We show how this code can be compiled to platforms that support vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We apply our methodology to obtain verified vectorized implementations on all these platforms for the ChaCha20 encryption algorithm, the Poly1305 one-time MAC, and the SHA-2 and Blake2 families of hash algorithms. A distinctive feature of our approach is that we aggressively share code and verification effort between scalar and vectorized code, between vectorized code for different platforms, and between implementations of different cryptographic primitives. By doing so, we significantly reduce the manual effort needed to add new implementations to our verified library. In this paper, we describe our methodology and verification results, evaluate the performance of our code, and describe its integration into the HACL* crypto library. Our vectorized code has already been incorporated into several software projects, including the Firefox web browser.
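The code-sharing idea the abstract describes, as an added example that is not code from the paper or from HACL*: a single ChaCha20 block function written once over an abstract word type and instantiated for a scalar reference and a 4-lane vector type, with the 4-lane result checked lane by lane against the scalar core on the RFC 8439 test vector. GCC/Clang vector extensions are assumed here in place of F*'s vector library; the macro names and the self-test helper are this example's own.

```c
#include <stdint.h>
#include <string.h>
typedef uint32_t u32x4 __attribute__((vector_size(16)));  // 4 lanes = 4 ChaCha20 blocks at once
// Rotate-left and the quarter round are written once; they type-check on both uint32_t and
// u32x4 because C's arithmetic and shift operators act lane-wise on vector types.
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7);
// Generic block function over a word type T: 10 double rounds, then add the input state.
// One source text, instantiated at width 1 (scalar reference) and at width 4.
#define DEFINE_CHACHA20_CORE(NAME, T) \
static void NAME(T out[16], const T in[16]) { \
    T x[16]; memcpy(x, in, sizeof(x)); \
    for (int i = 0; i < 10; i++) { /* column round, then diagonal round */ \
        QR(x[0], x[4], x[8],  x[12]) QR(x[1], x[5], x[9],  x[13]) \
        QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15]) \
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12]) \
        QR(x[2], x[7], x[8],  x[13]) QR(x[3], x[4], x[9],  x[14]) } \
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i]; }
DEFINE_CHACHA20_CORE(chacha20_core_scalar, uint32_t)
DEFINE_CHACHA20_CORE(chacha20_core_x4, u32x4)
// RFC 8439 state layout: 4 constants, 8 little-endian key words, block counter, 3 nonce words.
#define LE32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
static void chacha20_init(uint32_t st[16], const uint8_t key[32], uint32_t ctr, const uint8_t nonce[12]) {
    st[0] = 0x61707865; st[1] = 0x3320646e; st[2] = 0x79622d32; st[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) st[4 + i] = LE32(key + 4 * i);
    st[12] = ctr;
    for (int i = 0; i < 3; i++) st[13 + i] = LE32(nonce + 4 * i);
}
// Runs blocks ctr..ctr+3 through the 4-lane core and checks every lane against the scalar
// core (the scalar/vector equivalence HACLxN proves once, generically). Returns the first
// output word of block ctr on success, 0 if any lane disagrees.
static uint32_t chacha20_x4_vs_scalar(const uint8_t key[32], uint32_t ctr, const uint8_t nonce[12]) {
    uint32_t s[16], ref[16]; u32x4 v[16], o[16];
    chacha20_init(s, key, ctr, nonce);
    for (int i = 0; i < 16; i++) v[i] = (u32x4){s[i], s[i], s[i], s[i]};
    v[12] = (u32x4){ctr, ctr + 1, ctr + 2, ctr + 3};   // each lane gets its own block counter
    chacha20_core_x4(o, v);
    for (int lane = 0; lane < 4; lane++) {
        s[12] = ctr + lane; chacha20_core_scalar(ref, s);
        for (int i = 0; i < 16; i++) if (o[i][lane] != ref[i]) return 0;
    }
    return o[0][0];
}
// Self-check on the RFC 8439 section 2.3.2 inputs (key 00..1f, counter 1, nonce 00000009
// 0000004a 00000000), whose first output word the RFC lists as e4e7f110.
static uint32_t chacha20_selftest(void) {
    uint8_t key[32], nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    return chacha20_x4_vs_scalar(key, 1, nonce);
}
```

The same macro body would instantiate at 8 or 16 lanes with a wider vector_size, which is the width-genericity the paper verifies once rather than per platform.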
