Efficient Verification of Optimized Code: Correct High-speed Curve25519

Highly optimized code poses a problem for program-level verification: programmers employ clever tricks that are non-trivial to reason about. For cryptography on low-power devices it is nonetheless crucial that implementations be functionally correct, secure, and efficient. Such implementations are usually crafted in hand-optimized machine code that avoids conventional control flow as far as possible. We have formally verified code of this kind: a library implementing elliptic curve cryptography on 8-bit AVR microcontrollers. The chosen implementation is the most efficient currently known for this microarchitecture and consists of over 3000 lines of assembly instructions. Building on earlier work, we use the Why3 platform to model the code and generate verification conditions, which are discharged by automated provers. The approach is reusable and adaptable, and allows for validation. Furthermore, an error in the original implementation was found and corrected, at the same time reducing its memory footprint. This shows that practical verification of cutting-edge code is not only possible but can in fact add to its efficiency, and that it is clearly necessary.
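As an added illustration (not the paper's Why3 model and not the verified library's code), the following Python sketches the shape of the functional-correctness property such a verification establishes. The `adc` and `mul8` helpers mimic the 8-bit ADC and MUL instructions of the AVR, a schoolbook multiplication and the usual 2^256 ≡ 38 (mod p) fold are written in terms of them, and the specification is the plain big-integer value the limb vector denotes. A hypothetical variant that drops one carry, constructed here to show what the check catches, stands in for the kind of limb-level mistake that only a specification-level comparison reveals; it is not a description of the error the paper reports.

```python
"""Limb-level model of 256-bit arithmetic on an 8-bit machine, checked against
a big-integer specification. Constructed illustration; the instruction models,
the schoolbook product and the fold are this example's own, not the library's."""
import random

P = 2**255 - 19          # the Curve25519 field prime
LIMBS = 32               # 256 bits as 32 little-endian 8-bit limbs


def to_limbs(x, n=LIMBS):
    assert 0 <= x < 256**n
    return [(x >> (8 * i)) & 0xFF for i in range(n)]


def from_limbs(limbs):
    """Specification view: the integer a limb vector denotes."""
    return sum(b << (8 * i) for i, b in enumerate(limbs))


def adc(a, b, carry):
    """Model of ADC: 8-bit add with carry-in, returns (sum, carry-out)."""
    s = a + b + carry
    return s & 0xFF, s >> 8


def mul8(a, b):
    """Model of MUL: 8x8 -> 16-bit product as (low byte, high byte)."""
    prod = a * b
    return prod & 0xFF, prod >> 8


def add_into(r, pos, lo, hi):
    """Add the 16-bit value hi:lo into r at limb pos, rippling the carry up.
    The ripple never runs off the end: the running value always fits in r."""
    r[pos], c = adc(r[pos], lo, 0)
    r[pos + 1], c = adc(r[pos + 1], hi, c)
    pos += 2
    while c:
        r[pos], c = adc(r[pos], 0, c)
        pos += 1


def mul256(a, b):
    """Schoolbook product of two 32-limb numbers; 64-limb result."""
    r = [0] * (2 * LIMBS)
    for i in range(LIMBS):
        for j in range(LIMBS):
            lo, hi = mul8(a[i], b[j])
            add_into(r, i + j, lo, hi)
    return r


def mul256_dropped_carry(a, b):
    """Hypothetical buggy variant (constructed for this example): the carry
    out of limb i+j+1 is discarded instead of rippled."""
    r = [0] * (2 * LIMBS)
    for i in range(LIMBS):
        for j in range(LIMBS):
            lo, hi = mul8(a[i], b[j])
            r[i + j], c = adc(r[i + j], lo, 0)
            r[i + j + 1], _ = adc(r[i + j + 1], hi, c)   # carry lost here
    return r


def fold38(limbs):
    """Use 2^256 = 38 (mod p): value = lo + 38*hi, where hi is everything
    above bit 256. Output has 33 limbs, since lo + 38*hi < 39 * 2^256."""
    lo, hi = limbs[:LIMBS], limbs[LIMBS:]
    r = lo + [0]
    for k, h in enumerate(hi):
        plo, phi = mul8(h, 38)
        add_into(r, k, plo, phi)
    return r


def limb_mulmod(a, b):
    """Integer denoted by the limb pipeline: schoolbook product, two folds.
    Not canonical (result < 2^256 + 38*38) but congruent to a*b mod p."""
    return from_limbs(fold38(fold38(mul256(to_limbs(a), to_limbs(b)))))


def check_against_spec(mul=mul256, trials=200, seed=1):
    """Postcondition check: product limbs denote exactly a*b, and the folded
    result is congruent to a*b mod p and bounded tightly enough to reuse."""
    rng = random.Random(seed)
    samples = [(2**256 - 1, 2**256 - 1), (P, P), (0, 2**256 - 1)]
    samples += [(rng.getrandbits(256), rng.getrandbits(256)) for _ in range(trials)]
    for a, b in samples:
        prod = mul(to_limbs(a), to_limbs(b))
        if from_limbs(prod) != a * b:
            return False
        v = from_limbs(fold38(fold38(prod)))
        if v % P != (a * b) % P or v >= 2**256 + 38 * 38:
            return False
    return True


if __name__ == "__main__":
    print("schoolbook mul256 meets spec:", check_against_spec(mul256))
    print("dropped-carry variant meets spec:", check_against_spec(mul256_dropped_carry))
```

The check here is only testing; the paper's point is that the same postconditions, stated over a model of the registers and the carry flag, can be discharged for all inputs by automated provers. What the example shows is the gap the proof has to bridge: the specification is one line of integer arithmetic, while the implementation is a thousand carry-propagating byte operations in which a single dropped carry is invisible until the result is compared with the specification.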
