Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations

We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations, in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries that provide complex arithmetic calculations or instantiate idealised components such as sampling operations. This certified compiler allows us to carry the security guarantees established at the high level down to executable code, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in the source code. We demonstrate the applicability of the framework by applying it to the RSA-OAEP encryption scheme, as standardised in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary in breaking the security of assembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it bridges the gap between computer-assisted security proofs and real-world cryptographic implementations as described by standards such as PKCS, and it demonstrates the use of the CompCert certified compiler in the context of cryptographic software development.
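The padding scheme whose implementations the framework reasons about, as an added example written for this page (it is not the paper's EasyCrypt or CompCert artifact): EME-OAEP encoding and decoding as specified in PKCS#1 v2.1 (RFC 3447), with the decoder evaluating every check before reporting a single undifferentiated failure, which is the source-level countermeasure the standard mandates against decoding oracles. It assumes SHA-256 and an empty label; the explicit `seed` parameter exists only so that the result is reproducible.

```python
import hashlib
import hmac
import os
from typing import Optional

def mgf1(seed: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    """MGF1 mask generation function (RFC 3447, B.2.1)."""
    hlen = hash_fn().digest_size
    blocks = b"".join(hash_fn(seed + i.to_bytes(4, "big")).digest()
                      for i in range((length + hlen - 1) // hlen))
    return blocks[:length]

def oaep_encode(msg: bytes, k: int, label: bytes = b"",
                seed: Optional[bytes] = None, hash_fn=hashlib.sha256) -> bytes:
    """EME-OAEP encoding (RFC 3447, 7.1.1 step 2); k is the modulus length in bytes.
    seed defaults to os.urandom(hLen); a fixed seed is only for reproducible tests."""
    hlen = hash_fn().digest_size
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    db = hash_fn(label).digest() + b"\x00" * (k - len(msg) - 2 * hlen - 2) + b"\x01" + msg
    seed = os.urandom(hlen) if seed is None else seed
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - hlen - 1, hash_fn)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, hlen, hash_fn)))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"",
                hash_fn=hashlib.sha256) -> Optional[bytes]:
    """EME-OAEP decoding (RFC 3447, 7.1.2 step 3). The leading-byte, label-hash and
    padding-structure checks are all evaluated and folded into one flag before a
    single failure is reported, so the caller cannot distinguish which one failed.
    (Python gives no timing guarantees; the structure mirrors the countermeasure.)"""
    hlen = hash_fn().digest_size
    if len(em) != k or k < 2 * hlen + 2:
        return None
    y, masked_seed, masked_db = em[0], em[1:1 + hlen], em[1 + hlen:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, hlen, hash_fn)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, k - hlen - 1, hash_fn)))
    bad = y | int(not hmac.compare_digest(db[:hlen], hash_fn(label).digest()))
    # Scan the whole padding region without early exit: locate the first 0x01
    # after lHash and flag any non-zero byte that precedes it.
    sep_index, found = 0, 0
    for i in range(hlen, len(db)):
        is_sep = int(db[i] == 1) & (1 - found)
        sep_index += i * is_sep
        found |= is_sep
        bad |= int(db[i] != 0) & (1 - found)
    bad |= 1 - found                      # no separator at all
    return None if bad else db[sep_index + 1:]
```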
