adventures in verifying arithmetic
play

Adventures in Verifying Arithmetic John Harrison Amazon Web - PowerPoint PPT Presentation

Apr 15, 2023 •100 likes •777 views

Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00 Austin, 12:00-13:00 Pacific) From arithmetic on R to arithmetic on Z Floating-point verification at Intel Crypto bignum verification at

  1. Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00 Austin, 12:00-13:00 Pacific)

  2. ◮ From arithmetic on R to arithmetic on Z ◮ Floating-point verification at Intel ◮ Crypto bignum verification at AWS ◮ Points of similarity, points of contrast ◮ Requirements (correctness, efficiency, security) ◮ Formalizing mathematics, continuous and discrete ◮ Programming custom inference rules ◮ The general usefulness of interval bounds ◮ Newton’s method vs. Hensel lifting ◮ ISA modeling and continuous integration ◮ Conclusions

  3. 2006: Verifying floating-point arithmetic at Intel

  4. 2019: Verifying crypto bignums at AWS

  5. Floating-point kernels v cryptographic primitives ◮ They are both intended to be mathematically correct (give the right answer or ‘within 0 . 52 ulps’)

  6. Floating-point kernels v cryptographic primitives ◮ They are both intended to be mathematically correct (give the right answer or ‘within 0 . 52 ulps’) ◮ They are both intended to be fast

  7. Floating-point kernels v cryptographic primitives ◮ They are both intended to be mathematically correct (give the right answer or ‘within 0 . 52 ulps’) ◮ They are both intended to be fast ◮ Crypto bignums often need to be constant-time (to avoid timing side-channels), and this may take precedence over average-case speed

  8. Floating-point kernels v cryptographic primitives ◮ They are both intended to be mathematically correct (give the right answer or ‘within 0 . 52 ulps’) ◮ They are both intended to be fast ◮ Crypto bignums often need to be constant-time (to avoid timing side-channels), and this may take precedence over average-case speed For this collection of reasons, we are writing and verifying code at the machine code level.

  9. From arithmetic on R to arithmetic on Z Moving from the richer and more sophisticated real number system to integer arithmetic (and modular arithmetic at that).

  10. From arithmetic on R to arithmetic on Z Moving from the richer and more sophisticated real number system to integer arithmetic (and modular arithmetic at that). Looks like regressive evolution!

  11. Mathematical contrasts ◮ The mathematical structure R of reals is a richer field containing the integers Z as a subring. But in practice we are interested in some finite subsets.

  12. Mathematical contrasts ◮ The mathematical structure R of reals is a richer field containing the integers Z as a subring. But in practice we are interested in some finite subsets. ◮ Floating-point numbers can be considered as a subset of R but operations have more intricate mathematical properties ◮ Most everyday algebraic laws like x + ( y + z ) = ( x + y ) + z fail, though commutativity is more or less true (except for NaNs) ◮ Rounding is a fundamentally important operation, with some regular properties but also many difficulties

  13. Mathematical contrasts ◮ The mathematical structure R of reals is a richer field containing the integers Z as a subring. But in practice we are interested in some finite subsets. ◮ Floating-point numbers can be considered as a subset of R but operations have more intricate mathematical properties ◮ Most everyday algebraic laws like x + ( y + z ) = ( x + y ) + z fail, though commutativity is more or less true (except for NaNs) ◮ Rounding is a fundamentally important operation, with some regular properties but also many difficulties ◮ In cryptography, we are mainly concerned with operations on Z n , the integers modulo n . This is at least a ring, and if n is prime it’s a field (multiplicative inverses exist).

  14. Mathematical similarities There are meaningful analogies between ‘metrical’ and ‘ p -adic’ algorithms: ◮ Over R where things get smaller ◮ Over Z where things get more divisible by something

  15. Mathematical similarities There are meaningful analogies between ‘metrical’ and ‘ p -adic’ algorithms: ◮ Over R where things get smaller ◮ Over Z where things get more divisible by something Nice table from Brent and Zimmermann “Modern Computer Arithmetic”.

  16. A common tool: HOL Light ◮ HOL Light is a member of the HOL family of provers, descended from Mike Gordon’s original HOL system developed in the 80s.

  17. A common tool: HOL Light ◮ HOL Light is a member of the HOL family of provers, descended from Mike Gordon’s original HOL system developed in the 80s. ◮ An LCF-style proof checker for classical higher-order logic built on top of (polymorphic) simply-typed λ -calculus.

  18. A common tool: HOL Light ◮ HOL Light is a member of the HOL family of provers, descended from Mike Gordon’s original HOL system developed in the 80s. ◮ An LCF-style proof checker for classical higher-order logic built on top of (polymorphic) simply-typed λ -calculus. ◮ HOL Light is designed to have a particularly simple and clean logical foundation.

  19. A common tool: HOL Light ◮ HOL Light is a member of the HOL family of provers, descended from Mike Gordon’s original HOL system developed in the 80s. ◮ An LCF-style proof checker for classical higher-order logic built on top of (polymorphic) simply-typed λ -calculus. ◮ HOL Light is designed to have a particularly simple and clean logical foundation. ◮ Written in Objective CAML (OCaml), a somewhat popular variant of the ML family of languages.

  20. The HOL family DAG There are many HOL provers, of which HOL Light is just one, all descended from Mike Gordon’s original HOL system in the late 1980s. HOL88 ❍❍❍❍❍❍❍ � ❅ � ❅ � ❅ ✠ � ❅ ❘ ❍ ❥ hol90 ProofPower Isabelle/HOL ❅ ❅ ❘ ❅ ❄ HOL Light � ❅ � ❅ � ❅ � ✠ ❄ ❅ ❘ ❄ hol98 HOL Zero ❄ HOL 4

  21. Why HOL Light? We need a general theorem proving system with: ◮ High standard of logical rigor and reliability ◮ Ability to mix interactive and automated proof ◮ Programmability for domain-specific proof tasks ◮ A substantial library of pre-proved mathematics Needless to say ACL2 has also been used in these and similar domains, as have Coq, HOL4, Isabelle/HOL, PVS etc.

  22. Formalizing mathematics For floating-point verifications the mathematics required is mostly: ◮ Elementary number theory and real analysis ◮ Floating-point numbers, results about rounding etc.

  23. Formalizing mathematics For floating-point verifications the mathematics required is mostly: ◮ Elementary number theory and real analysis ◮ Floating-point numbers, results about rounding etc. For the crypto bignums ◮ Additional number theory (e.g. Miller-Rabin pseudoprimes) github.com/jrh13/hol-light/blob/master/Examples/miller_rabin.ml

  24. Formalizing mathematics For floating-point verifications the mathematics required is mostly: ◮ Elementary number theory and real analysis ◮ Floating-point numbers, results about rounding etc. For the crypto bignums ◮ Additional number theory (e.g. Miller-Rabin pseudoprimes) github.com/jrh13/hol-light/blob/master/Examples/miller_rabin.ml ◮ Elementary group theory, properties of elliptic curve groups github.com/jrh13/hol-light/blob/master/Examples/nist_curves.ml

  25. Custom inference rules For floating-point verifications: ◮ Verifying solution set of some quadratic congruences ◮ Proving primality of particular numbers ◮ Verifying error bounds in polynomial approximations

  26. Custom inference rules For floating-point verifications: ◮ Verifying solution set of some quadratic congruences ◮ Proving primality of particular numbers ◮ Verifying error bounds in polynomial approximations For crypto bignums ◮ Proving equational theorems in abstract groups and rings ◮ Reasoning about general properties of congruences

  27. Automating divisibility reasoning Linear (Presburger) arithmetic is a common workhorse in formal verifications. For a lot of the ‘congruential’ reasoning a custom decision procedure is a similarly useful workhorse: d | a ∧ d | b ⇒ d | ( a − b ) coprime( d , a ) ∧ coprime( d , b ) ⇒ coprime( d , ab ) coprime( d , ab ) ⇒ coprime( d , a ) coprime( a , b ) ∧ x ≡ y (mod a ) ∧ x ≡ y (mod b ) ⇒ x ≡ y (mod ( ab )) m | r ∧ n | r ∧ coprime( m , n ) ⇒ ( mn ) | r coprime( xy , x 2 + y 2 ) ⇔ coprime( x , y ) coprime( a , b ) ⇒ ∃ x . x ≡ u (mod a ) ∧ x ≡ v (mod b ) ax ≡ ay (mod n ) ∧ coprime( a , n ) ⇒ x ≡ y (mod n ) gcd( a , n ) | b ⇒ ∃ x . ax ≡ b (mod n )

  28. Automating divisibility reasoning Linear (Presburger) arithmetic is a common workhorse in formal verifications. For a lot of the ‘congruential’ reasoning a custom decision procedure is a similarly useful workhorse: d | a ∧ d | b ⇒ d | ( a − b ) coprime( d , a ) ∧ coprime( d , b ) ⇒ coprime( d , ab ) coprime( d , ab ) ⇒ coprime( d , a ) coprime( a , b ) ∧ x ≡ y (mod a ) ∧ x ≡ y (mod b ) ⇒ x ≡ y (mod ( ab )) m | r ∧ n | r ∧ coprime( m , n ) ⇒ ( mn ) | r coprime( xy , x 2 + y 2 ) ⇔ coprime( x , y ) coprime( a , b ) ⇒ ∃ x . x ≡ u (mod a ) ∧ x ≡ v (mod b ) ax ≡ ay (mod n ) ∧ coprime( a , n ) ⇒ x ≡ y (mod n ) gcd( a , n ) | b ⇒ ∃ x . ax ≡ b (mod n ) For more on how this works, see my paper Automating elementary number-theoretic proofs using Gr¨ obner bases (CADE 21): https://www.cl.cam.ac.uk/~jrh13/papers/divisibility.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21 The webs evolution We want richer web

521 views • 21 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Principles Of Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary Arithmetic Same basic methodology as decimal arithmetic Important to know number representation Unsigned Signed

704 views • 11 slides
Nonlinear real arithmetic and -satisfiability Paolo Zuliani School of Computing Science

Nonlinear real arithmetic and -satisfiability Paolo Zuliani School of Computing Science

Nonlinear real arithmetic and -satisfiability Paolo Zuliani School of Computing Science Newcastle University, UK ( Slides courtesy of Sicun Gao, MIT) 1 / 26 Introduction We use hybrid systems for modelling and verifying biological

530 views • 30 slides
Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and Kindness question your principles @jessitron Adventures in Elm Events, Reproducibility, and Kindness Data Data In Out Server UI Everything My

646 views • 39 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit Performs most processor operations Control signal predicates addition subtraction logic operations shifting (w / or w / o sign extension) Figure:

205 views • 8 slides
The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter

The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter

The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter Universe with the NIKA2 Camera Outline of these adventures Review of the di ff erent pools Overview of projects observed Evolution of NIKA2

310 views • 28 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Arithmetic paper 4 Once you have completed the arithmetic paper, use the slides to help you to

Arithmetic paper 4 Once you have completed the arithmetic paper, use the slides to help you to

Arithmetic paper 4 Once you have completed the arithmetic paper, use the slides to help you to understand where you have made your mistakes. Are your scores improving each week? You will need to subtract 100 from the hundreds column. 800 -

461 views • 20 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Expressions, and Arithmetic Chapters 4 1 2 Arithmetic Operator Precedence Just as in

Expressions, and Arithmetic Chapters 4 1 2 Arithmetic Operator Precedence Just as in

9/9/2012 For Next Time Read Chapter 4 Expressions, and Arithmetic Chapters 4 1 2 Arithmetic Operator Precedence Just as in normal mathematics: Operator Operation * and / are applied before + and + Addition Parentheses

152 views • 3 slides
Arithmetic paper 5 Once you have completed the arithmetic paper, use the slides to help you to

Arithmetic paper 5 Once you have completed the arithmetic paper, use the slides to help you to

Arithmetic paper 5 Once you have completed the arithmetic paper, use the slides to help you to understand where you have made your mistakes. Try to improve your score each week! You will need to add 100 to the hundreds column. 400 + 100 = 500

361 views • 19 slides
Chapt hapter er 3 3 Arithmetic for Computers 3.1 Introduction Arithmetic for Computers

Chapt hapter er 3 3 Arithmetic for Computers 3.1 Introduction Arithmetic for Computers

COMPUTER ORGANIZATION AND DESIGN 5 th Edition The Hardware/Software Interface Chapt hapter er 3 3 Arithmetic for Computers 3.1 Introduction Arithmetic for Computers Operations on integers Addition and subtraction

718 views • 57 slides
Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving trigonometric functions. We learn to verify and spend time verifying trigonometric identities because the practice we get verifying trigonometric

661 views • 46 slides
TaML Table Manipulation Language Adam Dossa (aid2112) Qiuzi Shangguan (qs2130) Maria Taku

TaML Table Manipulation Language Adam Dossa (aid2112) Qiuzi Shangguan (qs2130) Maria Taku

TaML Table Manipulation Language Adam Dossa (aid2112) Qiuzi Shangguan (qs2130) Maria Taku (mat2185) Le Chang (lc2879) Columbia University 19th December 2012 1 Overview 1.Simple C-like language for building, editing, and manipulating

490 views • 11 slides
T YPES OF I NTERACTORS Prasun Dewan Department of Computer Science University of North Carolina

T YPES OF I NTERACTORS Prasun Dewan Department of Computer Science University of North Carolina

T YPES OF I NTERACTORS Prasun Dewan Department of Computer Science University of North Carolina at Chapel Hill dewan@cs.unc.edu Code available at: https://github.com/pdewan/ColabTeaching P RE -R EQUISITES Model-Interactor Separation 2 I

481 views • 20 slides
RECMA NEW BUSINESS PERFORMANCE JANUARY TO OCTOBER 2017 THE HOLDING COMPANIES DAN IS CLEAR

RECMA NEW BUSINESS PERFORMANCE JANUARY TO OCTOBER 2017 THE HOLDING COMPANIES DAN IS CLEAR

RECMA NEW BUSINESS PERFORMANCE JANUARY TO OCTOBER 2017 THE HOLDING COMPANIES DAN IS CLEAR LEADER WITH A $3.5 BN GAP WITH OMG 1 987 DENTSU AEGIS DAN 496 406 PUBLICIS HAVAS GROUPM MEDIA MEDIA WPP IPG MBRANDS -30 -492 OMG -1 523

438 views • 6 slides
U 4: I

U 4: I

Example: Friday the 13 th Announcements Friday the 13 th Between 1990 - 1992 researchers in the UK collected data on traffic flow, accidents, and hospital admissions on Friday 13 th and the previous Friday, Friday 6 th . U 4: I

394 views • 10 slides
Social Media Marketing: 10 optimization tactics that Scholastic used to grow fans 350% Gabriela

Social Media Marketing: 10 optimization tactics that Scholastic used to grow fans 350% Gabriela

Social Media Marketing: 10 optimization tactics that Scholastic used to grow fans 350% Gabriela Acatrinei Daniel Burstein Digital Marketing Manager Director of Editorial Content Scholastic Inc. MECLABS Speaker Gabriela Acatrinei Digital

609 views • 26 slides
FIRST Naval Construction Division FIRST Naval Construction Division SAME Middle Atlantic

FIRST Naval Construction Division FIRST Naval Construction Division SAME Middle Atlantic

FIRST Naval Construction Division FIRST Naval Construction Division SAME Middle Atlantic Middle East Regional Conference 11 October 2007 1 United States Fleet Forces United States Fleet Forces Operational Readiness, Effectiveness,

652 views • 26 slides
Introduction to Data Science: x (1) x 1 x 2 x ( n ) x i n 1 1 Size: size

Introduction to Data Science: x (1) x 1 x 2 x ( n ) x i n 1 1 Size: size

Exploratory Data Analysis Exploratory Data Analysis: Summary Statistics Exploratory Data Analysis: Summary Statistics EDA with the grammar of graphics Exploratory Data Analysis: Summary Statistics Exploratory Data Analysis: Summary Statistics

1.27k views • 90 slides
Groups, Algorithms, Programming and Free Software Steve Linton Centre for Interdisciplinary

Groups, Algorithms, Programming and Free Software Steve Linton Centre for Interdisciplinary

Groups, Algorithms, Programming and Free Software Steve Linton Centre for Interdisciplinary Research in Computational Algebra University of St Andrews ICMS 2006, Castro Urdiales 1 Groups The mathematician's handle on symmetry Key

374 views • 20 slides

More recommend