efficient and verified finite field operations
play

Efficient and Verified Finite-Field Operations Andres Erbsen, Jade - PowerPoint PPT Presentation

May 13, 2023 •245 likes •513 views

Efficient and Verified Finite-Field Operations Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, Adam Chlipala RWC 2019 g i t h u b . c o m / m i t - p l v / fi a t - c r y p t o Example of Tricky Tedium:

  1. Efficient and Verified Finite-Field Operations Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, Adam Chlipala RWC 2019 g i t h u b . c o m / m i t - p l v / fi a t - c r y p t o

  2. Example of Tricky Tedium: P256 mul // smallfelem_mul sets |out| = |small1| * |small2| // On entry: small1[i] < 2^64 and small2[i] < 2^64 // On exit: out[i] < 7 * 2^64 < 2^67. static void smallfelem_mul(longfelem out, const smallfelem small1,const smallfelem small2){ a = ((uint128_t)small1[2]) * small2[2]; a = ((uint128_t)small1[3]) * small2[2]; limb a; a = ((uint128_t)small1[1]) * small2[0]; a = ((uint128_t)small1[2]) * small2[0]; a = ((uint128_t)small1[2]) * small2[1]; low = a; low = a; ` low = a; low = a; uint64_t high, low; low = a; high = a >> 64; high = a >> 64; high = a >> 64; high = a >> 64; a = ((uint128_t)small1[0]) * small2[0]; high = a >> 64; out[4] += low; out[1] += low; out[2] += low; out[3] += low; low = a; out[5] += high; out[5] += low; out[2] += high; out[3] += high; out[4] += high; a = ((uint128_t)small1[3]) * small2[1]; high = a >> 64; a = ((uint128_t)small1[0]) * small2[2]; a = ((uint128_t)small1[0]) * small2[3]; a = ((uint128_t)small1[3]) * small2[0]; out[6] += high; low = a; low = a; low = a; low = a; out[0] = low; a = ((uint128_t)small1[3]) * small2[3]; high = a >> 64; high = a >> 64; high = a >> 64; high = a >> 64; out[1] = high; out[4] += low; low = a; out[2] += low; out[3] += low; out[3] += low; a = ((uint128_t)small1[0]) * small2[1]; out[5] += high; out[3] = high; out[4] = high; out[4] += high; high = a >> 64; low = a; a = ((uint128_t)small1[2]) * small2[3]; a = ((uint128_t)small1[1]) * small2[1]; a = ((uint128_t)small1[1]) * small2[2]; a = ((uint128_t)small1[1]) * small2[3]; out[6] += low; low = a; low = a; low = a; low = a; high = a >> 64; high = a >> 64; high = a >> 64; high = a >> 64; high = a >> 64; out[7] = high; out[1] += low; out[5] += low; out[2] += low; out[3] += low; out[4] += low; } out[2] = high; out[6] = high; out[3] += high; out[4] += high; out[5] = high; 2

  3. ...and the reduction (64-bit) tmp[0] += b; tmp[3] -= mask & kPrime[3]; tmp[2] = zero110[2] + (u64)in[2]; static void felem_shrink( tmp[1] -= (((limb)b) << 32); tmp[0] = zero110[0] + in[0]; tmp[1] += ((u64)(tmp[0] >> 64)); smallfelem out, tmp[1] = zero110[1] + in[1]; tmp[0] = (u64)tmp[0]; high = tmp[3] >> 64; const felem in) { tmp[2] += ((u64)(tmp[1] >> 64)); a = tmp[3] >> 64; high = ~(high - 1); tmp[1] = (u64)tmp[1]; felem tmp; tmp[3] = (u64)tmp[3]; low = tmp[3]; tmp[3] += ((u64)(tmp[2] >> 64)); u64 a, b, mask; tmp[3] -= a; mask = low >> 63; tmp[2] = (u64)tmp[2]; tmp[3] += ((limb)a) << 32; s64 high, low; low &= bottom63bits; low -= kPrime3Test; static const u64 kPrime3Test = 0x7fffffff00000001ul; b = a; out[0] = tmp[0]; low = ~low; a = tmp[3] >> 64; low >>= 63; out[1] = tmp[1]; b += a; tmp[3] = zero110[3] + in[3] + out[2] = tmp[2]; tmp[3] = (u64)tmp[3]; ((u64)(in[2] >> 64)); mask = (mask & low) | high; out[3] = tmp[3]; tmp[3] -= a; tmp[0] -= mask & kPrime[0]; } tmp[3] += ((limb)a) << 32; tmp[1] -= mask & kPrime[1]; 3

  4. Reduction Algorithm for 32-bit CPUs A = (A15,A14,A13,A12,A11,A10,A9,A8,A7,A6,A5,A4,A3,A2,A1,A0) T = (A7, A6, A5, A4, A3, A2, A1, A0) S1 = (A15, A14, A13, A12, A11, 0, 0, 0) S2 = (0, A15, A14, A13, A12, 0, 0, 0) S3 = (A15, A14, 0, 0, 0, A10, A9, A8) S4 = (A8, A13, A15, A14, A13, A11, A10, A9) D1 = (A10, A8, 0, 0, 0, A13, A12, A11) D2 = (A11, A9, 0, 0, A15, A14, A13, A12) D3 = (A12, 0, A10, A9, A8, A15, A14, A13) D4 = (A13, 0, A11, A10, A9, 0, A15, A14) A mod p256 = T+2S1+2S2+S3+S4−D1−D2−D3−D4 mod p256 4

  5. Finite Field Implementations – Status Quo Operations HW Arches Prime #s   Limiting factor: experts are busy and fallible. 5

  6. A Different Finite-Field Library ● Boring from the programmer’s perspective – from_bytes, +, *, -, …, to_bytes ● Computer-checkable proofs of correctness (Coq) ● Many fields & CPUs; compile-time specialization ● As fast as handwritten C for Curve25519, P256 ● Used in BoringSSL, Ring, Titan, WireGuard 6

  7. demo of push-button synthesis 7

  8. Coq – Interactive Proof Assistant ● A functional programming language for definitions ● Theorem statements in the same language ● Various means of generating proofs – Scripting (imagine shell, JavaScript) – Already-proven algorithms (static analysis) ● One relatively small checker for all proofs 8

  9. Our Algorithm-Centric Workflow Specification mulmod a b := a * b mod m 9

  10. Our Algorithm-Centric Workflow Template Implementation Specification Proof Let reduce s c p := let (lo, hi) mulmod a b := := split s p in a * b mod m add lo (mul c hi). 10

  11. Our Algorithm-Centric Workflow Template Implementation Specification Proof Let reduce s c p := let (lo, hi) mulmod a b := := split s p in a * b mod m add lo (mul c hi). Parameter Micro- cc Specialization Selection optimization 11

  12. Template Implementations ● Inputs and output: list of limb weights and values ● Mathematical integers, no overflow! ● mul [(a,x), …] [(b,y), …] = [(a*b, x*y), …] ● Lists and weights optimized away ● Bitwidths chosen based on ranges 12

  13. Multiplication: Code & Proof Definition mul (p q : list (Z*Z)) : list (Z*Z) := flat_map (fun ‘(a, x) => map (fun ‘(b, y) => (a*b, x*y)) q) p. Lemma eval_map_mul a x p: eval (map (fun ‘(b, y)=>(a*b, x*y)) p)=a*x*eval p. Proof. induction p; push; nsatz. Qed. Lemma eval_mul p q : eval (mul p q) = eval p * eval q. Proof. induction p; cbv [mul]; push; nsatz. Qed. 13

  14. Solinas Reduction: Code & Proof Lemma reduction_rule a b s c (modulus_nz:s-c<>0) : (a + s * b) mod (s - c) = (a + c * b) mod (s - c). Proof. apply Z.add_mod_Proper;[reflexivity|apply reduction_rule',modulus_nz]. Qed. Definition reduce (s:Z) (c:list (Z*Z)) (p:list (Z*Z)) : list (Z*Z) := let ‘(low, high) := split s p in add low (mul c high). Lemma eval_reduce s c p (s_nz:s<>0) (modulus_nz:s-eval c<>0) : eval (reduce s c p) mod (s - eval c) = eval p mod (s - eval c). Proof. cbv [reduce]; push. rewrite <-reduction_rule, eval_split; trivial. Qed. 14

  15. Solinas Reduction: Code & Proof Lemma reduction_rule a b s c (modulus_nz:s-c<>0) : (a + s * b) mod (s - c) = (a + c * b) mod (s - c). Proof. apply Z.add_mod_Proper;[reflexivity|apply reduction_rule',modulus_nz]. Qed. Definition reduce (s:Z) (c:list (Z*Z)) (p:list (Z*Z)) : list (Z*Z) := let ‘(low, high) := split s p in add low (mul c high). Lemma eval_reduce s c p (s_nz:s<>0) (modulus_nz:s-eval c<>0) : eval (reduce s c p) mod (s - eval c) = eval p mod (s - eval c). Proof. cbv [reduce]; push. rewrite <-reduction_rule, eval_split; trivial. Qed. 15

  16. Solinas Reduction: Code & Proof Lemma reduction_rule a b s c (modulus_nz:s-c<>0) : (a + s * b) mod (s - c) = (a + c * b) mod (s - c). Proof. apply Z.add_mod_Proper;[reflexivity|apply reduction_rule',modulus_nz]. Qed. Definition reduce (s:Z) (c:list (Z*Z)) (p:list (Z*Z)) : list (Z*Z) := let ‘(low, high) := split s p in add low (mul c high). Lemma eval_reduce s c p (s_nz:s<>0) (modulus_nz:s-eval c<>0) : eval (reduce s c p) mod (s - eval c) = eval p mod (s - eval c). Proof. cbv [reduce]; push. rewrite <-reduction_rule, eval_split; trivial. Qed. 16

  17. More Implementations ● Unsaturated Solinas reduction ● Word-by-word Montgomery reduction ● Saturated Solinas reduction ● Barrett reduction 17

  18. Compilation Step-by-Step ● add [x, y, z] [t, 0, v] – concrete length ● a = x+t; b = y+0; c = z + v; – unroll loop ● a = x+t; b = y; c = z + v; – arith. opt. ● Assuming inputs <2 26 , have – range analysis uint32_t a=x+t; uint32_t b=y; uint32_t c=z+v; ● Continue knowing a<2 27 , b <2 26 , c <2 27 ● Possible* using Coq’s built-in partial evaluation! 18

  19. Speed of Compilation & Checking ● It matters! ● Incremental compilation helps (but not in CI) ● Coq is largely unoptimized (asymptotics!) ● ...but allows proven extensions ● Write & prove partial evaluator in Coq 19

  20. Performance ● Curve25519, P256: fastest C code we know of ● Faster than GMP on all primes from curves@ Curve25519 on a Broadwell laptop 20

  21. Integration Considerations for Generated Code ● Check in generated code (slow compilation, dependency) ● Not really human-readable – Presentation issues: variable naming, whitespace… – Only slightly less readable than expert-optimized code – But it’s proven correct so we don’t care (mostly) ● Document caller’s responsibilities! – No proof prevents incorrect use – Caller refactoring considered independently beneficial 21

  22. Low-Level Interfaces Still Delicate // fe means field element. Here the field is Z/(2^255-19). An element t, // entries t[0]...t[9], encodes the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 // t[3]+2^102 t[4]+...+2^230 t[9]. // fe limbs are bounded by 1.125*2^26, 1.125*2^25, 1.125*2^26 , etc. // Multiplication and carrying produce fe from fe_loose. typedef struct fe { uint32_t v[10]; } fe; // fe_loose limbs are bounded by 3.375*2^26, 3.375*2^25, 3.375*2^26 , etc. // Addition and subtraction produce fe_loose from (fe, fe). typedef struct fe_loose { uint32_t v[10]; } fe_loose; 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 1 Modular and finite field arithmetic 1/40 2/40 Finite fields The

883 views • 49 slides
How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria 1 / 20 Context, motivation, goals goal: efficient and formally verified

508 views • 22 slides
Weighted Finite State Transducer (WFST) Efficient algorithms for various operations. Weights

Weighted Finite State Transducer (WFST) Efficient algorithms for various operations. Weights

Prepared by Prof. Hui Jiang 12-11-21 (CSE6328) Weighted Finite State Transducer (WFST) Efficient algorithms for various operations. Weights Handle uncertainty in text, handwritten text, speech, image, biological sequences.

495 views • 13 slides
Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Introduction Unsatisfiability proof formats for SAT Verified efficient checking of clausal proofs Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics, Belgrade (joint work with Florian Haftmann, TU Munich)

516 views • 26 slides
How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria November 13, 2018 1/21 Context, motivation, goals goal: efficient and

564 views • 21 slides
How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria May 28, 2018 1/31 Context, motivation, goals goal: efficient and

663 views • 33 slides
Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo &amp; Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo &amp; Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo &amp; Javad Doliskani) Western University University of Waterloo July 9, 2015 Basics 2 / 30 Finite fields Definition A finite field is a field (a set with

750 views • 45 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Finite fields Definition Theorem (Field) Let F be a set with two binary operations + and . Let

Finite fields Definition Theorem (Field) Let F be a set with two binary operations + and . Let

Finite Fields Finite Fields AES AES Definition (Group) Let G be a set and be a binary operation defined on G , Definition i.e., : G G G . We say ( G , ) is a group if (Ring) Let R be a set with two binary operations + and

612 views • 5 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

I NTRODUCTION A S EQUENCE OF C HECKERS C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with Marijn Heule and Warren Hunt, Jr.) ACL2 Seminar The University of Texas at Austin

621 views • 49 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

T HE P ROBLEM T OWARDS A S OLUTION A S EQUENCE OF C HECKERS R ELATED W ORK C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions from Marijn Heule, Warren Hunt, and Nathan Wetzler)

216 views • 21 slides
Context This talk is about software for finite field arithmetic ( + . . . ; most

Context This talk is about software for finite field arithmetic ( + . . . ; most

The mp F q library and implementing curve-based key exchanges (yet another finite field library) Emmanuel Thom e, Pierrick Gaudry p. 1/21 Context This talk is about software for finite field arithmetic ( + . . . ; most

539 views • 25 slides
Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Efficient Binary Field Arithmetic and Applications to Curve-based Cryptography Diego F. Aranha Department of Computer Science University of Bras lia CHES 2012 Tutorial Diego F. Aranha Efficient Binary Field Arithmetic Part I: RELIC

738 views • 48 slides
A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

E LLIPTIC CURVES C RYPTOGRAPHY F RANCESCO P APPALARDI #3 - T HIRD L ECTURE . J UNE 18 TH 2019 WAMS S CHOOL : O I NTRODUCTORY TOPICS IN N UMBER T HEORY AND D IFFERENTIAL G EOMETRY King Khalid University Abha, Saudi Arabia A Finite Field Example

404 views • 13 slides
ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field

ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field

ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field Technology ICT Security &amp; Support Operations Operations Centre Operational Resilience 16 Peacekeeping missions (PKM) + UNSOA 20 Special

450 views • 10 slides
Cost Efficient Operations Cost Efficient Operations at Fira Barcelona at Fira Barcelona How to

Cost Efficient Operations Cost Efficient Operations at Fira Barcelona at Fira Barcelona How to

Cost Efficient Operations Cost Efficient Operations at Fira Barcelona at Fira Barcelona How to focus on what really counts How to focus on what really counts Introduction Halls 5 &amp; 7 2 venues: Montjuc and Gran Via under

421 views • 23 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
Summary of campaign results Control of major risks on civil construction sites (2011/12) Concrete

Summary of campaign results Control of major risks on civil construction sites (2011/12) Concrete

Workplace Health and Safety Queensland Summary of campaign results Control of major risks on civil construction sites (2011/12) Concrete pump and placement boom compliance campaign (2012) Control of major risks on civil construction sites

553 views • 15 slides
Scheme-Style Macros: Patterns and Lexical Scope Matthew Flatt University of Utah 1 Why Macros?

Scheme-Style Macros: Patterns and Lexical Scope Matthew Flatt University of Utah 1 Why Macros?

Scheme-Style Macros: Patterns and Lexical Scope Matthew Flatt University of Utah 1 Why Macros? Language designers have to stop somewhere (544 pages) No language can provide every possible useful construct Macros let a programmer fill in gaps

1.05k views • 70 slides
MESOS &amp; CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS &amp; CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS &amp; CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation support (a.k.a the docker like thing) Yan Xu xujyan WHAT IS A CONTAINER Loosely defined: a lightweight VM / OS-level virtualization /

620 views • 34 slides
Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign

Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign

Introduction Macro systems Variable Capture Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Introduction Macro systems Variable Capture Objectives You should be able

551 views • 15 slides
ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date:

ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date:

FILES &amp; DYNAMIC MEMORY ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date: Wednesday, Feb 25, 2009 Time: 8:00AM to 12:00 PM Venue: O267, O269, O231, O233 Chapters: Zelle chapters 1 to 12.1,

480 views • 16 slides
recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative)

recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative)

COMP 250 Lecture 12 recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative) k = 0 while n &gt; 0 { b[ k ] = n % 2 n = n / 2 k++ } Recall that in binary needs approximately bits.

663 views • 29 slides
On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with

On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with

On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with Maria Infusino, Joel Lebowitz, Eugene Speer) IWOTA 2019 Lisbon 26th July T. Kuna On truncated discrete moment problems Discrete truncated moment

299 views • 19 slides

More recommend