how to get an efficient yet verified arbitrary precision
play

How to get an efficient yet verified arbitrary-precision integer - PowerPoint PPT Presentation

Dec 29, 2023 •277 likes •508 views

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria 1 / 20 Context, motivation, goals goal: efficient and formally verified

  1. How to get an efficient yet verified arbitrary-precision integer library Raphaël Rieu-Helft (joint work with Guillaume Melquiond and Claude Marché) TrustInSoft Inria 1 / 20

  2. Context, motivation, goals goal: efficient and formally verified large-integer library GMP: widely-used, high-performance library tested, but hard to ensure good coverage (unlikely branches) correctness bugs have been found in the past idea: 1 formally verify GMP algorithms with Why3 2 extract efficient C code 2 / 20

  3. Outline 1 Reimplementing GMP using Why3 2 An example: schoolbook multiplication 3 Benchmarks, conclusions 3 / 20

  4. Reimplementing GMP using Why3 Reimplementing GMP using Why3 4 / 20

  5. Reimplementing GMP using Why3 Tool: the Why3 platform approach: file.mlw implement the GMP algorithms in WhyML Alt-Ergo verify them with Why3 CVC4 extract to C Why3 Z3 difficulties: preserve all GMP etc. implementation tricks file.ml file.c prove them correct extract to efficient C code 5 / 20

  6. Reimplementing GMP using Why3 An example: comparison large integer ≡ pointer to array of unsigned integers a 0 . . . a n − 1 called limbs n − 1 � a i β i usually β = 2 64 value ( a , n ) = i = 0 type ptr ’a = ... exception Return32 int32 let wmpn_cmp (x y: ptr uint64) (sz: int32): int32 = let i = ref sz in try while !i ≥ 1 do i := !i - 1; let lx = x[!i] in let ly = y[!i] in if lx � = ly then if lx > ly then raise (Return32 1) else raise (Return32 (-1)) done; 0 with Return32 r → r end 6 / 20

  7. Reimplementing GMP using Why3 Memory model simple memory model, more restrictive than C type ptr ’a = abstract { mutable data: array ’a ; offset: int } predicate valid (p:ptr ’a) (sz:int) = 0 ≤ sz ∧ 0 ≤ p.offset ∧ p.offset + sz ≤ plength p p.offset 0 1 2 3 4 5 6 7 8 p.data � �� � valid(p,5) val malloc (sz:uint32) : ptr ’a (* malloc(sz * sizeof(’a)) *) ... val free (p:ptr ’a) : unit (* free(p) *) ... no explicit address for pointers 7 / 20

  8. Reimplementing GMP using Why3 Alias control aliased C pointers ⇔ point to the same memory object aliased Why3 pointers ⇔ same data field only way to get aliased pointers: incr type ptr ’a = abstract { mutable data: array ’a ; offset: int } val incr (p:ptr ’a) (ofs:int32): ptr ’a (* p+ofs *) alias { result.data with p.data } ensures { result.offset = p.offset + ofs } ... val free (p:ptr ’a) : unit requires { p.offset = 0 } writes { p.data } ensures { p.data.length = 0 } Why3 type system: all aliases are known statically ⇒ no need to prove non-aliasing hypotheses 8 / 20

  9. Reimplementing GMP using Why3 Example specification: long multiplication specifications are defined in terms of value (** [wmpn_mul r x y sx sy] multiplies [(x, sx)] and [(y,sy)] and writes the result in [(r, sx+sy)]. [sx] must be greater than or equal to [sy]. Corresponds to [mpn_mul]. *) let wmpn_mul (r x y: ptr uint64) (sx sy: int32) : unit requires { 0 < sy ≤ sx } requires { valid x sx } requires { valid y sy } requires { valid r (sy + sx) } writes { r.data.elts } ensures { value r (sy + sx) = value x sx * value y sy } Why3 typing constraint: r cannot be aliased to x or y simplifies proofs : aliases are known statically we need separate functions for in-place operations 9 / 20

  10. Reimplementing GMP using Why3 Extraction mechanism goals: simple, straightforward extraction (trusted) performance: no added complexity, no closures or indirections inefficiencies caused by extraction must be optimizable by the compiler tradeoff: handle only a small, C-like fragment of WhyML ✓ loops ✗ polymorphism, abstract types ✓ references ✗ higher order ✓ machine integers ✗ mathematical integers ✓ manual memory management ✗ garbage collection 10 / 20

  11. Reimplementing GMP using Why3 Comparison: extracted C code int32_t wmpn_cmp(uint64_t * x, let wmpn_cmp (x y: ptr uint64) uint64_t * y, (sz: int32): int32 int32_t sz) { = let i = ref sz in int32_t i, o; try uint64_t lx , ly; while !i ≥ 1 do i = (sz); i := !i - 1; while (i >= 1) { let lx = x[!i] in o = (i - 1); i = o; let ly = y[!i] in lx = (*(x+(i))); if lx � = ly then ly = (*(y+(i))); if lx > ly if (lx != ly) { then raise (Return32 1) if (lx > ly) return (1); else raise (Return32 (-1)) else return ( -(1)); done; } 0 } with Return32 r → r return (0); end } 11 / 20

  12. An example: schoolbook multiplication An example: schoolbook multiplication 12 / 20

  13. An example: schoolbook multiplication Schoolbook multiplication simple algorithm, optimal for smaller sizes GMP switches to divide-and-conquer algorithms at ∼ 20 words mp_limb_t mpn_mul (mp_ptr rp , mp_srcptr up , mp_size_t un , mp_srcptr vp , mp_size_t vn) { /* We first multiply by the low order limb. This result can be stored , not added , to rp. We also avoid a loop for zeroing this way. */ rp[un] = mpn_mul_1 (rp , up , un , vp [0]); /* Now accumulate the product of up[] and the next higher limb from vp []. */ while (--vn >= 1) { rp += 1, vp += 1; rp[un] = mpn_addmul_1 (rp , up , un , vp [0]); } return rp[un]; } 13 / 20

  14. An example: schoolbook multiplication Why3 implementation while !i < sy do invariant { value r (!i + sx) = value x sx * value y !i } ly := get_ofs y !i; let c = addmul_limb !rp x !ly sx in set_ofs !rp sx c; i := !i + 1; !rp := C.incr !rp 1; done; ... 14 / 20

  15. An example: schoolbook multiplication Why3 implementation while !i < sy do invariant { 0 ≤ !i ≤ sy } invariant { value r (!i + sx) = value x sx * value y !i } invariant { (!rp).offset = r.offset + !i } invariant { plength !rp = plength r } invariant { pelts !rp = pelts r } variant { sy - !i } ly := get_ofs y !i; let c = addmul_limb !rp x !ly sx in value_sub_update_no_change (pelts r) ((!rp).offset + sx) r.offset (r.offset + !i) c; set_ofs !rp sx c; i := !i + 1; value_sub_tail (pelts r) r.offset (r.offset + sx + k); value_sub_tail (pelts y) y.offset (y.offset + k); value_sub_concat (pelts r) r.offset (r.offset + k) (r.offset + k + sx); assert { value r (!i + sx) = value x sx * value y !i by ... so ... so ... (* 20+ subgoals *) }; !rp := C.incr !rp 1; done; ... 14 / 20

  16. An example: schoolbook multiplication Building block: addmul_limb (** [addmul_limb r x y sz] multiplies [(x, sz)] by [y], adds the [sz] least significant limbs to [(r, sz)] and writes the result in [(r,sz)]. Returns the most significant limb of the product plus the carry of the addition. Corresponds to [mpn_addmul_1].*) let addmul_limb (r x: ptr uint64) (y: uint64) (sz: int32): uint64 requires { valid x sz } requires { valid r sz } ensures { value r sz + (power radix sz) * result = value (old r) sz + value x sz * y } writes { r.data.elts } ensures { forall j. j < r.offset ∨ r.offset + sz ≤ j → r[j] = (old r)[j] } adds y × x to r does not change the contents of r outside the first sz cells called on r + i , x and y i for 0 ≤ i ≤ sy 15 / 20

  17. An example: schoolbook multiplication Extracted code void mul(uint64_t * r12 , uint64_t * x15 , uint64_t * y13 , int32_t sx4 , int32_t sy4) { uint64_t ly9 , c8 , res16; uint64_t * rp3; int32_t i16 , o28; uint64_t * o29; ly9 = (*( y13 )); c8 = (mul_limb(r12 , x15 , ly9 , sx4 )); *( r12 +( sx4 )) = c8; rp3 = (r12 +(1)); i16 = (1); while (i16 < sy4) { ly9 = *( y13 +( i16 )); res16 = ( addmul_limb (rp3 , x15 , ly9 , sx4 )); *( rp3 +( sx4 )) = res16; o28 = (i16 + 1); i16 = o28; o29 = (rp3 +(1)); (rp3) = o29; } return (*( rp3 +( sx4 - 1))); } not as concise as GMP, but close enough to be optimized by the compiler 16 / 20

  18. Benchmarks, conclusions Benchmarks, conclusions 17 / 20

  19. Benchmarks, conclusions Comparison with GMP we compare with GMP without assembly (option --disable-assembly ) we only consider inputs of 20 words or less ( ∼ 1300 bits) ⇒ above that, GMP uses different algorithms multiplication: less than 5 % slower than GMP division: ∼ 10 % slower than GMP except for very small inputs except for sx very close to sy ⇒ GMP uses a different algorithm for sy > sx / 2, to do performances are very dependent on the compiled code of the primitives ongoing: link to GMP to use the exact same primitives 18 / 20

  20. Benchmarks, conclusions Proof effort 6000 lines of Why3 code 1350 of programs 4650 of specifications and (mostly) assertions 4200 subgoals, around two thirds are for division large proof contexts, nonlinear arithmetic ⇒ many long assertions are needed even for some “easy” goals Ongoing: use computational reflection to automate some proofs and delete the assertions ⇒ ∼ 700 lines of assertions deleted, work in progress ⇒ removes the need for some tedious proofs, but still finnicky 19 / 20

  21. Benchmarks, conclusions Conclusions verified C library, bit-compatible with GMP GMP mpn functions implemented: schoolbook add, sub, mul, div, shifts, divide-and-conquer multiplication (wip) GMP implementation tricks preserved ⇒ satisfactory performances in the handled cases new Why3 features: extraction and memory model for C alias of return value and parameter Why3 framework for proofs by reflection coming soon: divide-and-conquer algorithms for multiplication and division GMP mpz functions extract specifications as well? 20 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria November 13, 2018 1/21 Context, motivation, goals goal: efficient and

564 views • 21 slides
How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria May 28, 2018 1/31 Context, motivation, goals goal: efficient and

663 views • 33 slides
Arb: efficient arbitrary-precision midpoint-radius interval arithmetic Fredrik Johansson LFANT,

Arb: efficient arbitrary-precision midpoint-radius interval arithmetic Fredrik Johansson LFANT,

Arb: efficient arbitrary-precision midpoint-radius interval arithmetic Fredrik Johansson LFANT, Inria Bordeaux &amp; Institut de Math ematiques de Bordeaux 24th IEEE Symposium on Computer Arithmetic (ARITH 24) Imperial College London, UK,

308 views • 26 slides
Faster arbitrary-precision dot product and matrix multiplication Fredrik Johansson Inria

Faster arbitrary-precision dot product and matrix multiplication Fredrik Johansson Inria

Faster arbitrary-precision dot product and matrix multiplication Fredrik Johansson Inria Bordeaux 26th IEEE Symposium on Computer Arithmetic (ARITH 26) Kyoto, Japan June 10, 2019 1 / 26 Arbitrary-precision arithmetic Precision: p 2 bits

879 views • 35 slides
Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Introduction Unsatisfiability proof formats for SAT Verified efficient checking of clausal proofs Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics, Belgrade (joint work with Florian Haftmann, TU Munich)

516 views • 26 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

I NTRODUCTION A S EQUENCE OF C HECKERS C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with Marijn Heule and Warren Hunt, Jr.) ACL2 Seminar The University of Texas at Austin

621 views • 49 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

T HE P ROBLEM T OWARDS A S OLUTION A S EQUENCE OF C HECKERS R ELATED W ORK C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions from Marijn Heule, Warren Hunt, and Nathan Wetzler)

216 views • 21 slides
Correctly Rounded Arbitrary-Precision Floating-Point Summation Vincent LEFVRE AriC, Inria

Correctly Rounded Arbitrary-Precision Floating-Point Summation Vincent LEFVRE AriC, Inria

Correctly Rounded Arbitrary-Precision Floating-Point Summation Vincent LEFVRE AriC, Inria Grenoble Rhne-Alpes / LIP, ENS-Lyon ARITH 23, Santa Clara, CA, USA 2016-07-11 [arith23.tex 90371 2016-07-10 17:27:32Z vinc17/zira] Introduction

801 views • 17 slides
Automatic Generation of High Throughput Energy Efficient Streaming Architectures for Arbitrary

Automatic Generation of High Throughput Energy Efficient Streaming Architectures for Arbitrary

Automatic Generation of High Throughput Energy Efficient Streaming Architectures for Arbitrary Fixed Permutations Ren Chen, Viktor K. Prasanna Ming Hsieh Department of Electrical Engineering Presented by: Ajitesh Srivastava, Department of

614 views • 33 slides
Efficient Cryptography on the RISC-V Architecture Ko Stoffelen Tl;dr In this talk: Fast

Efficient Cryptography on the RISC-V Architecture Ko Stoffelen Tl;dr In this talk: Fast

Efficient Cryptography on the RISC-V Architecture Ko Stoffelen Tl;dr In this talk: Fast AES-128 assembly for RV32I Fast ChaCha20 assembly for RV32I Fast Keccak- f [1600] assembly for RV32I Fast arbitrary-precision integer

421 views • 19 slides
Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona State), Jingyu He (Chicago Booth), Hedibert Lopes (INSPER) November 21, 2018 1 Motivation Goal: run a Gaussian linear regression and a new prior

1.01k views • 52 slides
Computation of the error functions erf and erfc in arbitrary precision with correct rounding

Computation of the error functions erf and erfc in arbitrary precision with correct rounding

Computation of the error functions erf and erfc in arbitrary precision with correct rounding Sylvain Chevillard Arenaire, LIP, ENS-Lyon, France Sylvain.Chevillard@ens-lyon.fr Nathalie Revol INRIA, Arenaire, LIP, ENS-Lyon, France

630 views • 37 slides
Efficient and Verified Finite-Field Operations Andres Erbsen, Jade Philipoom, Jason Gross, Robert

Efficient and Verified Finite-Field Operations Andres Erbsen, Jade Philipoom, Jason Gross, Robert

Efficient and Verified Finite-Field Operations Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, Adam Chlipala RWC 2019 g i t h u b . c o m / m i t - p l v / fi a t - c r y p t o Example of Tricky Tedium:

513 views • 25 slides
High Performance and Energy Efficient Machine Learning Accelerators and Variable Precision

High Performance and Energy Efficient Machine Learning Accelerators and Variable Precision

High Performance and Energy Efficient Machine Learning Accelerators and Variable Precision Circuits for Sub-10nm Microprocessors (Invited Paper) Ram Krishnamurthy Senior Principal Engineer &amp; Director of High Performance and Low Voltage

609 views • 28 slides
Efficient implementation of elementary functions in the medium-precision range Fredrik Johansson

Efficient implementation of elementary functions in the medium-precision range Fredrik Johansson

Efficient implementation of elementary functions in the medium-precision range Fredrik Johansson (LFANT, INRIA Bordeaux) 22nd IEEE Symposium on Computer Arithmetic (ARITH 22), Lyon, France, June 2015 1 / 27 Elementary functions Functions :

1.16k views • 72 slides
Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient

Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient

Propositional Logic Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient satisfiability check for the special class of Horn formulas. Efficient satisfiability checks for arbitrary formulas in CNF:

459 views • 6 slides
Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next

Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next

Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next Pool::head Pool::free(void *) Pool Pool::purge() Block_pool_ATTLC::free() Block_header_ATTLC Block_header_ATTLC::next Block_pool_ATTLC::head

362 views • 12 slides
Head First into GlobalISel Or: How to delete SelectionDAG in 100* easy commits 1 LLVM Dev Meeting

Head First into GlobalISel Or: How to delete SelectionDAG in 100* easy commits 1 LLVM Dev Meeting

Head First into GlobalISel Or: How to delete SelectionDAG in 100* easy commits 1 LLVM Dev Meeting 2017 Justin Bogner, Aditya Nandakumar, Daniel Sanders Apple Porting to GlobalISel What is the structure of a GlobalISel backend? How

2.04k views • 177 slides
Valuing ISR Resources Tod S. Levi6 * , Kellen G. Leister * ,

Valuing ISR Resources Tod S. Levi6 * , Kellen G. Leister * ,

Valuing ISR Resources Tod S. Levi6 * , Kellen G. Leister * , Ronald F. Woodaman * , Jerrit K. Askvig * , Kathryn B. Laskey * , Rick Hayes-Roth ,

862 views • 46 slides
ESQPT in systems with long-range interactions Lea F. Santos Yeshiva University, New York, NY, USA

ESQPT in systems with long-range interactions Lea F. Santos Yeshiva University, New York, NY, USA

ESQPT in systems with long-range interactions Lea F. Santos Yeshiva University, New York, NY, USA Francisco Prez-Bernal Universidad de Huelva, Spain G. Luca Celardo and Fausto Borgonovi Universita Cattolica del Sacro Cuore, Italy

425 views • 31 slides
Divide and Conquer Algorithms Divide-and-Conquer The most-well known algorithm design strategy:

Divide and Conquer Algorithms Divide-and-Conquer The most-well known algorithm design strategy:

Divide and Conquer Algorithms Divide-and-Conquer The most-well known algorithm design strategy: 1. Divide instance of problem into two or more smaller instances 2. Solve smaller instances recursively 3. Obtain solution to original (larger)

861 views • 54 slides
Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014

The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014

The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014 Planck vs. ACT Consitent Parameters P -217x217 WMAP9+ACT PLANCK+WP Spectral Index 0.97430.0087 0.973 0.011 0.96030.0073 Matter Density

870 views • 43 slides
Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and Austin R. Benson Department of Computer Science, Cornell University ICML 2020 Discrete choice models Goal Model human choices 1 / 19 Discrete choice

1.2k views • 77 slides

More recommend