jasmin high assurance and high speed cryptography
play

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar - PowerPoint PPT Presentation

Jan 11, 2024 •129 likes •440 views

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

  1. Jasmin: High-Assurance and High-Speed Cryptography José Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grégoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS’17 — 2017-11-02 Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 0 / 22

  2. Implementing “crypto”: a subtle equilibrium ◮ Correct ◮ Fast ◮ Secure (side-channel free) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 1 / 22

  3. A gap between C and assembly C ◮ Portable ◮ Convenient software-engineering abstractions ◮ Readable, maintainable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 2 / 22

  4. A gap between C and assembly C ◮ Portable ◮ Convenient software-engineering abstractions ◮ Readable, maintainable Assembly ◮ Efficiency ◮ Control (instruction selection and scheduling) ◮ Precise semantics Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 2 / 22

  5. Jasmin: the blossoming programming language A language A formal semantics A (correct) compiler Tooling for proof of safety and leakage-freedom Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 3 / 22

  6. Jasmin by example Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 4 / 22

  7. Jasmin “Hello World!” (constant-time swapping) Zero-cost abstractions param int n = 4; inline ◮ Variable names fn cswap (stack b64[n] x, stack b64[n] y, reg b64 swap) → stack b64[n], stack b64[n] { ◮ Global parameters − reg b64 tmp1, tmp2, mask; inline int i; ◮ Arrays mask = swap * 0xffffffffffffffff; ◮ Loops for i = 0 to n { tmp1 = x[i]; ◮ Inline functions (with custom tmp1 ^= y[i]; tmp1 &= mask; calling conventions) tmp2 = x[i]; tmp2 ^= tmp1; x[i] = tmp2; tmp2 = y[i]; tmp2 ^= tmp1; y[i] = tmp2; } return x, y; } Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 5 / 22

  8. Control down to the instruction-set architecture level reg bool cf; reg b64 addt0, addt1, t10, t11, t12, t13; // . . . t10 = [workp + 4 * 8]; t11 = [workp + 5 * 8]; t12 = [workp + 6 * 8]; t13 = [workp + 7 * 8]; // . . . cf, t10 += [workp + 8 * 8]; cf, t11 += [workp + 9 * 8] + cf; cf, t12 += [workp + 10 * 8] + cf; cf, t13 += [workp + 11 * 8] + cf; addt0 = 0; addt1 = 38; addt1 = addt0 if ! cf; ◮ Direct memory access ◮ The carry flag is an ordinary boolean variable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 6 / 22

  9. Control down to the instruction-set architecture level reg bool cf; reg b64 i, j; reg b64 addt0, addt1, t10, t11, t12, t13; stack b64 is, js; // . . . // . . . t10 = [workp + 4 * 8]; j = 62; t11 = [workp + 5 * 8]; i = 3; t12 = [workp + 6 * 8]; while (i >=s 0) { t13 = [workp + 7 * 8]; is = i; // . . . // . . . cf, t10 += [workp + 8 * 8]; while (j >=s 0) { cf, t11 += [workp + 9 * 8] + cf; js = j; cf, t12 += [workp + 10 * 8] + cf; // . . . cf, t13 += [workp + 11 * 8] + cf; j = js; j -= 1; addt0 = 0; } addt1 = 38; j = 63; i = is; i -= 1; addt1 = addt0 if ! cf; } ◮ Direct memory access ◮ Control over loop unrolling ◮ The carry flag is an ordinary boolean ◮ Control over spilling variable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 6 / 22

  10. The Jasmin compiler Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 7 / 22

  11. Goals / Features ◮ Predictability and control of the generated assembly ◮ Zero-cost abstractions ◮ Correct (Coq proofs, machine-checked) ◮ Preserves constant-time Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 8 / 22

  12. Compilation passes ◮ For loop unrolling ◮ Function inlining ◮ Constant-propagation ◮ Redundancy elimination ◮ Sharing of stack variables ◮ Register array expansion ◮ Lowering ◮ Register allocation ◮ Linearization Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 9 / 22

  13. A correctness theorem Each pass proved on its own Maximal use of validation Reuse of a single checker (core) for various passes Suitable theorem for libraries (aka separate compilation) Theorem (Jasmin compiler correctness) ∀ p p ′ · compile ( p ) = ok ( p ′ ) − → ∀ f · f ∈ exports ( p ) − → ∀ v a m v r m ′ · enough-stack-space ( f , p ′ , m ) − → → f , v a , m ⇓ p ′ v r , m ′ f , v a , m ⇓ p v r , m ′ − Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 10 / 22

  14. Beyond correctness Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 11 / 22

  15. Automatic proof of memory safety fn pack (reg u64 rp, reg u64[4] xa) //@ requires valid(rp, 0 * 8, 4 * 8 - 1); { inline int i; ◮ Goal: prove that all memory accesses are valid. ◮ Require user annotations: function xa = freeze(xa); preconditions, loop invariants. for i = 0 to 3 ◮ Translate to Dafny //@ invariant valid(rp, 0 * 8, 4 * 8 - 1); { ◮ Reuse the Dafny · Boogie infrastructure [rp + (i * 8)] = xa[i]; } } Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 12 / 22

  16. Automatic proof of constant-time fn mladder (stack u64[4] xr, reg u64 sp) ◮ Goal: prove that a function is “constant-time” → (stack u64[4], stack u64[4]) − ◮ Require user annotations: function //@ security requires public(sp); { preconditions, loop invariants. . . . ◮ Translate to Dafny then Boogie while (i >=s 0) ◮ Build a product program and check that the //@ security invariant public(i); product is safe (technique adapted from the { . . . CT-verif tool) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 13 / 22

  17. Jasmin for secure programming ◮ Infrastructure for automatic checks ◮ The compiler preserves functional correctness, safety, constant-time ◮ Known verification techniques apply to Jasmin programs ◮ Jasmin high-level features make automatic verification easier: arbitrary while loops and pointer arithmetic are seldom used. Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 14 / 22

  18. Running Jasmin programs Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 15 / 22

  19. Jasmin programs as libraries ◮ Compliant with standard ABI ◮ Link with your own programs written in assembly, C, OCaml, Rust. . . Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 16 / 22

  20. Experiment: from qhasm to Jasmin qhasm ◮ A high-level assembly language by D. Bernstein ◮ “Included” in Jasmin ◮ . . . hence easy automatic translation from qhasm to Jasmin Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 17 / 22

  21. Experiment: from qhasm to Jasmin qhasm ◮ A high-level assembly language by D. Bernstein ◮ “Included” in Jasmin ◮ . . . hence easy automatic translation from qhasm to Jasmin Supercop ◮ A cool infrastructure for testing and comparing crypto implementations ◮ Includes various examples written in qhasm ◮ A nice supply of Jasmin programs (since there are not many Jasmin programmers yet) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 17 / 22

  22. Jasmin in Supercop which compilation Implementation qhasm Jasmin Ratio variables X25519-4limb-base 147 084 148 914 1 . 012 come X25519-4limb 147 890 148 922 1 . 006 on X25519-4limb-jasmin 143 982 X25519-5limb-base 148 354 147 200 0 . 992 prop- X25519-5limb 148 572 147 090 0 . 990 opti- ed25519-5limb-keypair 55 364 56 594 1 . 022 constant- ed25519-5limb-sign 83 430 85 038 1 . 019 anal- ed25519-5limb-open 182 520 188 180 1 . 031 and design, salsa20 12 322 12 460 1 . 011 compiler. In salsa20-xor 12 208 12 252 1 . 004 should impose Figure 1: Supercop cycle count Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 18 / 22

  23. Conclusions Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 19 / 22

  24. Present ◮ The Jasmin language ◮ Correct compiler for x64 ◮ Automatic checkers for safety and constant-time ◮ Programs obtained from qhasm Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 20 / 22

  25. Future ◮ More target architectures ◮ Vector instructions ◮ Logic and verification tools ◮ Write more programs Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 21 / 22

  26. Thanks ¿ Questions ? https://github.com/jasmin-lang/jasmin Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 22 / 22

  27. Extra Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 23 / 22

  28. Jasmin vs. qhasm qhasm ◮ Multi-platform ◮ Vector instructions Jasmin ◮ Loops ◮ Arrays ◮ Functions ◮ Formal semantics ◮ Proof of correctness Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 24 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B. Almeida, M. Barbosa, G. Barthe, B. Grgoire, A. Koutsos , V. La- porte, T. Oliveira, P-Y. Strub Octobre 9th, 2019 1 Context 2 Context Cryptographic

985 views • 57 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides
High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Picture credits: geeky-gadgets.com ; Star Trek The Internet of Things Andrew Myers, Stanford Report, 2011.02.11:

543 views • 36 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin

A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin

A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) Thanks to Peter Schwabe (Radboud University) NEXTLEAP (nextleap.eu) Harry Halpin Harry.halpin@inria.fr Prosecco @harryhalpin High Assurance

490 views • 16 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

1.36k views • 44 slides
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder Interface for Overview New linear position/velocity sensor Non-contact High resolution High speed Based on proven

320 views • 27 slides
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA

Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA

Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share the same secret key . Key Ciphertext

1.17k views • 59 slides
Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019 The

553 views • 52 slides
Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine Cryptographic Attacks Artem Pavlenko, Maxim Buzdalov, Vladimir Ulyantsev GECCO 2019, July 16 Symmetric cryptography Alice wants to send a secret

715 views • 44 slides
ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael @vixentael

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael @vixentael

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :) CRYPTOGRAPHY? Blowfish Twofish Rabbit Salsa20 AES OFB

1.03k views • 69 slides
Consultative Committee for Photometry and Radiometry CCPR Dr Takashi USUDA CCPR President and

Consultative Committee for Photometry and Radiometry CCPR Dr Takashi USUDA CCPR President and

Consultative Committee for Photometry and Radiometry CCPR Dr Takashi USUDA CCPR President and CIPM member (NMIJ Japan) 25 th meeting of the CGPM Scope of the CCPR Consultative Committee for Photometry Describes the

420 views • 9 slides
Coordinator: Technikon Forschungs- und Planungsgesellschaft mbH coordination@futuretpm.com

Coordinator: Technikon Forschungs- und Planungsgesellschaft mbH coordination@futuretpm.com

The FutureTPM project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No 779391. Coordinator: Technikon Forschungs- und Planungsgesellschaft mbH coordination@futuretpm.com

495 views • 15 slides
OVERVIEW OF TALK 1. Introduction and Context 2. Design Philosophy and General PRNG Struc- ture

OVERVIEW OF TALK 1. Introduction and Context 2. Design Philosophy and General PRNG Struc- ture

THE YARROW-160 PRNG John Kelsey, Bruce Schneier, and Niels Ferguson Counterpane Systems 101 E. Minnehaha Pkwy Minneapolis, MN 55419 { kelsey,schneier,niels } @counterpane.com http://www.counterpane.com 1 OVERVIEW OF TALK 1. Introduction and

463 views • 23 slides
BLOCKCHAIN & Cryptocurrency Members of FAN Include: FLagency.net Florida Agency Network

BLOCKCHAIN & Cryptocurrency Members of FAN Include: FLagency.net Florida Agency Network

BLOCKCHAIN & Cryptocurrency Members of FAN Include: FLagency.net Florida Agency Network Locations APOLLO BEACH NEW TAMPA SOUTH TAMPA Paramount Title Hillsborough Title Hillsborough Title BRANDON PANAMA

574 views • 35 slides

More recommend