Usable verification of fast cryptographic software - Daniel J. Bernstein - PowerPoint PPT Presentation


SLIDE 1

Usable verification of fast cryptographic software
Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

SLIDE 2

[Diagram: terminal, processes, files, RAM, disk]

Operating-system kernel divides RAM among processes, divides disk among files. Provides convenient functions for processes to access files, start new processes, etc.


SLIDE 3

[Diagram: my terminal, my processes, my files; RAM, disk; Donald's processes, Donald's files, Donald's terminal]


SLIDE 4

Can Donald corrupt the data appearing on my terminal?

Attack: guess my password. Defense: I have a high-entropy randomly generated password.

Attack: replace the terminal with a rigged terminal that intercepts my password. Defense: physical security.

Attack: use my terminal earlier and leave a program running that looks like the usual login screen but intercepts my password. Defense: secure attention key.


SLIDE 5

Donald is authorized to store data on the same computer.

Attack: Donald stores data in my part of RAM, or my part of disk.

Two-part defense:

1. "Memory protection". Hardware does not allow processes to access data outside areas marked by kernel.
2. Kernel keeps track of which parts of RAM and disk are mine, and which parts are Donald's.


SLIDE 6

Bugs in this kernel code can compromise security, allowing Donald to write to my part of RAM or disk.

Fix: Eliminate the bugs! Bug-free code is expensive but not impossible when code volume is small enough.

Successful example: computer-verified proof of seL4 microkernel correctness, including RAM partitioning etc.


SLIDE 7

If a small bug-free kernel has cut off Donald's communication with me: I can run a 10000000-line program filled with bugs, and still be confident that Donald is unable to corrupt the output of the program.

The trusted computing base (TCB) is the part of the system that enforces security policy. The 10000000-line program is not part of the TCB.


SLIDE 8

But we want communication! Today: Alice sends me email. I download Bob's web page. These users are authorized to put data on my screen.

Security policy: Whenever the computer shows me a file, it also tells me the source of the file.

If Donald creates a file and convinces the computer to show me the file as having source "Alice" then this policy is violated.

SLIDE 9

Which part of the system enforces the security policy?


SLIDE 10

Which part of the system enforces the security policy?

Widely deployed software systems make no real efforts to limit this. There is some "security" code inside kernel and browser. But bugs in other code can and do compromise security. TCB has >30000000 lines.

Fix: rearchitect entire system so that a small TCB tracks sources of all data. Eliminate all bugs in TCB.


SLIDE 11

Cryptography in the TCB

What happens if data is sent through Donald's network?

Solution: Sender and receiver scramble communication in a way that Donald cannot understand and cannot silently corrupt.


SLIDE 12

OpenSSL crypto library has 500000 lines of code, and there are many other crypto libraries. All of this is in the TCB. Many devastating security bugs.

Why is crypto so big? Most important answer: the pursuit of performance. (Same issue elsewhere in TCB, but most blatant for crypto. The rest of this talk will focus on crypto.)


13

e.g. Variable-length-big-integer arithmetic library inside OpenSSL consumes 50000 lines of code. Includes 38 asm implementations

  • ptimized for various CPUs.

e.g. ECDSA signature verification: (H(M)=S)B + (x(R)=S)A = R, with S checked to be nonzero. OpenSSL has complicated code for fast computation of 1=S. Checking H(M)B + x(R)A = SR would be somewhat slower.

14

e.g. NIST P-256 prime $p$ is $2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$. ECDSA standard specifies reduction procedure given an integer “$A$ less than $p^2$”: Write $A$ as $(A_{15}; A_{14}; A_{13}; A_{12}; A_{11}; A_{10}; A_9; A_8; A_7; A_6; A_5; A_4; A_3; A_2; A_1; A_0)$, meaning $\sum_i A_i 2^{32i}$. Define $T; S_1; S_2; S_3; S_4; D_1; D_2; D_3; D_4$ as


15

$T = (A_7; A_6; A_5; A_4; A_3; A_2; A_1; A_0)$;
$S_1 = (A_{15}; A_{14}; A_{13}; A_{12}; A_{11}; 0; 0; 0)$;
$S_2 = (0; A_{15}; A_{14}; A_{13}; A_{12}; 0; 0; 0)$;
$S_3 = (A_{15}; A_{14}; 0; 0; 0; A_{10}; A_9; A_8)$;
$S_4 = (A_8; A_{13}; A_{15}; A_{14}; A_{13}; A_{11}; A_{10}; A_9)$;
$D_1 = (A_{10}; A_8; 0; 0; 0; A_{13}; A_{12}; A_{11})$;
$D_2 = (A_{11}; A_9; 0; 0; A_{15}; A_{14}; A_{13}; A_{12})$;
$D_3 = (A_{12}; 0; A_{10}; A_9; A_8; A_{15}; A_{14}; A_{13})$;
$D_4 = (A_{13}; 0; A_{11}; A_{10}; A_9; 0; A_{15}; A_{14})$.

Compute $T + 2S_1 + 2S_2 + S_3 + S_4 - D_1 - D_2 - D_3 - D_4$. Reduce modulo $p$ “by adding or subtracting a few copies” of $p$.
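The reduction as listed above, transcribed into an added Python example (this is neither OpenSSL's code nor code from the talk) and checked against ordinary big-integer arithmetic. `p256_reduce`, `words` and `self_check` are names chosen here; the word tuples are copied from the slide.

```python
import random

# Added example (not the talk's code): the P-256 reduction exactly as the slide lists it,
# checked against plain big-integer modulo.
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
WORD = 0xFFFFFFFF

def words(*ws):
    """Assemble eight 32-bit words into an integer; first argument is the most significant, as on the slide."""
    v = 0
    for w in ws:
        v = (v << 32) | w
    return v

def p256_reduce(A):
    """Return (A mod p, number of copies of p added or subtracted at the end) for 0 <= A < p^2."""
    assert 0 <= A < P256 * P256
    a = [(A >> (32 * i)) & WORD for i in range(16)]     # A = sum_i a[i] * 2^(32 i)
    T  = words(a[7],  a[6],  a[5],  a[4],  a[3],  a[2],  a[1],  a[0])
    S1 = words(a[15], a[14], a[13], a[12], a[11], 0,     0,     0)
    S2 = words(0,     a[15], a[14], a[13], a[12], 0,     0,     0)
    S3 = words(a[15], a[14], 0,     0,     0,     a[10], a[9],  a[8])
    S4 = words(a[8],  a[13], a[15], a[14], a[13], a[11], a[10], a[9])
    D1 = words(a[10], a[8],  0,     0,     0,     a[13], a[12], a[11])
    D2 = words(a[11], a[9],  0,     0,     a[15], a[14], a[13], a[12])
    D3 = words(a[12], 0,     a[10], a[9],  a[8],  a[15], a[14], a[13])
    D4 = words(a[13], 0,     a[11], a[10], a[9],  0,     a[15], a[14])
    r = T + 2 * S1 + 2 * S2 + S3 + S4 - D1 - D2 - D3 - D4
    # "by adding or subtracting a few copies" of p: the sum lies strictly between -4*2^256 and 7*2^256
    fixups = 0
    while r < 0:
        r += P256
        fixups += 1
    while r >= P256:
        r -= P256
        fixups += 1
    return r, fixups

def self_check(trials=200, seed=2016):
    """Compare with Python's big-integer modulo on edge cases and constructed random inputs.
    Raises on any mismatch; returns the largest fixup count observed."""
    rng = random.Random(seed)
    inputs = [0, P256 - 1, P256, P256 * P256 - 1, 2**256 - 1]
    inputs += [rng.randrange(P256 * P256) for _ in range(trials)]
    worst = 0
    for A in inputs:
        r, fixups = p256_reduce(A)
        if r != A % P256:
            raise AssertionError(f"mismatch for A={A:#x}")
        worst = max(worst, fixups)
    return worst
```

The word recombination only uses additions and subtractions of 256-bit values, which is why it is fast; the price is the data-dependent fixup loop at the end, whose iteration count a constant-time implementation must bound and flatten.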

16

Next-generation crypto

One of my favorite topics: removing tensions between security, simplicity, speed. In particular, designing simple high-security crypto setting new speed records. e.g. 2006 Bernstein “Curve25519” is twice as fast as standard ECC and much simpler to implement. >1000000000 Curve25519 users today: iOS, Signal, OpenSSH, Tor, QUIC, WhatsApp, more.

17

NaCl: fast easy-to-use high-security crypto library. Joint work with Lange and Schwabe. nacl.cr.yp.to

TweetNaCl: self-contained 100-tweet C library providing the same easy-to-use high-security functions. Joint work with van Gastel, Janssen, Lange, Schwabe, Smetsers. twitter.com/tweetnacl

Can we guarantee zero bugs in TweetNaCl? And in NaCl?

18

Biggest challenge: the gap between big-integer operations such as $a, b \mapsto ab \bmod (2^{255} - 19)$ and (e.g.) 32-bit operations. Some big-integer software has been formally verified. Could NaCl switch to this?

1. Not state-of-the-art speed. Okay for TweetNaCl; not NaCl.

2. Input-dependent timing. Timing can leak secret keys. Not okay even for TweetNaCl.

19

ACM CCS 2014 Chen–Hsu–Lin–Schwabe–Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: computer-aided proof of correctness of main loops in two high-speed asm Curve25519 implementations. Proof required extensive human effort for each implementation: many detailed annotations, plus higher-level composition work. Each proof also required many hours of computer time.

20

Joint work with Schwabe: new verifier gfverif focusing on arithmetic mod p. gfverif.cryptojedi.org

Automatically build computation graph from original code. Automatically analyze ranges, convert ops into polynomials. New peephole range optimizer. Ask human for occasional annotations expressing high-level computations on integers mod p.
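The gap named on slide 18 (operations mod $2^{255} - 19$ versus 16- or 32-bit machine operations) and the range analysis this slide describes, in one added Python example. It is not gfverif's or TweetNaCl's code, although it assumes TweetNaCl's layout of 16 limbs of 16 bits held in 64-bit integers. The same multiplication and carry code is run once on concrete integers and once on intervals, so the interval run bounds every intermediate value the way an automatic range analysis would; `Interval`, `mul_limbs`, `carry`, `range_analysis` and `self_check` are names chosen here.

```python
import random

# Added example (not the talk's, gfverif's or TweetNaCl's code): integers mod 2^255 - 19 as
# 16 limbs of 16 bits, with the limb code run on concrete ints and on intervals.
P25519 = 2**255 - 19
LIMBS, RADIX_BITS = 16, 16
MASK = (1 << RADIX_BITS) - 1
INT64_MAX = 2**63 - 1          # TweetNaCl stores limbs in int64, so this is the overflow line

class Interval:
    """Non-negative integer interval [lo, hi]. The limb code below runs unchanged over it,
    so every + , * , >> and & is evaluated on bounds instead of on values."""
    def __init__(self, lo, hi):
        assert 0 <= lo <= hi
        self.lo, self.hi = lo, hi
    @staticmethod
    def _wrap(o):
        return o if isinstance(o, Interval) else Interval(o, o)
    def __add__(self, o):
        o = self._wrap(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)
    __radd__ = __add__
    def __mul__(self, o):                      # sound because both intervals are non-negative
        o = self._wrap(o)
        return Interval(self.lo * o.lo, self.hi * o.hi)
    __rmul__ = __mul__
    def __rshift__(self, k):
        return Interval(self.lo >> k, self.hi >> k)
    def __and__(self, m):                      # masking: exact when the interval already fits m
        return Interval(self.lo, self.hi) if self.hi <= m else Interval(0, m)
    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"

def to_limbs(x):
    assert 0 <= x < 1 << (LIMBS * RADIX_BITS)
    return [(x >> (RADIX_BITS * i)) & MASK for i in range(LIMBS)]

def from_limbs(limbs):
    return sum(v << (RADIX_BITS * i) for i, v in enumerate(limbs))

def mul_limbs(a, b):
    """Schoolbook product polynomial, then fold: 2^256 = 2 * 2^255 == 2 * 19 = 38 (mod p)."""
    t = [0] * (2 * LIMBS - 1)
    for i in range(LIMBS):
        for j in range(LIMBS):
            t[i + j] += a[i] * b[j]
    for i in range(LIMBS - 1):
        t[i] += 38 * t[i + LIMBS]
    return t[:LIMBS]

def carry(t):
    """One carry pass; the carry out of the top limb is a multiple of 2^256 and folds back as 38x."""
    c = 0
    for i in range(LIMBS):
        v = t[i] + c
        t[i] = v & MASK
        c = v >> RADIX_BITS
    t[0] += 38 * c
    return t

def mul_mod_p(x, y):
    """Integer congruent to x*y mod p, as held in limbs after two carry passes (not fully canonical)."""
    return from_limbs(carry(carry(mul_limbs(to_limbs(x), to_limbs(y)))))

def range_analysis():
    """Run mul_limbs and carry over 'any 16-bit limb' intervals.
    Returns (largest possible coefficient before carrying, largest possible limb after two carries)."""
    any_limb = [Interval(0, MASK) for _ in range(LIMBS)]
    t = mul_limbs(any_limb, any_limb)
    before = max(v.hi for v in t)
    t = carry(carry(t))
    after = max(v.hi for v in t)
    return before, after

def self_check(trials=100, seed=25519):
    """The high-level annotation 'result == x*y mod p', checked on constructed inputs."""
    rng = random.Random(seed)
    pairs = [(P25519 - 1, P25519 - 1), (0, 12345), (2**255 - 1, 2**255 - 1)]
    pairs += [(rng.randrange(2**255), rng.randrange(2**255)) for _ in range(trials)]
    return all(mul_mod_p(x, y) % P25519 == (x * y) % P25519 for x, y in pairs)
```

Two things the interval run shows that the concrete run cannot: the largest product coefficient is $571 \cdot (2^{16}-1)^2$, far below $2^{63}$, so the int64 limbs cannot overflow; and after two carry passes limb 0 may still reach $2^{16} - 1 + 38$, so a final canonical reduction is needed before the value is compared or serialized. The only fact the analysis cannot see on its own is the intended meaning, result $\equiv x \cdot y \pmod p$, which is exactly the kind of statement the slide leaves to a human annotation.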

21

Have verified entire Curve25519 computation, not just main loop, for another implementation. Only 1 minute of computer time. Under 300 lines of easy annotations per implementation. Usable by crypto developers. Continuing to improve gfverif annotation language. Should be able to reduce below 100 annotations per implementation.