Certified computer-aided cryptography

Almeida, José Bacelar; Barbosa, Manuel; Barthe, Gilles; Dupressoir, François

doi:10.1145/2508859.2516652

Cited by 30 publications

(4 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, several other works focus on secure refinement for a certain class of programs, e.g., stream processing functions [36], schedulers [11], cryptographic algorithms [37,38], or security protocols [39,40]. These approaches typically employ models tailored to their use case and the specific desired information flow properties.…”

Section: Morgan and Mcivermentioning

confidence: 99%

On Compositional Information Flow Aware Refinement

Baumann

Dam

Guanciale

et al. 2021

2021 IEEE 34th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

The concepts of information flow security and refinement are known to have had a troubled relationship ever since the seminal work of McLean. In this work we study refinements that support changes in data representation and semantics, including the addition of state variables that may induce new observational power or side channels. We propose a new epistemic approach to ignorance-preserving refinement where an abstract model is used as a specification of a system's permitted information flows, that may include the declassification of secret information. The core idea is to require that refinement steps must not induce observer knowledge that is not already available in the abstract model. Our study is set in the context of a class of shared variable multiagent models similar to interpreted systems in epistemic logic. We demonstrate the expressiveness of our framework through a series of small examples and compare our approach to existing, stricter notions of information-flow secure refinement based on bisimulations and noninterference preservation. Interestingly, noninterference preservation is not supported "out of the box" in our setting, because refinement steps may introduce new secrets that are independent of secrets already present at abstract level. To support verification, we first introduce a "cube-shaped" unwinding condition related to conditions recently studied in the context of value-dependent noninterference, kernel verification, and secure compilation. A fundamental problem with ignorancepreserving refinement, caused by the support for general data and observation refinement, is that sequential composability is lost. We propose a solution based on relational pre-and postconditions and illustrate its use together with unwinding on the oblivious RAM construction of Chung and Pass.

show abstract

Section: Morgan and Mcivermentioning

confidence: 99%

On Compositional Information Flow Aware Refinement

Baumann

Dam

Guanciale

et al. 2021

2021 IEEE 34th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…In the following, we use Keccak-p as shorthand for this permutation. 2 In this section we first describe the Sponge construction and the SHA-3 functions. Then we explain how the Sponge construction offers very strong security properties, when the underlying permutation is modelled as a purely random object, and why this gives strong heuristic evidence for the security of the SHA-3 functions in real world use.…”

Section: Technical Overviewmentioning

confidence: 99%

“…the padding algorithm pad, and iii. the rate (or block size) r. We write c for the construction's 2 We note that the standard in fact defines a family of permutations, indexed by state size and number of rounds, but only approves Keccak-p[1600, 24] for use in SHA-3 and other standards. All discussions related to the permutation in this paper focus on Keccak-p[1600, 24] unless otherwise specified.…”

Section: The Sponge Constructionmentioning

confidence: 99%

See 1 more Smart Citation

Machine-Checked Proofs for Cryptographic Standards

Almeida

Baritel-Ruet

Barbosa

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

We present a high-assurance and high-speed implementation of the SHA-3 hash function. Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing attack resistance in the EasyCrypt proof assistant. Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive.Concretely, our mechanized proofs show that: 1) the SHA-3 hash function is indifferentiable from a random oracle, and thus is resistant against collision, first and second preimage attacks; 2) the SHA-3 hash function is correctly implemented by a vectorized x86 implementation. Furthermore, the implementation is provably protected against timing attacks in an idealized model of timing leaks. The proofs include new EasyCrypt libraries of independent interest for programmable random oracles and modular indifferentiability proofs.

show abstract

Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification

Almeida

Barbosa

Barthe

et al. 2020

Progress in Cryptology – INDOCRYPT 2020

Self Cite

View full text Add to dashboard Cite

We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced.

show abstract

Certified computer-aided cryptography

Cited by 30 publications

References 29 publications

On Compositional Information Flow Aware Refinement

On Compositional Information Flow Aware Refinement

Machine-Checked Proofs for Cryptographic Standards

Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification

Contact Info

Product

Resources

About