Your SlideShare is downloading. ×
Coqによる暗号アルゴリズムの実装の安全性検証
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Coqによる暗号アルゴリズムの実装の安全性検証

3,120
views

Published on

Coq庵での発表資料

Coq庵での発表資料

Published in: Education

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,120
On Slideshare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
27
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide




















  • Transcript

    • 1. 1 /18
    • 2. ▶ ▶ ▶ 2 /18
    • 3. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 3 /18
    • 4. ▶ • • 4 /18
    • 5. ▶ ▶ , , ... 5 /18
    • 6. ▶ ▶ ▶ ▶ BBS ▶ x0 ← seed; M ← modulus xi+1 = xi2 mod M; bi = lsb(xi) ▶ 6 /18
    • 7. ▶ ▶ ▶ seed, modulus BBS 0 1 1 0 1 0 ··· × guess next ? 1 Pr[guess = next] ≒ 0.5 output or 2 ? k Pr[output = ] ≒ 0.5 , Pr 7 /18
    • 8. ▶ BBS Coq seed, modulus BBS BBS (x86_64) seed = 4, modulus=11×19 0: addq %r9, %r9 1: movq %r9, 16(%rsp) 16 = 0001000 0 2: movq -56(%rsp), %rax xi+1 = xi2 mod M 3: salq $4, %rax 47 = 0010111 1 4: movq %rax, 8(%rsp) 5: movq $0, -16(%rsp) 119 = 0111011 1 6: movq -56(%rsp), %rdx 158 = 1001111 0 7: incq %rdx ... 93 = 0101110 1 383: cmpq %rcx, %r10 01 384: jne 0b 80 = 0101000 0 10 385: movq %rdx, -8(%r8, %rcx, 8) 10 : : 386: jmp L26 ·· · ? = ▶ BBS : ∀seed modulus, bbs_fun seed modules = decode (Exec[[bbs_prg]] (encode l seed modulus)) 8 /18
    • 9. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 9 /18
    • 10. Parameter code : Code. ▶ code Fixpoint bbs(l:nat)(x M:Z):list bool:= match l with | O => nil ▶ bbs | S l’ => let x’ := x*x mod M in lsb x’ :: bbs l’ x’ end. ▶ sem_code Parameter sem_code : ▶ encode State -> Code -> State. State Parameter encode : nat -> Z -> Z -> State. Parameter decode : ▶ decode State -> list bool. Theorem correct : ▶ correct forall len seed M final_state, sem_code (encode len seed M) code final_state -> decode final_state = bbs len seed. 10 /18
    • 11. Record Store : Set := { ▶ Store get_cf : bool; get_zf : bool; get_regs : list Int64; get_memory : list Int64 }. ▶ (* register definitions *) Definition RAX := 0%nat. Definition RCX := 2%nat. Definition RDX := 3%nat. Definition RSI := 4%nat. ▶ Int64 Definition RDI := 5%nat. (* ... *) ▶ State Definition State := (nat * Store)%type. ▶ Store 11 /18
    • 12. Inductive Cond : Set := | carry : Cond ▶ Cond | zero : Cond | not : Cond -> Cond. ▶ Instr Inductive Instr : Set := | clc : Instr | rcl_a : Addr -> Instr | dec_r : nat -> Instr ▶ BCode ... . Inductive BCode : Set := ▶ | instr : nat -> Instr -> BCode | goto : nat -> nat -> BCode | cgoto : nat -> Cond -> nat -> ▶ Code BCode. Inductive Code : Set := | empty : Code ▶ comp | bcode :> BCode -> Code | comp : Code -> Code -> Code. 12 /18
    • 13. c_instr sem_code(l,s)(instr l i)(S l, sem_insn s i) ▶ l<>l’ c_goto sem_code(l,s)(goto l l’)(l’,s) sem_cond s cond = true l<>l’ c_cgoto_true sem_code(l,s)(cgoto l cond l’)(l’,s) sem_cond s cond = false c_cgoto_false ▶ sem_code(l,s)(cgoto l cond l’)(S l, s) l∈dom c1 sem_code(l,s)c1(l’,s’) c_comp_left sem_code(l’,s’)(comp c1 c2)(l’’,s’’) sem_code(l,s)(comp c1 c2)(l’’,s’’) ▶ l∈dom c2 sem_code(l,s)c2(l’,s’) c_comp_right sem_code(l’,s’)(comp c1 c2)(l’’,s’’) sem_code(l,s)(comp c1 c2)(l’’,s’’) l∉dom c c_end sem_code (l,s)c(l,s) Definition sem_insn (s:s)(i:Instr):s. Definition sem_cond (s:s)(c:Cond):bool. Definition dom (c:Code):list nat. 13 /18
    • 14. mul2 ▶ Definition mul2(l r1 r2 r3:nat):Code:= (* r1 = base, a b c d × a b c d r2 = offset + length, ad bd cd dd r3 = length *) ac bc cc dc (comp(instr l clc) ab bb cb db (comp(instr(1+l)(rcl_a (addr -1 r1 r2)) aa ba ca da (comp(instr(2+l)(dec_r r2)) (comp(instr(3+l)(dec_r r3)) abcd^2=triangle*2+diagonal (cgoto(4+1)(not zero) (1+l)))))). bbs_step abcd M=abcd^2 mod M Definition triangle ... := . ▶ Definition add_diagonal ... := . Definition square ... := ▶ (comp (triangle l ...) (comp (mul2 (l+n) ...) ▶ (add_diagonal (l+n+m) ...))). ▶ Definition div_mod ... := . ▶ Definiton bbs_step ... := (comp (square l ...) ▶ (div_mod (l+k) ...)). ▶ 14 /18
    • 15. mul2 ▶ mul2 ▶ ▶ ▶ 0 ▶ Definition mul2(l r1 r2 r3:nat):Code:= (* r1 = base, r2 = offset + length, ... ... ... r3 = length *) (comp (instr l clc) drop r3 r1 r2 (comp (instr(1+l)(rcl_a (addr -1 r1 r2)) (comp (instr(2+l)(dec_r r2)) (comp (instr(3+l)(dec_r r3)) (cgoto(4+1)(not zero) (1+l)))))). Lemma mul2_correct_r2 : forall l r1 r2 r3 s s’, r2 <> r3 -> sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. 15 /18
    • 16. mul2 ▶ mul2_correct_r2 mul2 Definition mul2(l r1 r2 r3:nat):Code:= ▶ (comp (instr l clc) (mul2_loop (1+l) r1 r2 r3)). Lemma mul2_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3-> sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. Proof. ... mul2_loop_correct_r2 ... Qed. Definition mul2_loop(l r1 r2 r3:nat):Code:= (comp (mul2_body l r1 r2 r3) (cgoto (3+1)(not zero) l)). Lemma mul2_loop_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3-> sem_code (l,s) (mul2_loop l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. Proof. ... mul2_body_correct_r2 ... Qed. DefinitiDefinition mul2_body(l r1 r2 r3:nat):Code:= (comp (instr l (rcl_a (addr -1 r1 r2)) (comp (instr(1+l)(dec_r r2)) (instr(2+l)(dec_r r3)))). Lemma mul2_body_correct_r2:forall l r1 r2 r3 s s’, r2<>r3 -> sem_code (l,s) (mul2_body l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - 1. Proof. ... Qed. 16 /18
    • 17. ▶ ▶ comp Lemma comp_idem:forall s c s’, sem_code s (comp c c) s'->sem_code s c s'. ▶ Lemma comp_sym:forall s c1 c2 s’, sem_code s (comp c1 c2) s' -> sem_code s (comp c2 c1) s'. ▶ Lemma comp_assoc:forall c0 c1 c2 l l' s s', WellFormed (comp c0 (comp c1 c2)) -> sem_code (l, s) (comp (comp c0 c1) c2) (l', s') <-> sem_code (l, s) (comp c0 (comp c1 c2)) (l', s') ). ▶ ▶ ▶ IntN : positive -> Type ▶ Z mod N 17 /18
    • 18. ▶ ▶ ▶ 18 /18
    • 19. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 19 /18