Coq庵での発表資料

1. 1 /18

2. ▶
▶
▶
2 /18

3. ▶
▶
▶
▶
▶
▶
▶
▶
3 /18

4. ▶
•
•
4 /18

5. ▶
▶
, , ...
5 /18

6. ▶
▶
▶
▶
BBS
▶ x0 ← seed; M ← modulus
xi+1 = xi2 mod M; bi = lsb(xi)
▶
6 /18

7. ▶
▶
▶
seed, modulus
BBS 0 1 1 0 1 0 ···
×
guess next
?
1 Pr[guess = next] ≒ 0.5
output
or
2 ?
k Pr[output = ] ≒ 0.5
, Pr
7 /18

8. ▶ BBS Coq
seed, modulus
BBS BBS (x86_64)
seed = 4, modulus=11×19 0: addq %r9, %r9
1: movq %r9, 16(%rsp)
16 = 0001000 0 2: movq -56(%rsp), %rax
xi+1 = xi2 mod M
3: salq $4, %rax
47 = 0010111 1 4: movq %rax, 8(%rsp)
5: movq $0, -16(%rsp)
119 = 0111011 1 6: movq -56(%rsp), %rdx
158 = 1001111 0 7: incq %rdx
...
93 = 0101110 1 383: cmpq %rcx, %r10
01
384: jne 0b
80 = 0101000 0
10
385: movq %rdx, -8(%r8, %rcx, 8)
10
: : 386: jmp L26
··
·
?
=
▶ BBS : ∀seed modulus,
bbs_fun seed modules = decode (Exec[[bbs_prg]] (encode l seed modulus))
8 /18

9. ▶
▶
▶
▶
▶
▶
▶
▶
▶
▶
▶
▶
9 /18

10. Parameter code : Code.
▶ code
Fixpoint bbs(l:nat)(x M:Z):list bool:=
match l with
| O => nil
▶ bbs
| S l’ => let x’ := x*x mod M in
lsb x’ :: bbs l’ x’
end. ▶ sem_code
Parameter sem_code : ▶ encode
State -> Code -> State. State
Parameter encode :
nat -> Z -> Z -> State.
Parameter decode : ▶ decode
State -> list bool.
Theorem correct :
▶ correct
forall len seed M final_state,
sem_code (encode len seed M) code
final_state ->
decode final_state = bbs len seed.
10 /18

11. Record Store : Set := { ▶ Store
get_cf : bool;
get_zf : bool;
get_regs : list Int64;
get_memory : list Int64
}.
▶
(* register definitions *)
Definition RAX := 0%nat.
Definition RCX := 2%nat.
Definition RDX := 3%nat.
Definition RSI := 4%nat. ▶ Int64
Definition RDI := 5%nat.
(* ... *) ▶ State
Definition State := (nat * Store)%type.
▶ Store
11 /18

12. Inductive Cond : Set :=
| carry : Cond ▶ Cond
| zero : Cond
| not : Cond -> Cond.
▶ Instr
Inductive Instr : Set :=
| clc : Instr
| rcl_a : Addr -> Instr
| dec_r : nat -> Instr
▶ BCode
... .
Inductive BCode : Set := ▶
| instr : nat -> Instr -> BCode
| goto : nat -> nat -> BCode
| cgoto : nat -> Cond -> nat -> ▶ Code
BCode.
Inductive Code : Set :=
| empty : Code ▶ comp
| bcode :> BCode -> Code
| comp : Code -> Code -> Code.
12 /18

13. c_instr
sem_code(l,s)(instr l i)(S l, sem_insn s i)
▶
l<>l’ c_goto
sem_code(l,s)(goto l l’)(l’,s)
sem_cond s cond = true l<>l’ c_cgoto_true
sem_code(l,s)(cgoto l cond l’)(l’,s)
sem_cond s cond = false c_cgoto_false ▶
sem_code(l,s)(cgoto l cond l’)(S l, s)
l∈dom c1 sem_code(l,s)c1(l’,s’) c_comp_left
sem_code(l’,s’)(comp c1 c2)(l’’,s’’)
sem_code(l,s)(comp c1 c2)(l’’,s’’)
▶
l∈dom c2 sem_code(l,s)c2(l’,s’) c_comp_right
sem_code(l’,s’)(comp c1 c2)(l’’,s’’)
sem_code(l,s)(comp c1 c2)(l’’,s’’)
l∉dom c
c_end
sem_code (l,s)c(l,s)
Definition sem_insn (s:s)(i:Instr):s.
Definition sem_cond (s:s)(c:Cond):bool.
Definition dom (c:Code):list nat.
13 /18

14. mul2
▶
Definition mul2(l r1 r2 r3:nat):Code:=
(* r1 = base, a b c d
× a b c d
r2 = offset + length,
ad bd cd dd
r3 = length *)
ac bc cc dc
(comp(instr l clc) ab bb cb db
(comp(instr(1+l)(rcl_a (addr -1 r1 r2)) aa ba ca da
(comp(instr(2+l)(dec_r r2))
(comp(instr(3+l)(dec_r r3)) abcd^2=triangle*2+diagonal
(cgoto(4+1)(not zero) (1+l)))))). bbs_step abcd M=abcd^2 mod M
Definition triangle ... := . ▶
Definition add_diagonal ... := .
Definition square ... := ▶
(comp (triangle l ...)
(comp (mul2 (l+n) ...) ▶
(add_diagonal (l+n+m) ...))).
▶
Definition div_mod ... := .
▶
Definiton bbs_step ... :=
(comp (square l ...) ▶
(div_mod (l+k) ...)).
▶
14 /18

15. mul2
▶ mul2
▶
▶
▶
0
▶ Definition mul2(l r1 r2 r3:nat):Code:=
(* r1 = base,
r2 = offset + length, ... ... ...
r3 = length *)
(comp (instr l clc) drop r3
r1 r2
(comp (instr(1+l)(rcl_a (addr -1 r1 r2))
(comp (instr(2+l)(dec_r r2))
(comp (instr(3+l)(dec_r r3))
(cgoto(4+1)(not zero) (1+l)))))).
Lemma mul2_correct_r2 :
forall l r1 r2 r3 s s’,
r2 <> r3 ->
sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) ->
get_reg s’ r2 = get_reg s r2 - get_reg s r3.
15 /18

16. mul2
▶ mul2_correct_r2 mul2
Definition mul2(l r1 r2 r3:nat):Code:=
▶ (comp (instr l clc) (mul2_loop (1+l) r1 r2 r3)).
Lemma mul2_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3->
sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) ->
get_reg s’ r2 = get_reg s r2 - get_reg s r3.
Proof. ... mul2_loop_correct_r2 ... Qed.
Definition mul2_loop(l r1 r2 r3:nat):Code:=
(comp (mul2_body l r1 r2 r3) (cgoto (3+1)(not zero) l)).
Lemma mul2_loop_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3->
sem_code (l,s) (mul2_loop l r1 r2 r3) (5+l,s’) ->
get_reg s’ r2 = get_reg s r2 - get_reg s r3.
Proof. ... mul2_body_correct_r2 ... Qed.
DefinitiDefinition mul2_body(l r1 r2 r3:nat):Code:=
(comp (instr l (rcl_a (addr -1 r1 r2))
(comp (instr(1+l)(dec_r r2))
(instr(2+l)(dec_r r3)))).
Lemma mul2_body_correct_r2:forall l r1 r2 r3 s s’, r2<>r3 ->
sem_code (l,s) (mul2_body l r1 r2 r3) (5+l,s’) ->
get_reg s’ r2 = get_reg s r2 - 1.
Proof. ... Qed. 16 /18

17. ▶
▶ comp
Lemma comp_idem:forall s c s’, sem_code s (comp c c) s'->sem_code s c s'.
▶
Lemma comp_sym:forall s c1 c2 s’,
sem_code s (comp c1 c2) s' -> sem_code s (comp c2 c1) s'.
▶
Lemma comp_assoc:forall c0 c1 c2 l l' s s',
WellFormed (comp c0 (comp c1 c2)) ->
sem_code (l, s) (comp (comp c0 c1) c2) (l', s') <->
sem_code (l, s) (comp c0 (comp c1 c2)) (l', s') ).
▶
▶
▶ IntN : positive -> Type
▶ Z mod N
17 /18

18. ▶
▶
▶
18 /18

19. ▶
▶
▶
▶
▶
▶
▶
▶
▶
▶
19 /18