This document discusses machine assisted verification tools for cryptography. It describes the Computer Aided Cryptography Engineering project which aims to develop tools for cryptographic software engineering. The author's group is responsible for the formal verification and validation work package. This involves adapting techniques like formal verification to cryptographic software using languages like CAO and CALF. CAO is a domain specific language for cryptography while CALF provides more powerful abstraction. The document outlines the deductive verification approach used on CAO programs as well as work on a compiler from CALF to CAO.

1. Machine Assisted Verification Tools for
Cryptography
Paulo Silva1
Manuel Barbosa1
1 Departamento de Informática
Computer Science and Technology Centre (CCTC/DI)
Universidade do Minho
Portugal
October 13, 2010

2. Computer Aided Cryptography Engineering (CACE)
European FP7 Project
(http://www.cace-project.eu)
Overal objectives:
Design, develop and deploy a toolbox for cryptographic
software engineering
Allow non-experts to develop high-level cryptographic
applications using cryptography-aware programming
languages and tools
Our group is responsible for the Work Package 5 (WP5):
Formal Verification and Validation of Cryptographic
Software

3. Formal Verification and Validation (WP5)
Adapt validation, verification and certification of secure
software techniques to the CACE project
Extend languages and tools to include machine assisted
verification of correctness and conformance to security
policies
Implement a certified shared library core

4. CAO Language

5. CAO Language
Small and simple domain specific language
Geared toward the automatic production of highly efficient
target code subject to security-aware optimizations
Close to cryptographic standards
Type system supports cryptographic types such as bit
strings, matrices and field extensions
We have a complete formalization of CAO’s:
Syntax
Semantics
Type system
We have implemented a fully functional CAO interpreter

6. CAO Language Example (AES fragment)
typedef GF2 := mod[ 2 ];
typedef GF2N :=
mod[ GF2<X> / X**8 + X**4 + X**3 + X + 1 ];
typedef S
:= matrix[4,4] of GF2N;
def mix : matrix[4,4] of GF2N
{[X],[X+1],[1],[1],
[1],[X],[X+1],[1],
[1],[1],[X],[X+1],
[X+1],[1],[1],[X]};
:=
def MixColumns( s : S ) : S {
def r : S;
seq i := 0 to 3 {
r[0..3,i] := mix * s[0..3,i]; }
return r; }

7. Deductive Verification

8. Deductive Verification
Tools based on variations of Hoare logic
Axioms and inference rules capture the semantics of
imperative languages
Programs are bound to contracts: a pre- and a
post-condition
If pre-condition is met at the inputs, program guarantees
post-conditions at the outputs

9. Deductive Verification
Annotation Language (CAO-SL) Properties that must be
proven (specification) and extra information to
facilitate verification are included in source code
as annotations.
Verification condition generator (VCGen) The annotated
program is used to generate a set of proof
obligations. The validity of these proof obligations
will imply that the software is indeed correct with
respect to the specification.
Proof generation Proof obligations are theorems of first-order
logic that must be proven, using a first-order
automatic proof tool (e.g. Simplify) or a proof
assistant (e.g. Coq) to construct the proof.

10. CALF Language

11. CALF Language
Higher-level than CAO
More powerful abstraction to write generic code
A suitable candidate for direct translation and
implementation of cryptographic standards
Static verification and pre-processing tool for enhanced
CAO source code.

12. CALF to CAO compiler
High-assurance compiler that translates CALF to CAO
code
Advanced type system based on dependent types to
ensure that certain properties are met
More manageable than deductive verification
May be used to reduce the number of proof obligations
Example: ensures that the access to a vector position is
within bounds (memory safe)

13. CALF Language Example (RSA fragment)
typedef RSAPub<(n : int)> :=
struct [ def e : int; ];
def RSA<(n : int)>(k : RSAPub<(n)>, m : int ) : int
{
def c : mod[n];
c := (mod[n]) m;
c := c ** k.e;
return (int) c;
}

14. Ongoing Work
Proofs about CAO formalization, namely, type safety
Data type classifiers
Verification of cryptographic libraries (NaCl)
Compiler from CAO to C