1 /18
▶

▶

▶




    2 /18
▶

    ▶

    ▶

    ▶

        ▶

        ▶

▶

▶
            3 /18
▶




    •
    •




        4 /18
▶

    ▶




        ,   , ...




                5 /18
▶

    ▶

        ▶

        ▶



                BBS
    ▶       x0 ← seed; M ← modulus
            xi+1 = xi2 mod M; bi ...
▶

    ▶

    ▶


         seed, modulus

        BBS              0 1 1 0 1               0 ···
                         ...
▶   BBS                      Coq
                                   seed, modulus

        BBS                            ...
▶

▶

    ▶

        ▶

        ▶

        ▶

        ▶

        ▶

    ▶

        ▶

        ▶

▶

            9 /18
Parameter code : Code.
                                         ▶   code
Fixpoint bbs(l:nat)(x M:Z):list bool:=
  match l ...
Record Store    :   Set := {              ▶   Store
   get_cf       :   bool;
   get_zf       :   bool;
   get_regs     : ...
Inductive   Cond : Set :=
| carry :   Cond                    ▶   Cond
| zero :    Cond
| not   :   Cond -> Cond.
        ...
c_instr
sem_code(l,s)(instr l i)(S l, sem_insn s i)
                                                ▶
l<>l’               ...
mul2
                                          ▶
Definition mul2(l r1 r2 r3:nat):Code:=
  (* r1 = base,                   ...
mul2
▶   mul2

    ▶

    ▶

    ▶
                                                                                       ...
mul2
▶   mul2_correct_r2                                   mul2


           Definition mul2(l r1 r2 r3:nat):Code:=
      ...
▶

    ▶   comp


        Lemma comp_idem:forall s c s’, sem_code s (comp c c) s'->sem_code s c s'.
        ▶

           ...
▶

▶

▶




    18 /18
▶

    ▶

▶

    ▶

        ▶

▶

    ▶



        ▶

    ▶

    ▶

            19 /18
Upcoming SlideShare
Loading in …5
×

Coqによる暗号アルゴリズムの実装の安全性検証

4,099 views

Published on

Coq庵での発表資料

Published in: Education
  • Be the first to comment

Coqによる暗号アルゴリズムの実装の安全性検証

  1. 1. 1 /18
  2. 2. ▶ ▶ ▶ 2 /18
  3. 3. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 3 /18
  4. 4. ▶ • • 4 /18
  5. 5. ▶ ▶ , , ... 5 /18
  6. 6. ▶ ▶ ▶ ▶ BBS ▶ x0 ← seed; M ← modulus xi+1 = xi2 mod M; bi = lsb(xi) ▶ 6 /18
  7. 7. ▶ ▶ ▶ seed, modulus BBS 0 1 1 0 1 0 ··· × guess next ? 1 Pr[guess = next] ≒ 0.5 output or 2 ? k Pr[output = ] ≒ 0.5 , Pr 7 /18
  8. 8. ▶ BBS Coq seed, modulus BBS BBS (x86_64) seed = 4, modulus=11×19 0: addq %r9, %r9 1: movq %r9, 16(%rsp) 16 = 0001000 0 2: movq -56(%rsp), %rax xi+1 = xi2 mod M 3: salq $4, %rax 47 = 0010111 1 4: movq %rax, 8(%rsp) 5: movq $0, -16(%rsp) 119 = 0111011 1 6: movq -56(%rsp), %rdx 158 = 1001111 0 7: incq %rdx ... 93 = 0101110 1 383: cmpq %rcx, %r10 01 384: jne 0b 80 = 0101000 0 10 385: movq %rdx, -8(%r8, %rcx, 8) 10 : : 386: jmp L26 ·· · ? = ▶ BBS : ∀seed modulus, bbs_fun seed modules = decode (Exec[[bbs_prg]] (encode l seed modulus)) 8 /18
  9. 9. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 9 /18
  10. 10. Parameter code : Code. ▶ code Fixpoint bbs(l:nat)(x M:Z):list bool:= match l with | O => nil ▶ bbs | S l’ => let x’ := x*x mod M in lsb x’ :: bbs l’ x’ end. ▶ sem_code Parameter sem_code : ▶ encode State -> Code -> State. State Parameter encode : nat -> Z -> Z -> State. Parameter decode : ▶ decode State -> list bool. Theorem correct : ▶ correct forall len seed M final_state, sem_code (encode len seed M) code final_state -> decode final_state = bbs len seed. 10 /18
  11. 11. Record Store : Set := { ▶ Store get_cf : bool; get_zf : bool; get_regs : list Int64; get_memory : list Int64 }. ▶ (* register definitions *) Definition RAX := 0%nat. Definition RCX := 2%nat. Definition RDX := 3%nat. Definition RSI := 4%nat. ▶ Int64 Definition RDI := 5%nat. (* ... *) ▶ State Definition State := (nat * Store)%type. ▶ Store 11 /18
  12. 12. Inductive Cond : Set := | carry : Cond ▶ Cond | zero : Cond | not : Cond -> Cond. ▶ Instr Inductive Instr : Set := | clc : Instr | rcl_a : Addr -> Instr | dec_r : nat -> Instr ▶ BCode ... . Inductive BCode : Set := ▶ | instr : nat -> Instr -> BCode | goto : nat -> nat -> BCode | cgoto : nat -> Cond -> nat -> ▶ Code BCode. Inductive Code : Set := | empty : Code ▶ comp | bcode :> BCode -> Code | comp : Code -> Code -> Code. 12 /18
  13. 13. c_instr sem_code(l,s)(instr l i)(S l, sem_insn s i) ▶ l<>l’ c_goto sem_code(l,s)(goto l l’)(l’,s) sem_cond s cond = true l<>l’ c_cgoto_true sem_code(l,s)(cgoto l cond l’)(l’,s) sem_cond s cond = false c_cgoto_false ▶ sem_code(l,s)(cgoto l cond l’)(S l, s) l∈dom c1 sem_code(l,s)c1(l’,s’) c_comp_left sem_code(l’,s’)(comp c1 c2)(l’’,s’’) sem_code(l,s)(comp c1 c2)(l’’,s’’) ▶ l∈dom c2 sem_code(l,s)c2(l’,s’) c_comp_right sem_code(l’,s’)(comp c1 c2)(l’’,s’’) sem_code(l,s)(comp c1 c2)(l’’,s’’) l∉dom c c_end sem_code (l,s)c(l,s) Definition sem_insn (s:s)(i:Instr):s. Definition sem_cond (s:s)(c:Cond):bool. Definition dom (c:Code):list nat. 13 /18
  14. 14. mul2 ▶ Definition mul2(l r1 r2 r3:nat):Code:= (* r1 = base, a b c d × a b c d r2 = offset + length, ad bd cd dd r3 = length *) ac bc cc dc (comp(instr l clc) ab bb cb db (comp(instr(1+l)(rcl_a (addr -1 r1 r2)) aa ba ca da (comp(instr(2+l)(dec_r r2)) (comp(instr(3+l)(dec_r r3)) abcd^2=triangle*2+diagonal (cgoto(4+1)(not zero) (1+l)))))). bbs_step abcd M=abcd^2 mod M Definition triangle ... := . ▶ Definition add_diagonal ... := . Definition square ... := ▶ (comp (triangle l ...) (comp (mul2 (l+n) ...) ▶ (add_diagonal (l+n+m) ...))). ▶ Definition div_mod ... := . ▶ Definiton bbs_step ... := (comp (square l ...) ▶ (div_mod (l+k) ...)). ▶ 14 /18
  15. 15. mul2 ▶ mul2 ▶ ▶ ▶ 0 ▶ Definition mul2(l r1 r2 r3:nat):Code:= (* r1 = base, r2 = offset + length, ... ... ... r3 = length *) (comp (instr l clc) drop r3 r1 r2 (comp (instr(1+l)(rcl_a (addr -1 r1 r2)) (comp (instr(2+l)(dec_r r2)) (comp (instr(3+l)(dec_r r3)) (cgoto(4+1)(not zero) (1+l)))))). Lemma mul2_correct_r2 : forall l r1 r2 r3 s s’, r2 <> r3 -> sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. 15 /18
  16. 16. mul2 ▶ mul2_correct_r2 mul2 Definition mul2(l r1 r2 r3:nat):Code:= ▶ (comp (instr l clc) (mul2_loop (1+l) r1 r2 r3)). Lemma mul2_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3-> sem_code (l,s) (mul2 l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. Proof. ... mul2_loop_correct_r2 ... Qed. Definition mul2_loop(l r1 r2 r3:nat):Code:= (comp (mul2_body l r1 r2 r3) (cgoto (3+1)(not zero) l)). Lemma mul2_loop_correct_r2 : forall l r1 r2 r3 s s’, r2<>r3-> sem_code (l,s) (mul2_loop l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - get_reg s r3. Proof. ... mul2_body_correct_r2 ... Qed. DefinitiDefinition mul2_body(l r1 r2 r3:nat):Code:= (comp (instr l (rcl_a (addr -1 r1 r2)) (comp (instr(1+l)(dec_r r2)) (instr(2+l)(dec_r r3)))). Lemma mul2_body_correct_r2:forall l r1 r2 r3 s s’, r2<>r3 -> sem_code (l,s) (mul2_body l r1 r2 r3) (5+l,s’) -> get_reg s’ r2 = get_reg s r2 - 1. Proof. ... Qed. 16 /18
  17. 17. ▶ ▶ comp Lemma comp_idem:forall s c s’, sem_code s (comp c c) s'->sem_code s c s'. ▶ Lemma comp_sym:forall s c1 c2 s’, sem_code s (comp c1 c2) s' -> sem_code s (comp c2 c1) s'. ▶ Lemma comp_assoc:forall c0 c1 c2 l l' s s', WellFormed (comp c0 (comp c1 c2)) -> sem_code (l, s) (comp (comp c0 c1) c2) (l', s') <-> sem_code (l, s) (comp c0 (comp c1 c2)) (l', s') ). ▶ ▶ ▶ IntN : positive -> Type ▶ Z mod N 17 /18
  18. 18. ▶ ▶ ▶ 18 /18
  19. 19. ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ ▶ 19 /18

×