CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives

Authors:

Joel Kuepper (1), Andres Erbsen (2), Jason Gross (2), Owen Conoly (2), Chuyue Sun (3), Samuel Tian (2), David Wu (1), Adam Chlipala (2), Chitchanok Chuengsatiansup (4), Daniel Genkin (5), Markus Wagner (6), Yuval Yarom (7)

Affiliations:

1. University of Adelaide, Australia

2. Massachusetts Institute of Technology, USA

3. Stanford University, USA

4. University of Melbourne, Australia

5. Georgia Institute of Technology, USA

6. Monash University, Australia

7. Ruhr University Bochum, Germany

Abstract

Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1 for the Intel 12th and 13th generations.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality; Software

References: 81 articles.

