DOI: 10.1145/2508859.2516652

Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations

Published: 04 November 2013

Abstract

We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries providing complex arithmetic calculations or instantiating idealized components such as sampling operations. This certified compiler allows us to carry to executable code the security guarantees established at the high-level, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in source code.
We demonstrate the applicability of the framework by applying it to the RSA-OAEP encryption scheme, as standardized in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary to break the security of assembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it bridges the gap between computer-assisted security proofs and real-world cryptographic implementations as described by standards such as PKCS, and demonstrates the use of the CompCert certified compiler in the context of cryptographic software development.

Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tag

  1. formal methods

Qualifiers

  • Research-article

Conference

CCS'13
Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • SpecMon: Modular Black-Box Runtime Monitoring of Security Protocols. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 2741–2755, 2 December 2024. doi:10.1145/3658644.3690197
  • A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1162–1178, May 2021. doi:10.1109/SP40001.2021.00039
  • SoK: Computer-Aided Cryptography. 2021 IEEE Symposium on Security and Privacy (SP), pp. 777–795, May 2021. doi:10.1109/SP40001.2021.00008
  • Machine-Checking Unforgeability Proofs for Signature Schemes with Tight Reductions to the Computational Diffie-Hellman Problem. 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–15, June 2021. doi:10.1109/CSF51468.2021.00014
  • On Compositional Information Flow Aware Refinement. 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–16, June 2021. doi:10.1109/CSF51468.2021.00010
  • System-Level Non-interference of Constant-Time Cryptography. Part II: Verified Static Analysis and Stealth Memory. Journal of Automated Reasoning, 17 February 2020. doi:10.1007/s10817-020-09548-x
  • Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification. Progress in Cryptology – INDOCRYPT 2020, pp. 107–127, 8 December 2020. doi:10.1007/978-3-030-65277-7_6
  • Machine-Checked Proofs for Cryptographic Standards. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1607–1622, 6 November 2019. doi:10.1145/3319535.3363211
  • Subversion in Practice: How to Efficiently Undermine Signatures. IEEE Access, vol. 7, pp. 68799–68811, 2019. doi:10.1109/ACCESS.2019.2918550
  • An Algorithmic Approach to Formally Verify an ECC Library. ACM Transactions on Design Automation of Electronic Systems, vol. 23, no. 5, pp. 1–26, 25 August 2018. doi:10.1145/3224205
