research-article

Open access

HACL*: A Verified Modern Cryptographic Library

Authors:

Jean-Karim Zinzindohoué,

Karthikeyan Bhargavan,

Jonathan Protzenko,

Benjamin BeurdoucheAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 1789 - 1806

https://doi.org/10.1145/3133956.3134043

Published: 30 October 2017 Publication History

Abstract

HACL* is a verified portable C cryptographic library that implements modern cryptographic primitives such as the ChaCha20 and Salsa20 encryption algorithms, Poly1305 and HMAC message authentication, SHA-256 and SHA-512 hash functions, the Curve25519 elliptic curve, and Ed25519 signatures.

HACL* is written in the F* programming language and then compiled to readable C code. The F* source code for each cryptographic primitive is verified for memory safety, mitigations against timing side-channels, and functional correctness with respect to a succinct high-level specification of the primitive derived from its published standard. The translation from F* to C preserves these properties and the generated C code can itself be compiled via the CompCert verified C compiler or mainstream compilers like GCC or CLANG. When compiled with GCC on 64-bit platforms, our primitives are as fast as the fastest pure C implementations in OpenSSL and libsodium, significantly faster than the reference C code in TweetNaCl, and between 1.1x-5.7x slower than the fastest hand-optimized vectorized assembly code in SUPERCOP.

HACL* implements the NaCl cryptographic API and can be used as a drop-in replacement for NaCl libraries like libsodium and TweetNaCl. HACL* provides the cryptographic components for a new mandatory ciphersuite in TLS 1.3 and is being developed as the main cryptographic provider for the miTLS verified implementation. Primitives from HACL* are also being integrated within Mozilla's NSS cryptographic library. Our results show that writing fast, verified, and usable C cryptographic libraries is now practical.

Supplemental Material

MP4 File

Download
2394.20 MB

References

[1]

Danel Ahman, Cuatualin Hrictcu, Kenji Maillard, Guido Martínez, Gordon Plotkin, Jonathan Protzenko, Aseem Rastogi, and Nikhil Swamy. 2017. Dijkstra Monads for Free. In 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM, 515--529. https://doi.org/10.1145/3009837.3009878

Digital Library

[2]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, and Franccois Dupressoir. 2015. Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. IACR Cryptology ePrint Archive Vol. 2015 (2015), 1241. http://eprint.iacr.org/2015/1241

[3]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Franccois Dupressoir, and Michael Emmi 2016. Verifying Constant-Time Implementations. In USENIX Security Symposium. 53--70.

[4]

Andrew W Appel. 2015. Verification of a cryptographic primitive: SHA-256. ACM Transactions on Programming Languages and Systems (TOPLAS), Vol. 37, 2 (2015), 7.

Digital Library

[5]

Gilles Barthe, Gustavo Betarte, Juan Campo, Carlos Luna, and David Pichardie 2014. System-level non-interference for constant-time cryptography Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1267--1279.

[6]

Gilles Barthe, Benjamin Grégoire, Sylvain Heraud, and Santiago Zanella Béguelin. 2011. Computer-aided security proofs for the working cryptographer Annual Cryptology Conference. 71--90.

[7]

David Benjamin. 2016. poly1305-x86.pl produces incorrect output. https://mta.openssl.org/pipermail/openssl-dev/2016-March/006161. (2016).

[8]

Lennart Beringer, Adam Petcher, Katherine Q. Ye, and Andrew W. Appel 2015. Verified Correctness and Security of OpenSSL HMAC USENIX Security Symposium. 207--221.

[9]

Daniel J. Bernstein. 2005. The Poly1305-AES Message-Authentication Code. In Fast Software Encryption (FSE). 32--49.

[10]

Daniel J Bernstein. 2006. Curve25519: new Diffie-Hellman speed records. Public Key Cryptography-PKC 2006. Springer, 207--228.

[11]

Daniel J Bernstein. 2008. ChaCha, a variant of Salsa20.

[12]

Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. Journal of Cryptographic Engineering (????), 1--13.

[13]

Daniel J Bernstein, Tanja Lange, and Peter Schwabe. 2012. The security impact of a new cryptographic library International Conference on Cryptology and Information Security in Latin America (LATINCRYPT). Springer, 159--176.

[14]

Daniel J Bernstein and Peter Schwabe 2012. NEON crypto International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 320--339.

[15]

Daniel J Bernstein, Bernard Van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, and Sjaak Smetsers 2014. TweetNaCl: A crypto library in 100 tweets. In International Conference on Cryptology and Information Security in Latin America (LATINCRYPT). Springer, 64--83.

[16]

Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Catalin Hritcu, Jonathan Protzenko, Tahina Ramananandro, Aseem Rastogi, Nikhil Swamy, Peng Wang, Santiago Zanella-Béguelin, and Jean-Karim Zinzindohoué. 2017. Verified Low-Level Programming Embedded in F*. ACM SIGPLAN International Conference on Functional Programming (ICFP).

[17]

Karthikeyan Bhargavan, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, and Pierre-Yves Strub 2013. Implementing TLS with Verified Cryptographic Security IEEE Symposium on Security & Privacy (Oakland). 445--462.

[18]

Hanno Böck. 2016. Wrong results with Poly1305 functions. https://mta.openssl.org/pipermail/openssl-dev/2016-March/006413. (2016).

[19]

Barry Bond, Chris Hawblitzel, Manos Kapritsos, K. Rustan M. Leino, Jacob R. Lorch, Bryan Parno, Ashay Rane, Srinath Setty, and Laure Thompson 2017. Vale: Verifying High-Performance Cryptographic Assembly Code Proceedings of the USENIX Security Symposium.

[20]

Billy B Brumley, Manuel Barbosa, Dan Page, and Frederik Vercauteren 2012. Practical realisation and elimination of an ECC-related software bug attack. Topics in Cryptology--CT-RSA 2012. Springer, 171--186.

[21]

Yu-Fang Chen, Chang-Hong Hsu, Hsin-Hung Lin, Peter Schwabe, Ming-Hsien Tsai, Bow-Yaw Wang, Bo-Yin Yang, and Shang-Yi Yang. 2014. Verifying Curve25519 Software. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 299--309.

Digital Library

[22]

Quynh H Dang. 2008. The Keyed-Hash Message Authentication Code (HMAC). NIST FIPS-198--1. (2008).

[23]

A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, J. Protzenko, A. Rastogi, N. Swamy, S. Zanella-Beguelin, K. Bhargavan, J. Pan, and J. K. Zinzindohoue 2017. Implementing and Proving the TLS 1.3 Record Layer IEEE Symposium on Security and Privacy (Oakland). 463--482.

[24]

Martin Goll and Shay Gueron 2014. Vectorization on ChaCha stream cipher. In Information Technology: New Generations (ITNG). 612--615.

[25]

Chris Hawblitzel, Jon Howell, Jacob R Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill 2014. Ironclad apps: End-to-end security via automated full-system verification 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). 165--181.

[26]

Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, et almbox. 2009. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. ACM, 207--220.

Digital Library

[27]

Xavier Leroy. 2009. Formal verification of a realistic compiler. Commun. ACM Vol. 52, 7 (2009), 107--115.

Digital Library

[28]

Erick Nascimento, Łukasz Chmielewski, David Oswald, and Peter Schwabe 2016. Attacking embedded ECC implementations through cmov side channels Selected Areas in Cryptology -- SAC 2016 (Lecture Notes in Computer Science).

[29]

Pierre-Yves Strub, Nikhil Swamy, Cedric Fournet, and Juan Chen. 2012. Self-Certification: Bootstrapping Certified Typecheckers in F* with Coq ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 571--584.

[30]

Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoue, and Santiago Zanella-Béguelin. Dependent Types and Multi-Monadic Effects in F*. ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 256--270.

Digital Library

[31]

A. Tomb 2016. Automated Verification of Real-World Cryptographic Implementations. IEEE Security and Privacy Vol. 14, 6 (2016), 26--33.

Digital Library

[32]

National Institute of Standards US Department of Commerce and Technology (NIST). 2012. Federal Information Processing Standards Publication 180--4: Secure hash standard (SHS). (2012).

[33]

Jean Karim Zinzindohoue, Evmorfia-Iro Bartzia, and Karthikeyan Bhargavan 2016. A Verified Extensible Library of Elliptic Curves. IEEE Computer Security Foundations Symposium (CSF). 296--309. endthebibliography

Cited By

Zhou ZAnjali Chen WGong SHawblitzel CCui WGavrilovska ATerry D(2024)VERISMOProceedings of the 18th USENIX Conference on Operating Systems Design and Implementation10.5555/3691938.3691970(599-614)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.5555/3691938.3691970
Chiang YChang WLi STu J(2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698562
Xu SZhou QZhang ZJia XLiu DHuang HDu HSong Z(2024)ConMonitor: Lightweight Container Protection with Virtualization and VM FunctionsProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698520(755-773)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698520
Show More Cited By

Index Terms

Recommendations

HACLxN: Verified Generic SIMD Crypto (for all your favourite platforms)
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

We present a new methodology for building formally verified cryptographic libraries that are optimized for multiple architectures. In particular, we show how to write and verify generic crypto code in the F* programming language that exploits single-...
A Formally Verified Compiler Back-end

This article describes the development and formal verification (proof of semantic preservation) of a compiler back-end from Cminor (a simple imperative intermediate language) to PowerPC assembly code, using the Coq proof assistant both for programming ...
Fully-abstract compilation by approximate back-translation
POPL '16

A compiler is fully-abstract if the compilation from source language programs to target language programs reflects and preserves behavioural equivalence. Such compilers have important security benefits, as they limit the power of an attacker ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Copyright © 2017 Owner/Author.

This work is licensed under a Creative Commons Attribution-NoDerivatives International 4.0 License.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

ERC

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

135
Total Citations
View Citations
1,531
Total Downloads

Downloads (Last 12 months)355
Downloads (Last 6 weeks)72

Reflects downloads up to 05 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhou ZAnjali Chen WGong SHawblitzel CCui WGavrilovska ATerry D(2024)VERISMOProceedings of the 18th USENIX Conference on Operating Systems Design and Implementation10.5555/3691938.3691970(599-614)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.5555/3691938.3691970
Chiang YChang WLi STu J(2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698562
Xu SZhou QZhang ZJia XLiu DHuang HDu HSong Z(2024)ConMonitor: Lightweight Container Protection with Virtualization and VM FunctionsProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698520(755-773)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698520
Cebeci CZou YZhou DCandea GPit-Claudel CWitchel EArpaci-Dusseau ARossbach CKeeton K(2024)Practical Verification of System-Software Components Written in Standard CProceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles10.1145/3694715.3695980(455-472)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3694715.3695980
Athalye ACorrigan-Gibbs HKaashoek FTassarotti JZeldovich NWitchel EArpaci-Dusseau ARossbach CKeeton K(2024)Modular Verification of Secure and Leakage-Free Systems: From Application Specification to Circuit-Level ImplementationProceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles10.1145/3694715.3695956(655-672)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3694715.3695956
Grisafi MAmmar MRoveri MCrispo B(2024)FLAShadow: A Flash-based Shadow Stack for Low-end Embedded SystemsACM Transactions on Internet of Things10.1145/36704135:3(1-29)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3670413
Erbsen APhilipoom JJamner DLin AGruetter SPit-Claudel CChlipala A(2024)Foundational Integration Verification of a Cryptographic ServerProceedings of the ACM on Programming Languages10.1145/36564468:PLDI(1704-1729)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656446
Haselwarter PHvass BHansen LWinterhalter THriţcu CSpitters BTimany ATraytel DPientka BBlazy S(2024)The Last Yard: Foundational End-to-End Verification of High-Speed CryptographyProceedings of the 13th ACM SIGPLAN International Conference on Certified Programs and Proofs10.1145/3636501.3636961(30-44)Online publication date: 9-Jan-2024
https://dl.acm.org/doi/10.1145/3636501.3636961
Röckl JBernsdorf NMüller TQuek TGao DZhou JCardenas A(2024)TeeFilter: High-Assurance Network Filtering Engine for High-End IoT and Edge Devices based on TEEsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637643(1568-1583)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637643
Andrici CCiobâcă ȘHriţcu CMartínez GRivas ETanter ÉWinterhalter T(2024)Securing Verified IO Programs Against Unverified Code in F*Proceedings of the ACM on Programming Languages10.1145/36329168:POPL(2226-2259)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632916
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents