Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS Electronic Communications of the EASST Volume 23 (2009) Proceedings of the Ninth International Workshop on Automated Verification of Critical Systems (AVOCS 2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS Reynald Affeldt, David Nowak and Kiyoshi Yamada 15 pages Guest Editor: Markus Roggenbach Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS Reynald Affeldt, David Nowak and Kiyoshi Yamada Research Center for Information Security, AIST, Japan Abstract: With today’s dissemination of embedded systems manipulating sensi- tive data, it has become important to equip low-level programs with strong security guarantees. Unfortunately, security proofs as done by cryptographers are about algo- rithms, not about concrete implementations running on hardware. In this paper, we show how to perform security proofs to guarantee the security of assembly language implementations of cryptographic primitives. Our approach is based on a framework in the Coq proof assistant that integrates correctness proofs of assembly programs with game-playing proofs of provable security. We demonstrate the usability of our approach using the Blum-Blum-Shub (BBS) pseudorandom number generator, for which a MIPS implementation for smartcards is shown cryptographically secure. Keywords: Hoare logic, Assembly language, Coq, PRNG, Provable security 1 Introduction With today’s dissemination of embedded systems manipulating sensitive data, it has become important to equip low-level programs with strong security guarantees. However, despite the fact that most security claims implicitly assume correct implementation of cryptography, this assumption is never formally enforced in practice. The main problem of formal verification of embedded cryptographic software is that, in the current state of research, formal verification remains a major undertaking: (a) Most cryptographic primitives rely on number theory and their pervasive usage calls for efficient implementations. As a result, we face many advanced algorithms with low-level imple- mentations in assembly language. This already makes formal proof technically difficult. (b) Security guarantees about cryptographic primitives is the matter of cryptographic proofs, as practiced by cryptographers. In essence, these proofs aim at showing the security of crypto- graphic primitives by reduction to computational assumptions. Formal proofs of such reductions also involve probability theory or group theory. In addition, formal verification of embedded cryptographic software is even more challenging in that it requires a formal integration of (a) and (b). In fact, to the best of our knowledge, no such integration has ever been attempted so far. In this paper, we address the issue of formal verification of cryptographic assembly code with cryptographic proofs. As pointed out above, formal verification of cryptographic assembly code and formal verification of cryptographic proofs are not the same matter, even though both deals with cryptography. As an evidence of this mismatch, one can think of a cryptographic function such as encryption: its security proof typically relies on a high-level mathematical description, 1 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS but when laid down in terms of assembly code such a function exhibits restrictions due to the choice of implementation. We are therefore essentially concerned about the integration of these two kinds of formal proofs. We do not question here the theoretical feasibility of such an integra- tion; rather, we investigate its practical aspects. Indeed, various frameworks for formal verifica- tion of cryptography using proof assistants based on proof theory already exist ([AM06, MG07] for cryptographic assembly code, [ATM07, BBU08, BGZ09, Now07] for cryptographic proofs), but it is not clear how to connect them in practice. Whatever connection is to be provided, it has to be developed in a clear way, both understandable by cryptographers and implementers, and in a reusable fashion, so that new verification efforts can build upon previous ones. Our main contribution is to propose a concrete approach, supported by a reusable formal framework on top of the Coq proof assistant, for verification of assembly code together with cryptographic proofs. As a concrete evidence of usability, we formally verify a pseudoran- dom number generator written in assembly for smartcards with a proof of unpredictability. This choice of application is not gratuitous: this is the first step before verifying more cryptographic primitives, since many of them actually rely on pseudorandom number generation. To achieve our goal, we integrate two existing frameworks: one for formal verification of assembly code, and another for formal verification of cryptographic primitives. More precisely, our technical contributions consist in the following: • We propose an integration in terms of game-playing [Sho04], a popular setting to represent cryptographic proofs. We introduce a new kind of game transformation to serve as a bridge between assembly code and algorithms as dealt with by cryptographers. This allows for a clear integration, that paves the way for a modular framework, understandable by both cryptographers and implementers. • We extend the formal framework for assembly code of [AM06] to connect with the formal framework for cryptographic proofs of [Now07]. Various technical extensions are called for, that range from the natural issue of encoding mathematical objects such as arbitrarily-large integers into computer memory, to technical issues such as composition of assembly snippets to achieve verification of large programs. All in all, it turns out that it is utterly important to provide efficient ways to deal with low-level details induced by programs being written in assembly. Here, we explain in particular how we deal with arbitrary jumps in assembly. Concretely, we provide a formalization of the proof-carrying code framework of [SU07], that allows us to verify assembly with jumps through standard Hoare logics proofs. • We provide the first assembly program for a pseudorandom number generator that is formally verified with a cryptographic proof. The generator in question is the Blum-Blum-Shub pseudo- random number generator [BBS86] that we implement in the SmartMIPS smartcard assembly. Alternative Approaches and Related Work Our approach is oriented towards practical appli- cation, and this goal includes formal verification of hand-written assembly. For this purpose, extension of [AM06] is appropriate because it already provides much material for reasonably short proof scripts. One may think of alternative approaches to verify cryptographic assembly code, such as proof-producing compilation or refinement from a functional specification. How- ever, a proof-producing compiler (such as the one of [MSG09]) would need to be extended with custom support for cryptography-specific instructions in order to produce efficient code. Regard- ing the approach by refinement from a functional specification, the application to cryptographic Proc. AVOCS 2009 2 / 15 ECEASST assembly code in [MG07] does not seem to lead to shorter proof scripts and compact assembly code. Addressing these issues would still be not enough for our overall goal, for HOL (the proof assistant used in [MSG09] and [MG07]) lacking a framework for formal cryptographic proofs. The two existing frameworks ([AM06] and [Now07]) that we integrate in this paper turn out to be a good fit for they are both based on shallow encodings. On the one hand, shallow encoding is used in [AM06] to encode Hoare logic assertions, and on the other hand, it is used in [Now07] to represent games. Therefore, algorithms written as Coq functions can simply appear in Hoare logic assertions, making for an easy integration. In contrast, games in [BBU08, BGZ09] are represented as deep-encoded code. In addition, our use-case directly relies on properties of arith- metic (including an encoding of the quadratic residuosity problem) an originality of [Now08]. Outline In Sect. 2, we introduce the BBS algorithm and provide an assembly implementation. In Sect. 3, we explain how we integrate formally proofs of functional correctness for assembly code with game-based cryptographic proofs. In Sect. 4, we explain our formalization of the proof-carrying code framework of [SU07], that facilitates formal proof of functional correctness of assembly code. In Sect. 5, we explain the formal proof of functional correctness of BBS and the lemmas relevant to the integration with its cryptographic proof. In Sect. 6, we comment on technical aspects of the Coq formalization. We conclude and comment on future work in Sect. 7. 2 The BBS Pseudorandom Number Generator 2.1 The BBS Algorithm The Blum-Blum-Shub pseudorandom number generator [BBS86] (hereafter, BBS) exploits the quadratic residuosity problem. This problem is to decide whether integers have square roots in modular arithmetic. This is believed to be intractable for multiplicative group of integers mod- ulo m where m is the product of two distinct odd primes. BBS exploits the quadratic residuosity problem in the particular case of m being a Blum integer, i.e., the product of two distinct odd primes congruent to 3 modulo 4. Here follows an implementation of BBS as a Coq function. It performs iteratively squaring bbs(len ∈ N, seed ∈ Z∗m) =def bbs rec(len, seed2) bbs rec(len ∈ N, x ∈ QRm) =def match len with | 0 ⇒ [] | len′ + 1 ⇒ parity(x) :: bbs rec(len′, x2) end modulo and outputs the result of parity tests. The input is the desired number of pseudorandom bits (len) and a random seed (seed) for initialization. Z∗m is the multi- plicative group of integers modulo m and QRm is the set of quadratic residues mod- ulo m. BBS is one of the rare pseudorandom number generators that is cryptographically secure, i.e., it passes all polynomial-time statistical tests (no polynomial-time algorithm can distinguish between an output sequence of the generator and a truly random sequence). This strong property is not required of most applications of pseudorandom numbers, except cryptography. In practice, BBS can be proved left-unpredictable (hereafter, “unpredictable”) under the assumption that the quadratic residuosity problem is intractable (this is equivalent to prove that BBS passes all polynomial-time statistical tests [Yao82].) 3 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS 2.2 Implementation of BBS in Assembly The assembly code bbs asm in Fig. 1 implements BBS. It is written with MIPS instructions (actually, we use SmartMIPS, a superset of MIPS32 with additional instructions for smart- cards [Mips]). It consists of a loop with a nested loop. Each iteration of the nested loop produces bbs asm =def 0: addiu i gpr zero 016 (* init counter for outer loop *) 1: addiu L l 016 (* init pointer to result *) 2: beq i n 240 (* repeat n times *) 3: addiu j gpr zero 016 (* init counter for inner loop *) 4: addiu w gpr zero 016 (* init word of temporary storage *) 5: beq j thirtytwo 236 (* repeat 32 times *) 6: mul mod k x x m . . . (* compute X 2 (mod M) *) 222: lw w′ 016 x (* load least significant word *) 223: andi w′ w′ 116 (* extract parity bit *) 224: sllv w′ w′ j (* shift parity bit to jth position *) 225: cmd or w w w′ (* store parity bit in temporary storage *) 226: addiu j j 116 (* increment inner loop counter *) 227: jmp 5 (* end of the inner loop *) 228: sw w 016 L (* store the last 32 parity bits in memory *) 229: addiu L L 416 (* increment pointer to result *) 230: addiu i i 116 (* increment outer loop counter *) 231: jmp 2 (* end of the outer loop *) 232: Figure 1: The Blum-Blum-Shub pseudorandom number generator in assembly one word of pseudorandom bits by performing a square modulo, extracting the parity bit (of the least significant word), and storing this bit in a temporary word of storage in an appropriate position using bitwise operations. These temporary words of storage are then stored in mem- ory contiguously by the outer loop so as to produce a pseudorandom number. The names of registers (in italic font) are parameters; only the null register gpr_zero is hardwired in the program. Magic numbers are indexed with their length in bits (e.g., 016 stands for 0 represented as a half-word). mul mod is an inlined assembly program explained in the next section. 2.3 Implementation of Modular Multiplication in Assembly We implement multi-precision square modulo using the Montgomery multiplication [Mon85]. This is not the fastest way to implement multi-precision square modulo but, still, this is rea- sonable: like the natural multi-precision multiplication/division, it has a quadratic complexity. Moreover, we already have a formal proof for an optimized version of the Montgomery multipli- cation [AM06], whereas, to the best of our knowledge, such a formal proof for multi-precision division does not exist yet. Using Montgomery, modular multiplication is performed as follows. Given three k-word integers M, X ,Y , the Montgomery multiplication computes a k + 1-word integer Z such that Proc. AVOCS 2009 4 / 15 ECEASST β kZ = X .Y (mod M) and Z < 2M (β = 232). This is almost a multiplication modulo except for the parasite value β k and because Z 6< M in general. To turn it into a genuine multiplication modulo, one needs (1) an additional subtraction to reduce Z by M when necessary and (2) two passes to eliminate the parasite value. The second pass requires as an additional input a k-word A = β 2k (mod M); given Z such that β kZ = X .Y (mod M), it suffices to compute Z′ such that β kZ′ = Z.A (mod M): if M is odd (this is generally the case for cryptographic applications), one obtains as desired Z′ = X .Y (mod M). The assembly code mont mul strict init in Fig. 2 implements the Montgomery multiplication extended with comparison and subtraction. It makes use of the functions montgomery (the mont mul strict init =def 6: multi zero ext k Z z (* output initialization *) 13: mflhxu gpr_zero (* multiplier inialization *) 14: mthi gpr_zero 15: mtlo gpr_zero 16: montgomery k alpha x y z m one ext int X Y M Z quot C t s 54: beq C gpr_zero 79 (* is the output k + 1-word long? *) 55: addiu t t 416 56: sw C 016 t 57: addiu ext k 116 58: multisub ext one z m z M int quot C Z X Y X 78: jmp 114 79: multi lt prg k z m X Y int ext Z M 91: beq int gpr_zero 94 (* is the output bigger than the modulus? *) 92: skip 93: jmp 114 94: multisub k one z m z ext int quot C Z X Y X 114: mul mod =def 6: mont mul strict init k alpha x x y m one ext int X B2K Y M quot C t s 114: mont mul strict init k alpha y b2k x m one ext int X B2K Y M quot C t s 222: Figure 2: The Montgomery multiplication extended with comparison and subtraction function verified in [AM06]), (in-place) subtraction multi sub (derived from [AM06]), multi- precision comparison multi lt and an initialization function multi zero (see [Code] for the details). The assembly code mul mod in Fig. 2 perform a square modulo by using twice mont mul strict init, provided we assume that the register b2k points to the pre-computed k-word A = β 2k (mod M). 3 Game-based Proofs for Assembly Cryptographic proofs usually apply to algorithms without any consideration for implementa- tion. In order to prove unpredictability directly on assembly code, we propose to lift a standard definition borrowed from game-playing [Sho04]. Game-playing is a methodology to write cryp- tographic proofs that are easier to verify; it lends itself well to formalization [ATM07, BBU08, 5 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS BGZ09, Now07]. A security property is modeled as a game (a program) to be solved by an at- tacker, the latter being modeled as some probabilistic procedure. A cryptographic proof consists in showing that any attacker has only little advantage over a random player, by (1) stating the security property for the cryptographic primitive to be verified, and (2) reducing it to a computa- tional assumption through game transformations. Regarding unpredictability for a function f , the game unpredictability( f ) is defined as fol- lows [Now08]: a seed is picked at random in the set of seeds G (Z∗n in the case of BBS); a sequence of bits [b0, . . . , blen] is computed by f ; this sequence, deprived of its first bit b0, is passed to the attacker A; the latter returns its guess b̂0. The result of the game is whether the guess is right or not. To define unpredictability for assembly code, one needs to lift the previous definition because it applies to mathematical functions without any consideration for their implementation. This makes a difference because, contrary to mathematical functions, as- sembly code does not work as intended for arbitrary input, due to restrictions imposed by the choice of implementation. The basic idea is thus to extract from the assembly code its seman- tics in terms of a mathematical function and to inject it into the definition of unpredictability: unpredictability assembly(c) =def unpredictability(JcK). For JcK to be well-defined, the assem- bly code c has to be deterministic and terminating, and, more importantly, one needs to make clear under which restrictions the assembly code behaves as intended (the correctness property). The advantage of the lifting explained above is that it makes clear how to organize formal verification of assembly code with cryptographic proofs. Games for assembly connect to stan- dard games through implementation steps, that are justified formally by ensuring determinism, termination, and correctness. Since implementation steps come in addition to the other game transformations [Sho04], this makes it easier to develop a formal framework for verification of assembly with cryptographic proofs: pick up a formal framework for game-based proofs and a formal framework for assembly, and add the machinery for implementation steps. 4 Verification of Functional Correctness of Assembly To perform cryptographic proofs of an implementation, we need in particular to prove its func- tional correctness. This is technically difficult for assembly because handling of jumps results in non-standard logics, usually verbose, and thus less practical than standard Hoare logic. To over- come this difficulty, we formalize the proof-carrying code framework of [SU07] that provides not only a compositional operational semantics and Hoare logic for assembly with jumps, but also shows that derivations for this non-standard operational semantics and this Hoare logic can be obtained from standard operational semantics and standard Hoare logic by compilation. The following is an overview of our formalization of [SU07]; it includes a formalization of standard Separation Logic that is actually a revision of [AM06] recalled for the sake of self-containedness. 4.1 Operational Semantics Formalization of States A state is a pair of a store and a heap: state =def store × heap. A store is a collection of registers containing integers of finite size. Let intn be the type of machine integers encoded with n bits. Most registers contain values of type int32 (the exception is the Proc. AVOCS 2009 6 / 15 ECEASST extended accumulator of type intn with n ≥ 8). We have the following notations: JrKs is the value of register r in store s; s{v/r} is the store resulting from updating register r with value v in store s. A heap is a finite map from locations to integers of type int32. The heap is tailored to word-accesses because most memory accesses in our applications are word-aligned. We have the following notation: h[l] is the contents of location l of the heap h; it is None when the location is undefined. States are extended with a label (that represents the value of the program counter of the instruction being currently executed) and can be error states (because some instructions may trap). We distinguish error states using an option type, hence the definition of labelled states: lstate =def option (label × state). One-step, Non-branching Instructions The semantics of non-branching MIPS instructions is a predicate noted s − i −→ s′ where i is a MIPS instruction, s (resp. s′) is the state before (resp. after) its execution. When formalizing the semantics of instructions, we need to express conditions such as word-alignment, absence of arithmetic overflow, etc. These conditions require manipulations such as sign-extending int16 integers to int32 integers, checking for divisibility by 4, etc. For this purpose, we introduce various operators: (v)int16→int32 sign-extends the value v from 16 to 32 bits, (v)int32→N interprets the value v as an unsigned integer, etc. Figure 3 illustrates the semantics of MIPS instructions with the rules for the instruction lw (“load word”). There are two rules depending on whether the memory access is word-aligned and the accessed location is defined. (The notation +h is the addition of finite-size integers.) ( JbaseKs +h (off )int16→int32 ) int32→N = 4 × p h[p] = Some z Some (s, h) − lw rt off base −→ Some (s{z/rt}, h) exec0 lw ∀p. ( JbaseKs +h (off )int16→int32 ) int32→N 6= 4 × p ∨ h[p] = None Some (s, h) − lw rt off base −→ None exec lw error Figure 3: Semantics of lw Big-step Operational Semantics of Assembly with Jumps Following [SU07], an assembly program is formalized as a set of labelled instructions. The latter are either labelled MIPS in- structions or jump instructions (unconditional jumps jmp l or conditional jumps cjmp b l). Conditional jumps comprise MIPS instructions such as bne (“branch if not equal”), etc; these instructions are parameterized by conditions noted b. dom(c) is the set of the labels of the in- structions of the assembly program c. Labelled instructions are assembled using ⊕. The operational semantics of assembly programs is a predicate noted s � c _ s′ where c is a set of labelled instructions, s (resp. s′) is the state before (resp. after) its execution. It is defined inductively by the rules of Fig. 4. These rules are a generalization of [SU07] with more instructions and with error states. The originality of this semantics can be appreciated by looking at the two rules for sequences using ⊕; intuitively, they are a mix of the rules for sequence and while-loops of traditional Hoare logic. 7 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS Some s − i −→ Some s′ Some (l, s) � l : i _ Some (l + 1, s′) Some s − i −→ None Some (l, s) � l : i _ None l 6= l′ Some (l, s) � l : jmp l′ _ Some (l′, s) JbKs l 6= l′ Some (l, s) � l : cjmp b l′ _ Some (l′, s) ¬JbKs Some (l, s) � l : cjmp b l′ _ Some (l + 1, s) l ∈ dom(c1) Some (l, s) � c1 _ s′ s′ � c1 ⊕ c2 _ s′′ Some (l, s) � c1 ⊕ c2 _ s′′ l ∈ dom(c2) Some (l, s) � c2 _ s′ s′ � c1 ⊕ c2 _ s′′ Some (l, s) � c1 ⊕ c2 _ s′′ None � c _ None l /∈ dom(c) Some (l, s) � c _ Some (l, s) Figure 4: Big-step Operational Semantics of Assembly with Jumps 4.2 Hoare Logics The non-standard operational semantics of the previous section gives rise to a non-standard Hoare logic for assemblies with jumps. We now formalize the Hoare logics from [SU07] (actu- ally, extensions known as Separation Logic [Rey02]). Assertions Properties of states are specified using a shallow-encoding of the logical connectives of Separation Logic, i.e., assertions are functions from states to the type Prop of propositions in Coq: assertion =def store � heap � Prop. The satisfiability of an assertion can depend on the value of the current label: assn =def label � assertion. Standard Separation Logic A triple in this logic is noted {P}c{Q} where P and Q are assertions and c is an assembly program with while-loops instead of jumps. Let us introduce a function that computes the weakest precondition of one-step, non-branching MIPS instructions. Here is an excerpt of this function for the “load word” instruction: WP i Q =def match i with | lw rt off base ⇒ λ s, h.∃p. ( JbaseKs +h (Joff Ks)int16→int32 ) int32→N = 4×p ∧ ∃z.h[p] =Some z ∧ Q s{z/rt} | . . . end Using the above function, the standard separation logic is defined by the following rules: {WP i Q}i{Q} {P}c1 {R} {R}c2 {Q} {P}c1;c2 {Q} {λ s, h.P ∧JbKs}c{P} {P}while b c{λ s, h.P ∧¬JbKs} {λ s, h.P ∧JbKs}c1 {Q} {λ s, h.P ∧¬JbKs}c2 {Q} {P}if b then c1 else c2 {Q} P � P′ { P′ } c { Q′ } Q′ � Q {P}c{Q} Proc. AVOCS 2009 8 / 15 ECEASST This logic is formally proved sound and complete w.r.t. standard big-step operational seman- tics, where assembly code with while-loops is built out of MIPS instructions (Sect. 4.1), se- quences (c1;c2), structured branching (if b then c1 else c2), and while-loops (while b c): None − c _ None s − c −→ s′ s − c _ s′ s − c1 _ s′′ s′′ − c2 _ s′ s − c1;c2 _ s′ JbKs Some (s, h) − c1 _ s′ Some (s, h) − if b then c1 else c2 _ s′ ¬JbKs Some (s, h) − c2 _ s′ Some (s, h) − if b then c1 else c2 _ s′ JbKs Some (s, h) − c _ s′ s′ − while b c _ s′′ Some (s, h) − while b c _ s′′ ¬JbKs Some (s, h) − while b c _ Some (s, h) Separation Logic based on the compositional Hoare logic of [SU07] A triple in this logic is noted [P] c [Q] where P and Q are labelled assertions (type assn) and c is an assembly program with jumps. We introduce predicate transformers that enforce assertions to be satisfiable for labels inside (resp. outside) a domain: P|d =def λ l.P l ∧l ∈ d, P|d =def λ l.P l ∧l /∈ d. Using above predicate transformers and the above weakest-precondition function, we formalize the rules for the compositional Hoare logic below. This logic is formally proved sound and complete w.r.t. the big-step operational semantics of Sect. 4.1. [ λ pc.λ s. pc = l ∧(P j s ∨ j = l) ∨ pc 6= l ∧P pc s ] l : jmp j [P] [ λ pc.λ s. pc = l ∧(¬JbKs ∧P (l + 1) s ∨JbKs ∧(P j s ∨ j = l)) ∨ pc 6= l ∧P pc s ] l : cjmp b j [P] [P] nop [P] [ λ pc.λ s. pc = l ∧WP c (P (l + 1)) s ∨ pc 6= l ∧P pc s ] l : c [P] [ P|dom(c1) ] c1 [P] [ P|dom(c2) ] c2 [P] [P] c1 ⊕ c2 [ P|dom(c1⊕c2) ] ∀l.P l � P′ l [P′] c [Q′] ∀l.Q′ l � Q l [P] c [Q] 4.3 Compilation from Standard Semantics and Hoare Logic [SU07] shows that derivations for the previous non-standard operational semantics and Hoare logic can also be obtained from standard operational semantics and Hoare logic through compi- lation. This is a result of interest because it allows us to work with standard operational semantics and Hoare logic (that are more practical to deal with formally) while still being able to recover formal proofs for assembly with jumps (these are the formal proofs that we really want, for example for shipping in a proof-carrying code scenario). The compilation procedure turns if-then-else’s and while-loops into conditional and uncondi- tional jumps. The compilation of program c with while-loops to an assembly program c′ with jumps is noted c l ↘l′ c′ where l (resp. l′) is the start (resp. end) label of the compiled program: 9 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS i l ↘l+1 l : i c1 l1+1 ↘l2 c ′ 1 c2 l+1 ↘l1 c ′ 2 if b then c1 else c2 l ↘l2 l : cjmp b (l1 + 1)⊕((c ′ 2 ⊕ l1 : jmp l2)⊕ c ′ 1) c1 l ↘l1 c ′ 1 c2 l1 ↘l2 c ′ 2 c1;c2 l ↘l2 c ′ 1 ⊕ c ′ 2 c l+1 ↘l1 c ′ while b c l ↘l1+1 l : cjmp (¬b) (l1 + 1)⊕(c ′ ⊕ l1 : jmp l) Through compilation, derivations of operational semantics can be compiled from the stan- dard one to the non-standard one of Sect. 4.1, and, similarly, proofs in Separation Logic can be compiled from the standard one to the non-standard one of Sect. 4.2: Lemma preservation of evaluations : for all c s l c′ s′ l′, if c l ↘l′ c′ and Some s − c _ Some s′, then Some (l, s) � c′ _ Some (l + card(dom(c′)), s′). Lemma preservation hoare : for all P, Q, c such that {P}c{Q} and for all l, c′, l′ such that c l ↘l′ c′ then [λ pc.λ s. pc = l ∧P s] c′ [λ pc.λ s. pc = l′ ∧Q s] . 5 Extraction of the Semantics of BBS in Assembly 5.1 The Functional Correctness of BBS in Assembly Let us provide two functions encode and decode such that: encode (n, k, seed, m) builds a state from the requested number n of pseudoramdom 32-bits words, the number k of 32-bits words re- served for the encoding of the seed and the modulus, the seed, and the modulus m; and decode (s) is the list of pseudorandom bits stored in the state s. These functions impose a specific memory layout depicted in Fig. 5. Besides the encoding of the seed (in memory area X ) and the modu- X 032 M 032 L Y 032 β 2kmemory before execution: k+1 words k+1 words n words k+1 words k words n, k, seed, m encode X′ 032 M 032 L′ Y ′ 032 β 2kmemory after execution: [b0, . . . , b32n−1] decode � bbs asm _ Figure 5: Encoding and decoding of input/output lus (in M) as multi-precision integers, and initialization of the list of pseudorandom bits (in L) to an appropriate length, encode provides additional storage (Y , β 2k, trailing words initialized to 032) specific to our implementation (this stems from our Montgomery multiplication). Note Proc. AVOCS 2009 10 / 15 ECEASST that, as long as 4(4k + n + 2) < 232, n and k can be very large, k effectively covering lengths for which the quadratic residuosity problem is indeed believed to be intractable. This is one desirable side-effect of our approach to precisely pinpoint the range of k. Using above functions, the verification goal is stated as follows: 4(4k + n + 2) < 232 →[ λ pc.λ s. pc = 0 ∧ encode (n, k, seed, m) = s ] bbs asm [ λ pc.λ s. pc = 232 ∧ decode (s) = bbs fun(32×n, seed, m) ] Starting from an appropriate encoding of the inputs, the execution of bbs asm leads to a final state from which one can extract the intended list of pseudorandom bits (see [Code] for details). It is here that the restrictions imposed by the choice of implementation mentioned in Sect. 3 appear, for the above triple cannot be proved for arbitrary values of n and k. In practice, we conduct formal proof using standard Separation Logic and obtain the triple above by applying the lemma preservation hoare of Sect. 4.3. The effort therefore concen- trates on the following triple where the assembly program with jumps has been replaced by its “decompiled” version with if-then-else’s and while-loops (manual decompilation proved correct w.r.t. the compilation predicate of Sect. 4.3): 4(4k + n + 2) < 232 → {λ s. encode (n, k, seed, m) = s}bbs asm decompile{λ s. decode (s) = bbs fun(32×n, seed, m)} (1) Note that we are dealing with a generalized version of the BBS algorithm (bbs fun takes the modulus m in Z, whereas bbs in Sect. 2.1 uses the types Z∗m and QRm): bbs fun(len ∈ N, seed ∈ Z, m ∈ Z) =def bbs fun rec(len, seed2 (mod m), m) bbs fun rec(len ∈ N, x ∈ Z, m ∈ Z) =def match len with 0 ⇒ [] | len′ + 1 ⇒ parity(x) :: bbs fun rec(len′, x2 (mod m), m) end This is a sound generalization because the information that Z∗m is a cyclic group is not needed in the proof of functional correctness (only in the cryptographic proof). 5.2 Extraction of the Semantics of BBS in Assembly First, we prove that bbs asm is terminating and deterministic, i.e., for all n, k, seed and m, there exists a unique state s′ such that Some (0, encode (n, k, seed, m)) � bbs asm _ s′. From the Separation Logic triple of the previous section, we derive by soundness of Separation Logic: Lemma correctness : if Some (0, encode (n, k, seed, m)) � bbs asm _ Some (l′, s′) and 4(4k + n + 2) < 232, then l′ = 232 and decode (s′) = bbs fun(32×n, seed, m) Then comes the proof of termination. First, we prove that there is a final state, without proving whether it is an error state or not: Lemma execution bbs asm : if 4(4k + n + 2) < 232, then there exists s′ s. t. Some (0, encode (n, k, seed, m)) � bbs asm _ s′ 11 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS This is proved by induction on the variant of the outermost loop, and then on nested loops. Second, by the triple (1), we derive the fact that this final state cannot be an error state. The lemmas above allow us to define a function execbbs asm that maps a number n of 32 bits words, a number k of 32 bits words, a seed and a modulus m to a state from which one can extract the desired pseudorandom bits, so that the semantics of bbs asm can be written as a mathematical function: Jbbs asmK =def prefixlen+1 ( decode ( execbbs asm (⌈ len + 1 32 ⌉ ,dlog232 (m)e, seed, m ))) Since bbs asm always return a number of pseudorandom bits that is a multiple of 32, we need to take a prefix of its output; len + 1 is the length requested by the unpredictability game. Putting it All Together The Figure below summarizes how we organize the complete game- based proof of BBS in assembly. bbs_encode_decode.v contains the encode/decode func- tions and the formal proof of correctness and termination, derived from the formal proof of the Separation Logic triple for bbs asm. BBS_Asm_CryptoProof.v contains the game-based proof, making use of the correctness and termination lemmas and of the cryptographic proof of the BBS algorithm provided by BBS.v, taken directly from [Now08]. Framework for Assembly [AM06] � � � � � � � � Framework for Games [Now08] bbs prg.v (Sect. 2.2) uukkk k **UUU UU BBS.v yy bbs triple.v (Sect. 5.1) ))SSS SS bbs termination.v (Sect. 5.2) ttiiii i bbs encode decode.v (Sect. 5.2) 33 BBS Asm CryptoProof.v (Sect. 3) 6 Technical Aspects of the Coq Formalization The formalization of assembly programs, operational semantics, Separation Logic, as well as all supporting lemmas is the result of a revision of our previous work [AM06]. This revision was made necessary to address scalability issues. We do not comment extensively about this revision except to say that we used SSREFLECT [GM07], a recently publicized Coq extension, that favors a proof style that naturally led to shorter proof scripts (for illustration, proof scripts of experiments in [AM06] shrank by 70% in terms of lines of code). The new aspect of our framework is the formalization of the proof-carrying code framework of [SU07], that we instantiate to Separation Logic and MIPS instructions and extend to deal with error-states. Table 1 makes it clear what is formalized w.r.t. [SU07]. In brief, what we do not do: we do not formalize Section 5 of [SU07] and we formalize only the so-called “non-constructive proofs” of Theorems 17 and 18 (indeed, for these two theorems, the proofs come in two flavors). The formal proof of the Separation Logic triple of Sect. 5.1 is technically the most demanding part of the proof effort. Our assembly program of BBS is large (at least by the current standards Proc. AVOCS 2009 12 / 15 ECEASST Reference in [SU07] Reference in [Code] and status Proof script size Section 2 file goto.v 462 lines Figure 1, Lemma 1, 3 Done Lemma 2 Particular cases only Section 3 file sgoto.v 747 lines Section 3.1: Figure 2, Lemmas 4–5, Done Theorems 6–8, Corollary 9 Section 3.2: Figure 3, Theorem 10, Done Lemma 11, Theorem 12 Section 4 file compile.v 1279 lines Section 4.1: Figure 5, Done Lemmas 13–14, Theorems 15–16 Section 4.2: Theorems 17–18 Done Section 4.3 Done, file sgoto_hoare.v 369 lines Section 5 Not done Appendix A Done (revision of [AM06]) file mips_biple.v 927 lines file mips_cmd.v 710 lines file mips_hoare.v 783 lines Appendix B Theorems 6–7, 15–18 Done (spread over above files) Table 1: Formalization of [SU07] of proof assistant-based verification [AM06, MG07]): 239 instructions that spread over several snippets of code. Table 2 makes it precise which snippets are used and their respective size. Function Reference in [Code] Program size BBS bbs_prg.v 14 commands Montgomery strict (Fig. 2) mont_mul_strict_prg.v 9 commands Montgomery raw ([AM06]) mont_mul_prg.v 36 commands Multi-precision subtraction multi_sub_prg.v 18 commands Multi-precision comparison multi_lt_prg.v 11 commands Array initialization multi_zero_prg.v 6 commands Table 2: The assembly code of BBS in Coq Table 3 summarizes the size of proof scripts used in the proof of the Separation Logic triple of BBS. It is always difficult to comment about the size of proof scripts because we are lacking good metrics for comparison. Yet, looking at related work, it is fair to claim that our frame- work for formal proof of assembly programs allows for short proof scripts: this can be appre- ciated by looking at several similar experiments in common among the work in this paper and [AM06, MG07] (verification of multi-precision arithmetic, Montgomery multiplication, but also Montgomery exponentiation, not used in this paper though). 13 / 15 Volume 23 (2009) Certifying Assembly with Formal Cryptographic Proofs: the Case of BBS Function Reference in [Code] Size BBS bbs_triple.v 845 lines Montgomery strict mont_{mul,square}_strict_init_triple.v 608 lines Montgomery raw mont_{mul,square}_triple.v 1198 lines Multi-precision subtraction multi_sub_inplace_left_triple.v 439 lines Multi-precision comparison multi_lt_triple.v 408 lines Array initialization multi_zero_triple.v 129 lines Total 3627 lines Table 3: Formal proof of the Separation Logic triple of BBS 7 Conclusion We addressed the problem of formal verification of assembly code with cryptographic proofs. We proposed an approach that extends game-based proofs to integrate formal proofs of functional correctness with formal cryptographic proofs in a clear way, understandable by both cryptogra- phers and implementers. Our proposition is supported by a concrete framework developed in the Coq proof assistant. As an illustration, we provided the first assembly program for a pseudoran- dom number generator that is certified with a cryptographic proof. Future Work The cryptographic proof of BBS on which we rely is asymptotic: the probability that an attacker predicts the next bit can be made arbitrarily small, but it does not give any concrete value for the security parameter. A possible extension of our approach would be to link our assembly implementation of BBS to a cryptographic proof of the concrete security of BBS. Our certified implementation of BBS could be used as the source of pseudorandomness in the implementation of further cryptographic primitives. Indeed, even though it is probabilistic, such a primitive is still deterministic in the sense that for any two equal inputs it outputs the same distribution; one can thus extract its semantics as a mathematical function and inject it into the appropriate standard definition of security (such as semantic security in the case of ElGamal). Acknowledgements: This work was partially supported by KAKENHI 21700048 and 21500046. The authors are grateful to an anonymous reviewer for his/her comments. Bibliography [ATM07] Affeldt, R., Tanaka, M., Marti, N.: Formal Proof of Provable Security by Game- Playing in a Proof Assistant. Int. Conf. on Provable Security. LNCS, vol. 4784, pp. 151–168. Springer (2007). [AM06] Affeldt, R., Marti, N.: An Approach to Formal Verification of Arithmetic Functions in Assembly. Annual Asian Computing Science Conference, Dec. 2006. LNCS, vol. 4435, pp. 346–360. Springer, Heidelberg (2008). [BBU08] Backes, M., Berg, M., Unruh D.: A Formal Language for Cryptographic Pseu- docode. Int. Conf. on Logic for Programming, Artificial Intelligence, and Reasoning. LNCS, vol. 5330, , pp. 353–376. Springer (2008). Proc. AVOCS 2009 14 / 15 ECEASST [BGZ09] Barthe, G., Grégoire, B., Zanella, S.B.: Formal certification of code-based cryp- tographic proofs. ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages, pp.90–101. ACM Press. [BR04] Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331, 2004. [BBS86] Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo random number generator. SIAM Journal on Computing, 15(2):364–383. Society for Industrial and Applied Mathematics, 1986. [Code] Affeldt, R., Nowak D., Yamada K.: Certifying Assembly with Cryptographic Proofs: the Case of BBS. http://staff.aist.go.jp/reynald.affeldt/bbs [GM07] Gonthier, G., Mahboubi, A.: A Small Scale Reflection Extension for the Coq Sys- tem. Technical Report 6455, Dec. 2007. INRIA. [Mips] MIPS Technologies. MIPS32 4KS Processor Core Family Software User’s Manual MIPS Technologies, Inc., 1225 Charleston Road, Mountain View, CA 94043-1353. [Mon85] Montgomery, P.L.: Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, 1985. [MG07] Myreen, M.O., Gordon, M.J.C.: Verification of Machine Code Implementations of Arithmetic Functions for Cryptography. Theorem Proving in Higher Order Logics: Emerging Trends Proceedings. Internal Report 364/07, Aug. 2007. Department of Computer Science, University of Kaiserslautern. [MSG09] Myreen, M.O., Slind, K., Gordon, M.J.C.: Extensible proof-producing compilation. Int. Conf. on Compiler Construction. LNCS, vol. 5501, pp. 2–16. Springer (2009). [Now07] Nowak, D.: A framework for game-based security proofs. Int. Conf. on Information and Communications Security. LNCS, vol. 4861, pp. 319–333. Springer (2007). [Now08] Nowak, D.: On formal verification of arithmetic-based cryptographic primitives. Int. Conf. on Information Security and Cryptology, Dec. 2008. LNCS, vol. 5461, pp. 368-382. Springer (2009). [Rey02] Reynolds, J.C.: Separation Logic: A Logic for Shared Mutable Data Structures. IEEE Symp. on Logic in Computer Science, pp. 55–74 (2002). Invited lecture. [SU07] Saabas, A., Uustalu, T.: A compositional natural semantics and Hoare logic for low- level languages. Theoretical Computer Science 373(3), 273–302. Elsevier (2007). [Sho04] Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. [Yao82] Yao, A.C.: Theory and applications of trapdoor functions. IEEE Annual Symp. on Foundations of Computer Science. pp. 80–91. IEEE (1982). 15 / 15 Volume 23 (2009) http://staff.aist.go.jp/reynald.affeldt/bbs Introduction The BBS Pseudorandom Number Generator The BBS Algorithm Implementation of BBS in Assembly Implementation of Modular Multiplication in Assembly Game-based Proofs for Assembly Verification of Functional Correctness of Assembly Operational Semantics Hoare Logics Compilation from Standard Semantics and Hoare Logic Extraction of the Semantics of BBS in Assembly The Functional Correctness of BBS in Assembly Extraction of the Semantics of BBS in Assembly Technical Aspects of the Coq Formalization Conclusion