Cryptology ePrint Archive: Report 2013/316
Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations
José Bacelar Almeida and Manuel Barbosa and Gilles Barthe and François Dupressoir
Abstract: We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries providing complex arithmetic calculations or instantiating idealised components such as sampling operations. This certified compiler allows us to carry to executable code the security guarantees established at the high-level, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in source code.
We demonstrate the applicability of the framework with the RSA-OAEP encryption scheme, as standardized in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary to break the security of assembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it is the first application of computer-aided cryptographic tools to real-world security, and the first application of CompCert to cryptographic software.
Category / Keywords: public-key cryptography / RSA, OAEP, implementation, computer-aided cryptography, side-channels, compilation
Date: received 24 May 2013
Contact author: fdupress at gmail com
Available format(s): PDF | BibTeX Citation
Note: Associated material (EasyCrypt libraries and proofs, C code and modified CompCert) is not yet available publicly.
Version: 20130528:214352 (All versions of this report)
Short URL: ia.cr/2013/316
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]