jasmin high assurance and high speed cryptography
play

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar - PowerPoint PPT Presentation

Jan 11, 2024 •129 likes •440 views

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

  1. Jasmin: High-Assurance and High-Speed Cryptography José Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grégoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS’17 — 2017-11-02 Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 0 / 22

  2. Implementing “crypto”: a subtle equilibrium ◮ Correct ◮ Fast ◮ Secure (side-channel free) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 1 / 22

  3. A gap between C and assembly C ◮ Portable ◮ Convenient software-engineering abstractions ◮ Readable, maintainable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 2 / 22

  4. A gap between C and assembly C ◮ Portable ◮ Convenient software-engineering abstractions ◮ Readable, maintainable Assembly ◮ Efficiency ◮ Control (instruction selection and scheduling) ◮ Precise semantics Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 2 / 22

  5. Jasmin: the blossoming programming language A language A formal semantics A (correct) compiler Tooling for proof of safety and leakage-freedom Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 3 / 22

  6. Jasmin by example Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 4 / 22

  7. Jasmin “Hello World!” (constant-time swapping) Zero-cost abstractions param int n = 4; inline ◮ Variable names fn cswap (stack b64[n] x, stack b64[n] y, reg b64 swap) → stack b64[n], stack b64[n] { ◮ Global parameters − reg b64 tmp1, tmp2, mask; inline int i; ◮ Arrays mask = swap * 0xffffffffffffffff; ◮ Loops for i = 0 to n { tmp1 = x[i]; ◮ Inline functions (with custom tmp1 ^= y[i]; tmp1 &= mask; calling conventions) tmp2 = x[i]; tmp2 ^= tmp1; x[i] = tmp2; tmp2 = y[i]; tmp2 ^= tmp1; y[i] = tmp2; } return x, y; } Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 5 / 22

  8. Control down to the instruction-set architecture level reg bool cf; reg b64 addt0, addt1, t10, t11, t12, t13; // . . . t10 = [workp + 4 * 8]; t11 = [workp + 5 * 8]; t12 = [workp + 6 * 8]; t13 = [workp + 7 * 8]; // . . . cf, t10 += [workp + 8 * 8]; cf, t11 += [workp + 9 * 8] + cf; cf, t12 += [workp + 10 * 8] + cf; cf, t13 += [workp + 11 * 8] + cf; addt0 = 0; addt1 = 38; addt1 = addt0 if ! cf; ◮ Direct memory access ◮ The carry flag is an ordinary boolean variable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 6 / 22

  9. Control down to the instruction-set architecture level reg bool cf; reg b64 i, j; reg b64 addt0, addt1, t10, t11, t12, t13; stack b64 is, js; // . . . // . . . t10 = [workp + 4 * 8]; j = 62; t11 = [workp + 5 * 8]; i = 3; t12 = [workp + 6 * 8]; while (i >=s 0) { t13 = [workp + 7 * 8]; is = i; // . . . // . . . cf, t10 += [workp + 8 * 8]; while (j >=s 0) { cf, t11 += [workp + 9 * 8] + cf; js = j; cf, t12 += [workp + 10 * 8] + cf; // . . . cf, t13 += [workp + 11 * 8] + cf; j = js; j -= 1; addt0 = 0; } addt1 = 38; j = 63; i = is; i -= 1; addt1 = addt0 if ! cf; } ◮ Direct memory access ◮ Control over loop unrolling ◮ The carry flag is an ordinary boolean ◮ Control over spilling variable Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 6 / 22

  10. The Jasmin compiler Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 7 / 22

  11. Goals / Features ◮ Predictability and control of the generated assembly ◮ Zero-cost abstractions ◮ Correct (Coq proofs, machine-checked) ◮ Preserves constant-time Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 8 / 22

  12. Compilation passes ◮ For loop unrolling ◮ Function inlining ◮ Constant-propagation ◮ Redundancy elimination ◮ Sharing of stack variables ◮ Register array expansion ◮ Lowering ◮ Register allocation ◮ Linearization Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 9 / 22

  13. A correctness theorem Each pass proved on its own Maximal use of validation Reuse of a single checker (core) for various passes Suitable theorem for libraries (aka separate compilation) Theorem (Jasmin compiler correctness) ∀ p p ′ · compile ( p ) = ok ( p ′ ) − → ∀ f · f ∈ exports ( p ) − → ∀ v a m v r m ′ · enough-stack-space ( f , p ′ , m ) − → → f , v a , m ⇓ p ′ v r , m ′ f , v a , m ⇓ p v r , m ′ − Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 10 / 22

  14. Beyond correctness Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 11 / 22

  15. Automatic proof of memory safety fn pack (reg u64 rp, reg u64[4] xa) //@ requires valid(rp, 0 * 8, 4 * 8 - 1); { inline int i; ◮ Goal: prove that all memory accesses are valid. ◮ Require user annotations: function xa = freeze(xa); preconditions, loop invariants. for i = 0 to 3 ◮ Translate to Dafny //@ invariant valid(rp, 0 * 8, 4 * 8 - 1); { ◮ Reuse the Dafny · Boogie infrastructure [rp + (i * 8)] = xa[i]; } } Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 12 / 22

  16. Automatic proof of constant-time fn mladder (stack u64[4] xr, reg u64 sp) ◮ Goal: prove that a function is “constant-time” → (stack u64[4], stack u64[4]) − ◮ Require user annotations: function //@ security requires public(sp); { preconditions, loop invariants. . . . ◮ Translate to Dafny then Boogie while (i >=s 0) ◮ Build a product program and check that the //@ security invariant public(i); product is safe (technique adapted from the { . . . CT-verif tool) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 13 / 22

  17. Jasmin for secure programming ◮ Infrastructure for automatic checks ◮ The compiler preserves functional correctness, safety, constant-time ◮ Known verification techniques apply to Jasmin programs ◮ Jasmin high-level features make automatic verification easier: arbitrary while loops and pointer arithmetic are seldom used. Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 14 / 22

  18. Running Jasmin programs Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 15 / 22

  19. Jasmin programs as libraries ◮ Compliant with standard ABI ◮ Link with your own programs written in assembly, C, OCaml, Rust. . . Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 16 / 22

  20. Experiment: from qhasm to Jasmin qhasm ◮ A high-level assembly language by D. Bernstein ◮ “Included” in Jasmin ◮ . . . hence easy automatic translation from qhasm to Jasmin Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 17 / 22

  21. Experiment: from qhasm to Jasmin qhasm ◮ A high-level assembly language by D. Bernstein ◮ “Included” in Jasmin ◮ . . . hence easy automatic translation from qhasm to Jasmin Supercop ◮ A cool infrastructure for testing and comparing crypto implementations ◮ Includes various examples written in qhasm ◮ A nice supply of Jasmin programs (since there are not many Jasmin programmers yet) Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 17 / 22

  22. Jasmin in Supercop which compilation Implementation qhasm Jasmin Ratio variables X25519-4limb-base 147 084 148 914 1 . 012 come X25519-4limb 147 890 148 922 1 . 006 on X25519-4limb-jasmin 143 982 X25519-5limb-base 148 354 147 200 0 . 992 prop- X25519-5limb 148 572 147 090 0 . 990 opti- ed25519-5limb-keypair 55 364 56 594 1 . 022 constant- ed25519-5limb-sign 83 430 85 038 1 . 019 anal- ed25519-5limb-open 182 520 188 180 1 . 031 and design, salsa20 12 322 12 460 1 . 011 compiler. In salsa20-xor 12 208 12 252 1 . 004 should impose Figure 1: Supercop cycle count Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 18 / 22

  23. Conclusions Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 19 / 22

  24. Present ◮ The Jasmin language ◮ Correct compiler for x64 ◮ Automatic checkers for safety and constant-time ◮ Programs obtained from qhasm Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 20 / 22

  25. Future ◮ More target architectures ◮ Vector instructions ◮ Logic and verification tools ◮ Write more programs Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 21 / 22

  26. Thanks ¿ Questions ? https://github.com/jasmin-lang/jasmin Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 22 / 22

  27. Extra Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 23 / 22

  28. Jasmin vs. qhasm qhasm ◮ Multi-platform ◮ Vector instructions Jasmin ◮ Loops ◮ Arrays ◮ Functions ◮ Formal semantics ◮ Proof of correctness Vincent Laporte et alii Jasmin: High-Assurance and High-Speed Cryptography 2017-11-02 24 / 22

Recommend

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B. Almeida, M. Barbosa, G. Barthe, B. Grgoire, A. Koutsos , V. La- porte, T. Oliveira, P-Y. Strub Octobre 9th, 2019 1 Context 2 Context Cryptographic

985 views • 57 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides
High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Picture credits: geeky-gadgets.com ; Star Trek The Internet of Things Andrew Myers, Stanford Report, 2011.02.11:

543 views • 36 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin

A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin

A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) Thanks to Peter Schwabe (Radboud University) NEXTLEAP (nextleap.eu) Harry Halpin Harry.halpin@inria.fr Prosecco @harryhalpin High Assurance

490 views • 16 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

1.36k views • 44 slides
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder Interface for Overview New linear position/velocity sensor Non-contact High resolution High speed Based on proven

320 views • 27 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

956 views • 57 slides
CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

1 CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410 Ken Birman, Cornell University High Assurance in Cloud Settings 2 A wave of applications that need high assurance is fast approaching

672 views • 40 slides
1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High Speed UK Connecting the Nation Who are we? Colin Elliff BSc CEng MICE Civil Engineering Principal, HSUK Quentin Macdonald

899 views • 85 slides
Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for Transportation Co., Ltd. (JIC) Index Trend of the HSR Project HSR Project in The World Superiority of Introducing HSR Transport Needs

1.02k views • 25 slides
High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor Corporation Belgium Vision 2006 P E R F O R M Outline Introduction Architecture Analog high speed CIS Digital high speed CIS

593 views • 32 slides
Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory Center for High-Assurance Computer Systems http:/ / chacs.nrl.navy.mil Xenon Xen Beyond Buffer Overflows high-assurance Policy flaws Use the

565 views • 24 slides
RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power Integrated Circuits 2009. 04. 27 Kwangseok Seo Seoul National University Outline Outline Introduction RTD/HEMT Integration Technology

369 views • 22 slides
High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber Newcastle, 7 December 2012 What is high speed rail? High speed rail refers to passenger trains travelling at 250 km/h or more, on purpose-built tracks.

354 views • 11 slides

More recommend