Exploring the Cryptol Toolset

Exploring the Cryptol Toolset

Pedro Pereira Ulisses Costa

Formal Methods in Software Engineering

April 30, 2009

Pedro Pereira, Ulisses Costa Exploring the Cryptol Toolset

Previously in last month’s Episode!

We had to
Learn the Cryptol language
Build a high-level specification of SNOW3G

We showed you
The language was a combination of arithmetics and sequence
manipulation
Some of its wonderful features: infinite and recursive streams,
polymorphism
The SNOW3G algorithm
A complete (and compact, and elegant!) specification of a
stream cipher in Cryptol


This time

We had to
Derive an implementation from the speciﬁcation
Generate (fast) C source code using Cryptol’s C-backend
Use the evaluation version ⇒ access to the complete toolset

We will show you
A user’s perspective of the toolset so far
Cryptol → C conversion
Safety + Theorems in Cryptol ⇒ Formal Methods Galore!


Cryptol Interpreter

The interpreter provides various environments and so far we’ve
used a few of them to:
Bit mode
Run Cryptol programs
C mode
Generate C source code
Symbolic Bit-Vector mode
Apply formal methods


Bit Mode - useful commands

Usage
:set bit

Base display
:set base=N

Little/Big endianness
:set -/+B


Base display

Example
Cryptol > [0 1 2 3]
[0x0 0x1 0x2 0x3]
Cryptol > :set base=10
Cryptol > [0 1 2 3]
[0 1 2 3]


Little/Big endianness

hexbyte.cry
HexByte : [4] Bit ;
HexByte = [ True False False False ];

Example
Cryptol > :load hexbyte.cry
Loading ”hexbyte.cry”.. Checking types.. Processing.. Done!
hexbyte> :set base=2
hexbyte> HexByte
0b0001
hexbyte> :set +B
hexbyte> HexByte
0b1000


C Mode - useful commands

Usage
:set C

Generation of source code
:compile <ﬁlename>

Out-of-bounds checking
:set +b

Specialize polymorphic deﬁnitions (automatically on)
:set +S


Generation of source code

Cryptol → C conversion depends on:
Cryptol .h
Contains all the necessary prototypes, macros and a few
standard C includes.
CryAlloc.o
Implements a custom memory allocator/deallocator for
Cryptol run-time.
CryPrim.o
Implements C-equivalents of Cryptol ’s built-in functions.
CryStream.o
C library for representing/manipulating inﬁnite streams.


Out-of-bounds checking
lookup.cry
lookup : ([4] , [2]) -> Bit ;
lookup ( xs , i ) = xs @ i ;

lookup.c without bounds checking
...
lookup res = GETBIT(xs lookup, i lookup);
...

lookup.c with bounds checking
...
lookup res = GETBIT CHECKED(xs lookup, i lookup, 0x3);
...

NB: It incurs a performance cost.


Specialize polymorphic deﬁnitions I
size.cry
size : { a b } ( fin a , c >= 1) -> [ a ] b -> [ c ];
size ss = ls ! 0
where ls = [0] # [| ( l +1) || l <- ls || s <- ss |];

Example
size> :set C
size> :compile size.c

size.c
#include ”Cryptol .h”
#include ”size.h”

It’s empty!

Specialize polymorphic deﬁnitions II

Because
Cryptol generates monomorphic deﬁnitions ⇒ We must provide
arguments

size.cry
size : { a b } ( fin a , c >= 1) -> [ a ] b -> [ c ];
size ss = ls ! 0
where ls = [0] # [| ( l +1) || l <- ls || s <- ss |];

force_size = size [0 1 2 3 4];


Generated size.c
size.c
# include quot; cryptol . h quot;
# include quot; size . h quot;

static uint8 const [5] = {0 x0 , 0 x1 , 0 x2 , 0 x3 , 0 x4 };
uint8 size_5 ( uint8 * ss_size ) {
uint32 local4 = 0 x0 ;
uint8 size_5_res = 0 x0 ;
uint32 * mrk = getAllocMark () ;

size_5_res = 0 x0 ;
for ( local4 = 0 x0 ; local4 < 0 x5 ; local4 += 0 x1 ) {
local8 = size_5_res + 0 x1 ;
local5 = local8 & 0 x1f ;
size_5_res = local5 ;
}
freeUntil ( mrk ) ;
return size_5_res ;
}


Optimizing the C code?

We found out
Not much, the documentation didn’t even address this
specifically
Infinite streams take a heavy toll on performance (it figures...
besides, an implementation isn’t suposed to have these)

But!
Hand-made implementation wasn’t much better
We aren’t done with this yet, it’s just that other stuff grabbed
our attention


SBV Mode - useful commands

Usage
:set sbv

Safety checks
:safe <expression>

Quickcheck
:check <expression>

Theorem prover
:prove <expression>

Satisﬁability
:sat <expression>


Safety checks

Statically catches
Index out-of-bounds;
Division/modulus by 0;
...and more!

Safe programs really don’t crash!


Safety checking I

lookup.cry
lookup : ([4] , [2]) -> Bit ;
lookup ( xs , i ) = xs @ i ;

Example
lookup> :set sbv
lookup> :safe lookup
”lookup” is safe; no safety violations exist.


Safety checking II

lookup2.cry
lookup2 : ([4] , [3]) -> Bit ;
lookup2 ( xs , i ) = xs @ i ;

Example
lookup2> :safe lookup2
*** 1 safety condition to be checked.
*** Violation detected:
lookup (0, 4) = ”lookup2.cry”, line 2, col 20: index of 4 is out of
bounds (valid range is 0 thru 3).
*** 1 problem found.


Safety checking III

lookup3.cry
lookup3 : ([4] , [3]) -> Bit ;
lookup3 ( xs , i ) = if i >= 3 then False else xs @ i ;

Example
lookup3> :safe lookup3
*** 1 safety condition to be checked.
*** Veriﬁed safe.
*** All safety checks pass, safe to execute.


Quickcheck

The :check command
Cryptol ’s implementation of Quickcheck
Consists in randomly generating test-cases and running
property deﬁnitions on these
Validity of theorems


Quickchecking theorems
Plaintext ⇔ Decrypt . Encrypt
theorem EncDec : { pt k i }. pt == decrypt ( encrypt ( pt , k , i ) , k
, i);

Example
Cryptol > :set quickCheckCount=100
Cryptol > :load SNOW 3G v0.93.cry
Loading ”SNOW 3G v0.93.cry”.. Checking types.. Processing..
Done!
*** Auto quickchecking 1 theorems.
*** Checking ”EncDec” [”SNOW 3G v0.93.cry”, line 23, col 1]
Checking case 100 of 100 (100.00%)
100 tests passed OK
[Coverage : 0.00%.[(100/3940200619639447921227904010014...)]
SNOW 3G v0.93>

Test coverage

EncDec coverage
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]

2(128+128+128) diferent cases = insane number above


Theorems are boolean functions!
In First Order Logic
∀x : 2x ⇔ x + x

In Cryptol
double : [8] -> Bit ;
theorem double : { x }. 2* x == x + x ;

Example
double> :prove double
Q.E.D.

The :prove command
Shows they’re equivalent to the constant function that always
returns True
Finds counter-examples

Counter-example

FG.cry
f , g : [8] -> [8];
f x = (x -1) *( x +1) ;
g x = x * x + 1;

theorem FG : { x }. f x == g x ;

Example
FG> :prove FG
*** Proving ”FG” [”FG.cry”, line 5, col 1]
Falsiﬁable.
FG 0 = False


Satisﬁability

Deﬁnition
Determining if the variables of a given Boolean formula can be
assigned in such a way as to make the formula evaluate to True.

FH.cry
f , h : [8] -> [8];
f x = (x -1) *( x +1) ;
h x = x * x - 1;

theorem FH : { x }. f x == h x ;

Example
FH> :sat FH
FH 0 = True


Oveview of formal methods subset

Highs:
Fully automated ⇒ it’s a ”push button” package
If not automated, there’s manual ⇒ Isabelle/HOL translation
(:isabelle)
Fast enough

Lows:
Doesn’t cover the entire Cryptol language:
Finiteness restriction ⇒ incapable of induction
Monomorphic restriction
First order restriction (not really a problem, can be rewritten)
Symbolic termination ⇒ cant’t use recursive functions (again
not really a problem, use recursive streams instead)


Conclusions

Cryptol provides a vast and truly useful toolset for
cryptographers
Formal methods are ”free” in Cryptol ⇒ No need to learn an
external language or tool


Coming up!

Field-programmable gate arrays!
VHDL!
Space-time tradeoﬀs!

Stay tuned!


Acknowledgments

A special thanks to Mr. Levent for his patience.

We also ripped oﬀ some ideas from his papers about Cryptol for
this presentation!


Questions

?


Exploring the Cryptol Toolset

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Exploring the Cryptol Toolset

Similar to Exploring the Cryptol Toolset (20)

More from Ulisses Costa

More from Ulisses Costa (8)

Recently uploaded

Recently uploaded (20)

Exploring the Cryptol Toolset