Exploring the Cryptol Toolset
Pedro Pereira, Ulisses Costa
Formal Methods in Software Engineering
April 30, 2009
Pedro Pereira, Ulisses Costa Exploring the Cryptol Toolset
Previously in last month’s Episode!
We had to
Learn the Cryptol language
Build a high-level specification of SNOW3G
We showed you
The language was a combination of arithmetics and sequence manipulation
Some of its wonderful features: infinite and recursive streams, polymorphism
The SNOW3G algorithm
A complete (and compact, and elegant!) specification of a stream cipher in Cryptol
This time
We had to
Derive an implementation from the specification
Generate (fast) C source code using Cryptol’s C-backend
Use the evaluation version ⇒ access to the complete toolset
We will show you
A user’s perspective of the toolset so far
Cryptol → C conversion
Safety + Theorems in Cryptol ⇒ Formal Methods Galore!
Cryptol Interpreter
The interpreter provides various environments and so far we’ve used a few of them to:
Bit mode
Run Cryptol programs
C mode
Generate C source code
Symbolic Bit-Vector mode
Apply formal methods
Bit Mode - useful commands
Usage
:set bit
Base display
:set base=N
Little/Big endianness
:set -/+B
Base display
Example
Cryptol> [0 1 2 3]
[0x0 0x1 0x2 0x3]
Cryptol> :set base=10
Cryptol> [0 1 2 3]
[0 1 2 3]
Little/Big endianness
hexbyte.cry
HexByte : [4]Bit;
HexByte = [True False False False];
Example
Cryptol> :load hexbyte.cry
Loading "hexbyte.cry".. Checking types.. Processing.. Done!
hexbyte> :set base=2
hexbyte> HexByte
0b0001
hexbyte> :set +B
hexbyte> HexByte
0b1000
C Mode - useful commands
Usage
:set C
Generation of source code
:compile <filename>
Out-of-bounds checking
:set +b
Specialize polymorphic definitions (automatically on)
:set +S
Generation of source code
Cryptol → C conversion depends on:
Cryptol.h
Contains all the necessary prototypes, macros and a few standard C includes.
CryAlloc.o
Implements a custom memory allocator/deallocator for the Cryptol run-time.
CryPrim.o
Implements C-equivalents of Cryptol’s built-in functions.
CryStream.o
C library for representing/manipulating infinite streams.
Out-of-bounds checking
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup(xs, i) = xs @ i;
lookup.c without bounds checking
...
lookup_res = GETBIT(xs_lookup, i_lookup);
...
lookup.c with bounds checking
...
lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
...
NB: It incurs a performance cost.
Specialize polymorphic definitions I
size.cry
size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
size ss = ls ! 0
where ls = [0] # [| (l+1) || l <- ls || s <- ss |];
Example
size> :set C
size> :compile size.c
size.c
#include "Cryptol.h"
#include "size.h"
It’s empty!
Specialize polymorphic definitions II
Because
Cryptol generates monomorphic definitions ⇒ We must provide arguments
size.cry
size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
size ss = ls ! 0
where ls = [0] # [| (l+1) || l <- ls || s <- ss |];
force_size = size [0 1 2 3 4];
Generated size.c
size.c
#include "cryptol.h"
#include "size.h"
static uint8 const [5] = {0x0, 0x1 , 0x2, 0x3, 0x4};
uint8 size_5 (uint8* ss_size) {
uint32 local4 = 0x0;
uint8 local5 = 0x0;
uint8 size_5_res = 0x0;
uint8 local8 = 0x0;
uint32* mrk = getAllocMark ();
size_5_res = 0x0;
for ( local4 = 0x0 ; local4 < 0x5 ; local4 += 0x1 ) {
local8 = size_5_res + 0x1;
local5 = local8 & 0x1f;
size_5_res = local5;
}
freeUntil(mrk);
return size_5_res;
}
Optimizing the C code?
We found out
Not much, the documentation didn’t even address this specifically
Infinite streams take a heavy toll on performance (it figures... besides, an implementation isn’t supposed to have these)
But!
Hand-made implementation wasn’t much better
We aren’t done with this yet, it’s just that other stuff grabbed our attention
SBV Mode - useful commands
Usage
:set sbv
Safety checks
:safe <expression>
Quickcheck
:check <expression>
Theorem prover
:prove <expression>
Satisfiability
:sat <expression>
Safety checks
Statically catches
Index out-of-bounds;
Division/modulus by 0;
...and more!
Safe programs really don’t crash!
Safety checking I
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup(xs, i) = xs @ i;
Example
lookup> :set sbv
lookup> :safe lookup
"lookup" is safe; no safety violations exist.
Safety checking II
lookup2.cry
lookup2 : ([4], [3]) -> Bit;
lookup2(xs, i) = xs @ i;
Example
lookup2> :safe lookup2
*** 1 safety condition to be checked.
*** Violation detected:
lookup (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of bounds (valid range is 0 thru 3).
*** 1 problem found.
Safety checking III
lookup3.cry
lookup3 : ([4], [3]) -> Bit;
lookup3 (xs, i) = if i >= 3 then False else xs @ i;
Example
lookup3> :safe lookup3
*** 1 safety condition to be checked.
*** Verified safe.
*** All safety checks pass, safe to execute.
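A brute-force stand-in for the three :safe runs above, written for this page as an added example (it is not code from the slides or from Cryptol): because every [n] argument ranges over exactly 2^n values, the safety of lookup, lookup2 and lookup3 can be decided by trying every input. The names at, word_to_seq and safe, and the use of enumeration in place of the tool’s symbolic bit-vector solver, are this example’s own assumptions.

```python
from itertools import product


class SafetyViolation(Exception):
    """Raised when an index falls outside a finite sequence."""


def at(xs, i):
    """Cryptol's `xs @ i` with the check that GETBIT_CHECKED adds in the C backend."""
    if not 0 <= i < len(xs):
        raise SafetyViolation(
            f"index of {i} is out of bounds (valid range is 0 thru {len(xs) - 1})")
    return xs[i]


def word_to_seq(w, n):
    """Unpack the n-bit word w into n bits, index 0 = least significant (:set -B)."""
    return [(w >> k) & 1 for k in range(n)]


# lookup : ([4], [2]) -> Bit;   a 2-bit index is 0..3, always inside a 4-bit sequence
def lookup(xs, i):
    return at(word_to_seq(xs, 4), i)


# lookup2 : ([4], [3]) -> Bit;  a 3-bit index is 0..7, so 4..7 fall out of bounds
def lookup2(xs, i):
    return at(word_to_seq(xs, 4), i)


# lookup3 : ([4], [3]) -> Bit;  the guard rules the unsafe indices out
def lookup3(xs, i):
    return False if i >= 3 else at(word_to_seq(xs, 4), i)


def safe(fn, *widths):
    """Constructed stand-in for :safe over finite [n] arguments: try every input.

    Returns None when no input raises (the function is safe), otherwise the
    first violating input together with a tool-style message."""
    for args in product(*(range(1 << w) for w in widths)):
        try:
            fn(*args)
        except SafetyViolation as e:
            return args, str(e)
    return None
```

Enumeration is only a substitute for small domains; the point it makes is that a safety check is a decision over every possible input, which is why the tool reasons symbolically instead.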
Quickcheck
The :check command
Cryptol’s implementation of Quickcheck
Consists in randomly generating test-cases and running property definitions on these
Validity of theorems
Quickchecking theorems
Plaintext ⇔ Decrypt . Encrypt
theorem EncDec: {pt k i}. pt == decrypt(encrypt(pt, k, i), k, i);
Example
Cryptol> :set quickCheckCount=100
Cryptol> :load SNOW_3G_v0.93.cry
Loading "SNOW_3G_v0.93.cry".. Checking types.. Processing.. Done!
*** Auto quickchecking 1 theorems.
*** Checking "EncDec" ["SNOW_3G_v0.93.cry", line 23, col 1]
Checking case 100 of 100 (100.00%)
100 tests passed OK
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
SNOW_3G_v0.93>
Test coverage
EncDec coverage
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
2^(128+128+128) different cases = the insane number above
Theorems are boolean functions!
In First Order Logic
∀x : 2x ⇔ x + x
In Cryptol
double : [8] -> Bit;
theorem double: {x}. 2*x == x+x;
Example
double> :prove double
Q.E.D.
The :prove command
Shows they’re equivalent to the constant function that always returns True
Finds counter-examples
Counter-example
FG.cry
f, g : [8] -> [8];
f x = (x-1)*(x+1);
g x = x*x + 1;
theorem FG: {x}. f x == g x;
Example
FG> :prove FG
*** Proving "FG" ["FG.cry", line 5, col 1]
Falsifiable.
FG 0 = False
Satisfiability
Definition
Determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to True.
FH.cry
f, h : [8] -> [8];
f x = (x-1)*(x+1);
h x = x*x - 1;
theorem FH: {x}. f x == h x;
Example
FH> :sat FH
FH 0 = True
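The :prove, :sat and :check commands modelled over the slides’ f, g, h, FG, FH and double definitions, as an added example that is not taken from the slides or from Cryptol itself: it decides each theorem by enumerating all 256 values of an [8] word (the tool uses a symbolic bit-vector solver; enumeration is a constructed substitute), and domain_size shows where the 3940200619639447921227904010014... denominator in the EncDec coverage line comes from. The function names prove, sat, check and domain_size are this example’s own.

```python
import random

MASK8 = 0xFF  # [8] arithmetic wraps mod 2^8


def f(x):
    return ((x - 1) * (x + 1)) & MASK8   # f x = (x-1)*(x+1)


def g(x):
    return (x * x + 1) & MASK8           # g x = x*x + 1


def h(x):
    return (x * x - 1) & MASK8           # h x = x*x - 1


# Theorems are boolean functions: each takes an [8] and returns a Bit.
def FG(x):
    return f(x) == g(x)


def FH(x):
    return f(x) == h(x)


def double(x):
    return ((2 * x) & MASK8) == ((x + x) & MASK8)


def prove(thm, width=8):
    """Stand-in for :prove -- None means Q.E.D.; otherwise the first falsifying input."""
    return next((x for x in range(1 << width) if not thm(x)), None)


def sat(thm, width=8):
    """Stand-in for :sat -- the first input that makes the theorem True, or None."""
    return next((x for x in range(1 << width) if thm(x)), None)


def check(thm, width=8, count=100, seed=0):
    """Stand-in for :check -- count random cases; returns (all passed, cases, domain size)."""
    rng = random.Random(seed)
    passed = all(thm(rng.randrange(1 << width)) for _ in range(count))
    return passed, count, 1 << width


def domain_size(*widths):
    """Number of cases a theorem over words of these widths has; EncDec's is 2^(128+128+128)."""
    return 1 << sum(widths)
```

Because (x-1)(x+1) = x^2 - 1 holds in every ring, FH proves for all 256 inputs while FG, which would need 1 == -1 mod 256, has no satisfying input at all.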
Overview of formal methods subset
Highs:
Fully automated ⇒ it’s a "push button" package
If not automated, there’s manual ⇒ Isabelle/HOL translation (:isabelle)
Fast enough
Lows:
Doesn’t cover the entire Cryptol language:
Finiteness restriction ⇒ incapable of induction
Monomorphic restriction
First order restriction (not really a problem, can be rewritten)
Symbolic termination ⇒ can’t use recursive functions (again not really a problem, use recursive streams instead)
Conclusions
Cryptol provides a vast and truly useful toolset for cryptographers
Formal methods are "free" in Cryptol ⇒ No need to learn an external language or tool
Coming up!
Field-programmable gate arrays!
VHDL!
Space-time tradeoffs!
Stay tuned!
Acknowledgments
A special thanks to Mr. Levent for his patience.
We also ripped off some ideas from his papers about Cryptol for this presentation!
Questions
?