Abstract
Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1 for the Intel 12th and 13th generations.
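The two halves of the pipeline the abstract describes, randomized search over candidate programs and translation validation of each candidate against the original, can be seen in miniature in the following added example. It is illustrative code written for this page, not CryptOpt's own implementation (which emits real x86-64 and is verified in Coq): the straight-line IR with 64-bit registers, the instruction cost table (a stand-in for the on-CPU benchmarking CryptOpt does), the two mutation kinds, and the small canonicalizing symbolic-execution checker are all assumptions made here. The checker is sound but deliberately incomplete, mirroring the "modest subset of SMT features" the abstract mentions, and every accepted candidate is validated against the reference program rather than the previous candidate, so search steps cannot accumulate drift.

```python
import random
from typing import Dict, List, Tuple, Union

MASK = (1 << 64) - 1
# An instruction is (op, dst, src): two-operand x86 style, dst = dst op src,
# where src is a register name or an immediate. "mov" copies src into dst.
Instr = Tuple[str, str, Union[str, int]]
Prog = List[Instr]

# Assumed cost model, constructed for this example; CryptOpt benchmarks each
# candidate on the real target CPU instead of using a static table.
COST = {"mov": 1, "add": 1, "sub": 1, "xor": 1, "shl": 1, "mul": 3}


def run_concrete(prog: Prog, env: Dict[str, int]) -> Dict[str, int]:
    """Execute with 64-bit wraparound; the shift count is masked to 6 bits as on x86."""
    regs = dict(env)
    for op, dst, src in prog:
        a = regs.get(dst, 0)
        b = regs[src] if isinstance(src, str) else src
        r = {"mov": b, "add": a + b, "sub": a - b, "xor": a ^ b,
             "shl": a << (b & 63), "mul": a * b}[op]
        regs[dst] = r & MASK
    return regs


def canon(e):
    """Canonical form of a symbolic expression. Equal forms imply equal values on
    every input; the converse is not guaranteed (sound but incomplete)."""
    if e[0] in ("var", "const"):
        return e
    op, x, y = e[0], canon(e[1]), canon(e[2])
    if x[0] == "const" and y[0] == "const":            # constant folding
        return ("const", run_concrete([(op, "t", y[1])], {"t": x[1]})["t"])
    if op == "add" and x == y:                          # x + x   ==  x * 2
        op, y = "mul", ("const", 2)
    if op == "shl" and y[0] == "const" and y[1] < 64:   # x << k  ==  x * 2^k
        op, y = "mul", ("const", (1 << y[1]) & MASK)
    if op in ("add", "mul", "xor"):                     # commutativity: order operands
        x, y = sorted((x, y), key=repr)
    return (op, x, y)


def run_symbolic(prog: Prog, inputs: List[str]):
    """Symbolic execution: each register ends up holding a canonical expression."""
    regs = {r: ("var", r) for r in inputs}
    for op, dst, src in prog:
        b = regs[src] if isinstance(src, str) else ("const", src & MASK)
        regs[dst] = b if op == "mov" else canon((op, regs[dst], b))
    return regs


def equivalent(cand: Prog, ref: Prog, inputs, outputs, trials=64) -> bool:
    """Translation validation: random tests reject most wrong candidates cheaply,
    then identical canonical symbolic outputs establish equivalence."""
    for _ in range(trials):
        env = {r: random.getrandbits(64) for r in inputs}
        a, b = run_concrete(cand, env), run_concrete(ref, env)
        if any(a[o] != b[o] for o in outputs):
            return False
    s1, s2 = run_symbolic(cand, inputs), run_symbolic(ref, inputs)
    return all(s1[o] == s2[o] for o in outputs)


def regs_read(ins: Instr) -> set:
    op, dst, src = ins
    return ({src} if isinstance(src, str) else set()) | ({dst} if op != "mov" else set())


def independent(i: Instr, j: Instr) -> bool:
    """Adjacent instructions may be swapped if neither touches what the other writes."""
    return not ({i[1]} & (regs_read(j) | {j[1]})) and not ({j[1]} & regs_read(i))


def mutate(prog: Prog, rng: random.Random) -> Prog:
    """One random rewrite: reschedule two independent neighbours, or strength-reduce
    a multiplication by a power of two into a shift."""
    prog = list(prog)
    k = rng.randrange(len(prog))
    op, dst, src = prog[k]
    if rng.random() < 0.5 and k + 1 < len(prog) and independent(prog[k], prog[k + 1]):
        prog[k], prog[k + 1] = prog[k + 1], prog[k]
    elif op == "mul" and isinstance(src, int) and src > 0 and (src & (src - 1)) == 0:
        prog[k] = ("shl", dst, src.bit_length() - 1)
    return prog


def cost(prog: Prog) -> int:
    return sum(COST[op] for op, _, _ in prog)


def optimize(ref: Prog, inputs, outputs, steps=500, seed=1) -> Prog:
    """Hill-climb over candidates; each accepted candidate is checked against the
    original reference program, never against the previous candidate."""
    rng = random.Random(seed)
    best = list(ref)
    for _ in range(steps):
        cand = mutate(best, rng)
        if cost(cand) <= cost(best) and equivalent(cand, ref, inputs, outputs):
            best = cand
    return best


# Constructed reference program: r0 = 4a + 8b, r1 = (8b) xor a.
INPUTS, OUTPUTS = ["a", "b"], ["r0", "r1"]
PROG: Prog = [("mov", "r0", "a"), ("mul", "r0", 4), ("mov", "r1", "b"),
              ("mul", "r1", 8), ("add", "r0", "r1"), ("xor", "r1", "a")]

if __name__ == "__main__":
    best = optimize(PROG, INPUTS, OUTPUTS)
    print(cost(PROG), "->", cost(best), best)
```

Running the script takes the reference program from cost 10 to cost 6 by turning both multiplications into shifts, and the symbolic checker proves each step because `x * 2^k`, `x << k` and `x + x` all canonicalize to the same expression. The checker rejects `(a + b) - b` against `a`, although they are equal, because no rule relates them; that is the price of a small, easily verified rule set, and it is why CryptOpt pairs a richer (but still bounded) checker with a search that simply discards candidates it cannot prove.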