Simple High-Level Code For Cryptographic Arithmetic With Proofs, Without Compromises

Author(s)
Erbsen, Andres; Philipoom, Jade D.; Gross, Jason S.; Sloan, Robert Hal; Chlipala, Adam
Open Access Policy
Terms of use
Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/
Abstract
We introduce an unusual approach for implementing cryptographic arithmetic in short high-level code with machine-checked proofs of functional correctness. We further demonstrate that simple partial evaluation is sufficient to transform such initial code into highly competitive C code, breaking the decades-old pattern that the only fast implementations are those whose instruction-level steps were written out by hand. These techniques were used to build an elliptic-curve library that achieves competitive performance for a wide range of prime fields and multiple CPU architectures, showing that implementation and proof effort scales with the number and complexity of conceptually different algorithms, not their use cases. As one outcome, we present the first verified high-performance implementation of P-256, the most widely used elliptic curve. Implementations from our library were included in BoringSSL to replace existing specialized code, for inclusion in several large deployments for Chrome, Android, and CloudFlare. This is an abridged version of the full paper originally presented in IEEE S&P 2019 [10]. We have omitted most proof-engineering details in favor of a focus on the system's functional capabilities.
Date issued
2020-07
URI
https://hdl.handle.net/1721.1/131080
Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Journal
ACM SIGOPS Operating Systems Review
Publisher
Association for Computing Machinery (ACM)
Citation
Erbsen, Andres et al. "Simple High-Level Code For Cryptographic Arithmetic With Proofs, Without Compromises." ACM SIGOPS Operating Systems Review 54, 1 (July 2020): 23-30. © 2020 Author(s).
Version: Author's final manuscript
ISSN
0163-5980