CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives
Author(s)
Kuepper, Joel; Erbsen, Andres; Gross, Jason; Conoly, Owen; Sun, Chuyue; Tian, Samuel; Wu, David; Chlipala, Adam; Chuengsatiansup, Chitchanok; Genkin, Daniel; Wagner, Markus; Yarom, Yuval; ...
Download: 3591272.pdf (357.8Kb)
Publisher with Creative Commons License
Creative Commons Attribution
Abstract
Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1 for the Intel 12th and 13th generations.
Date issued
2023-06-06
Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory
Journal
Proceedings of the ACM on Programming Languages
Publisher
ACM
Citation
Kuepper, Joel, Erbsen, Andres, Gross, Jason, Conoly, Owen, Sun, Chuyue et al. 2023. "CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives." Proceedings of the ACM on Programming Languages, 7 (PLDI).
Version: Final published version
ISSN
2475-1421