coq-club AT inria.fr

Subject: The Coq mailing list

List archive

[Coq-Club] [ANN] Coq-generated crypto code in Chrome

From: Adam Chlipala <adamc AT csail.mit.edu>
To: coq-club <coq-club AT inria.fr>
Subject: [Coq-Club] [ANN] Coq-generated crypto code in Chrome
Date: Sun, 15 Jul 2018 10:04:13 -0400
Authentication-results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=adamc AT csail.mit.edu; spf=Pass smtp.mailfrom=adamc AT csail.mit.edu; spf=None smtp.helo=postmaster AT outgoing-stata.csail.mit.edu
Ironport-phdr: 9a23:cPzHIBJJ1zXIDj8uedmcpTZWNBhigK39O0sv0rFitYgeIvrxwZ3uMQTl6Ol3ixeRBMOHs6wC07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9JDffwRFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QLYpUjqg8qhrUgflhicaOTAn82/ZhMJ/g61Hrx+6vRNz35TZbZuJOPdwfK7Qe84RS2pbXsZWUixMGp+xYJYVAOoEIO1VsYn9p18PrRumHwasAPngwSJPi3DswKI1yeEhHh3d0QM8BNIBqnXUrNHvOKcXUOC10LPEwiveYPNLwDrw7pXDfB4mofGJR71wcMzRxFE1GAPDk1qQs5LqPyiP2uQWs2mb9PZgWvyqi248sw1xrTmvxtssionUnY0Z0EzL9SJ8wIotIN24T1N0YcK+HJtRsCGWL5d5QsMmQ2FpoCY10LkGtoShcCgM1psn2wbTa/mAc4mJ4xLjUOKRLi1iiHJiYrK/iA6+8U2hyu3gTMW7zktFrjdDn9LRtX4NzwTe5tWZRvZ+5Eus1yqD2xrN5u1eP0w4iLbXJ4Yjz7ItjJYfr0rOEyHslEnrjKKbdF8o9va15+npZLjtu4WSOJVuig7kN6Qjgsy/Dvo8MggJR2Wb/vm81KHs/U3+QbVKiPI2nrDCsJDGP8sburS2DxVJ3YY48Rm/DjOm3M4dnXkGMFJJYgyIgJX0O13WIfD4C+mwg0i0nTt22fzLPaftD5vRInTZjrvtZ6hx51NAxAYryNBQ/ZNUCrUPIPLpXU/xscTVAQUkPAOuxuboFM5w2Z8FWW2VA6+ZNLnesVqJ5uIzOeWDepIauCvlJ/g/+/HulWM5mUMafaSxwZQXb2m4Eu16LEWdfHrjmcwMEXwKvwo7VOzlkkeOUT9VZ3aoXqIz/Cs3CIy8DdSLeof4i7uYmSy/A5ceMmtBExWHFWriX4SCQfYFLiyIdJxPiDsBAJGtQopp/hGqtRfzz7MveuPY8ygTnZn43dlxoejSiVc/+SEiXJfV6H2EU2whxjBAfDQxxq0q+RUsmGfG6rBxhrljLfIW4vpIVgkgMpuFkr5xENnzXkTEf8vPRVq7EIz/XWMBC+kpytpLWH5TXs24h0mejSGxCr4R0bmKGNo5/r+OhyGsdfY48G7P0ewat3djQsZLMjb+1Kli6wfUBojG1l6FnrqjM68H1S/JsmKC0SyDsFwKCAM=

I'm writing to share a bit of progress in real-world use of Coq, which I hope will be helpful to anyone who needs to make a case for the value of the Coq system or specific uses of it. Much more detail is found in our upcoming paper on the project.

Background: cryptography is an interesting area for algorithmic challenges because we need crucial operations to be fast for legitimate participants and slow for bad guys who don't know the right secrets. Some of the most widely used algorithms are quite challenging to implement efficiently on commodity processors. Elliptic curves are one of the most popular approaches to public-key crypto today, and practice there has been to rewrite the code from scratch in assembly (or C, if we're lucky), not just for every interestingly different hardware family, but also for every different set of numeric parameters. Yes, it really has been traditional to rewrite the code from scratch when you change the one large prime number used as modulus of arithmetic.

With our Fiat Cryptography project, we show how the important algorithms can be written as Gallina programs, such that their partial evaluation to specific parameters gives us performance-competitive low-level code. And, of course, we prove the crypto algorithms and the compilation phases in Coq.

This code-generation pipeline is now used for Google's BoringSSL library, to generate the finite-field arithmetic for the two most widely used elliptic curves, P-256 and Curve25519. BoringSSL is used in a few high-profile places, most notably the Chrome browser. As a result, a back-of-the-envelope market-share calculation suggests that about half of all HTTPS connections from browsers worldwide now use our correct-by-construction field arithmetic, generated and proved with Coq. Probably many of you saw the earlier news about inclusion in Firefox of handwritten code verified with F*, which handles some of the same parts of TLS; so formal verification is really making some inroads in this area, where security bugs are genuinely scary.

Most of the work on this project was done by the student team members, all of whom have spent some time working on it at Google by now. Following the author order from the paper: they are Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan.

[Coq-Club] [ANN] Coq-generated crypto code in Chrome, Adam Chlipala, 07/15/2018