Compiling CAO: From Cryptographic Specifications to C Implementations
Transcript of Compiling CAO: From Cryptographic Specifications to C Implementations
Compiling CAO: from Cryptographic Specifications to C Implementations
Manuel Barbosa, David Castro, Paulo Silva
HASLab/INESC TEC, Universidade do Minho
Braga, Portugal
April 8, 2014, Grenoble
Motivation
⟩ Developing cryptographic software is challenging
⟩ Performance is usually critical
⟩ Many implementations are done directly in assembly
⟩ Aggressive optimizations must not change the semantics
⟩ Error prone and time consuming
Manuel Barbosa, David Castro, Paulo Silva 1/14
CAO Language
⟩ Started in the CACE project (FP7) in collaboration with Univ. Bristol
⟩ Domain specific language for core cryptographic components
  ⟩ Hash functions, authentication algorithms, signatures, ...
⟩ High level features closer to standards
⟩ Supported by a tool chain to assist development
CAO Language
⟩ Main design goals:
  ⟩ Flexible and configurable for a wide range of platforms (machine architecture + operating system + compiler + extra libraries)
  ⟩ Incorporate domain specific optimizations early in the compilation process
  ⟩ Oriented to the implementation of cryptographic APIs
CAO Features
⟩ Call by value semantics
⟩ No input/output support
⟩ No language construct to dynamically allocate memory
⟩ Highly expressive native types and operators
CAO Types
⟩ Booleans
```
def b1 : bool;
def b2 : bool := true;
```
⟩ Integers (arbitrary precision)
```
def i1 : int;
def i2 : int := 10;
```
⟩ Machine integers
```
def ri1 : register int;
def ri2 : register int := 1;
```
⟩ Bit strings
```
def ubs1 : unsigned bits [32];
def ubs2 : unsigned bits [4] := 0b0101;
def sbs1 : signed bits [16];
def sbs2 : signed bits [8] := 1b01010010;
```
CAO Types (cont.)
⟩ Rings or fields defined by an integer
```
def mo1 : mod [5];
def mo2 : mod [2] := [1];
```
⟩ Extension fields defined by a type and a polynomial
```
def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ];
def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y + 1];
```
⟩ Vectors
```
def v1 : vector [10] of register int;
def v2 : vector [4] of unsigned bits [2] := { 0b00, 0b01, 0b10, 0b11 };
```
⟩ Matrices
```
def m1 : matrix [2, 3] of int;
def m2 : matrix [2, 2] of mod [2] := { [1], [0], [0], [1] };
```
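The extension-field initialiser on this slide can be checked by hand: below is an added Python model (not code from the slides or from the CAO compiler) of the arithmetic that CAO's `mod [p]` and `mod[ mod [p] <X> / f(X) ]` types denote, used to evaluate `mp2`'s initialiser `[5*Y + 2] * [7*Y + 1]` in `mod[ mod [11] <Y> / Y**2 + 1 ]` and the reduction of `X**7` in `mp1`'s field. All function and constant names are assumptions made for the example.

```python
# Added example, not from the slides or the CAO compiler: a Python model of the
# arithmetic behind CAO's mod[p] and mod[ mod[p]<X> / f(X) ] types.
# Polynomials are coefficient lists, lowest degree first, coefficients in mod[p].

# mod[ mod[2]<X> / X**7 + X**3 + 1 ]  (mp1 on the slide): 1 + X**3 + X**7
GF2_7_MODULUS = [1, 0, 0, 1, 0, 0, 0, 1]
# mod[ mod[11]<Y> / Y**2 + 1 ]        (mp2 on the slide): 1 + Y**2
GF11_2_MODULUS = [1, 0, 1]


def poly_mulmod(a, b, modulus, p):
    """Product of a and b in mod[p][X], reduced modulo the monic polynomial
    `modulus`; returns exactly deg(modulus) coefficients."""
    d = len(modulus) - 1
    assert modulus[d] % p == 1, "quotient polynomial must be monic"
    # Schoolbook product with coefficients reduced mod p.
    prod = [0] * max(len(a) + len(b) - 1, d)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    # Reduce from the top: each X**k with k >= d is rewritten via
    # X**d = -(lower terms of modulus), one coefficient at a time.
    for k in range(len(prod) - 1, d - 1, -1):
        c = prod[k]
        if c:
            for t in range(d + 1):
                prod[k - d + t] = (prod[k - d + t] - c * modulus[t]) % p
    return prod[:d]


def cao_literal(coeffs, var):
    """Render coefficients the way a CAO literal is written, e.g. [8*Y]."""
    terms = []
    for k in range(len(coeffs) - 1, -1, -1):
        c = coeffs[k]
        if c == 0:
            continue
        terms.append(str(c) if k == 0 else f"{c}*{var}" if k == 1 else f"{c}*{var}**{k}")
    return "[" + (" + ".join(terms) if terms else "0") + "]"


def mp2():
    """Value of the slide's initialiser [5*Y + 2] * [7*Y + 1] in mp2's field."""
    return poly_mulmod([2, 5], [1, 7], GF11_2_MODULUS, 11)


def gf2_7_times_x(a):
    """Multiply an element of mp1's field by X, e.g. X**6 * X = X**7 = X**3 + 1."""
    return poly_mulmod(a, [0, 1], GF2_7_MODULUS, 2)


if __name__ == "__main__":
    print("mp2 =", cao_literal(mp2(), "Y"))  # [8*Y]
    print("X**7 =", cao_literal(gf2_7_times_x([0, 0, 0, 0, 0, 0, 1]), "X"))  # [1*X**3 + 1]
```

The 35*Y**2 term of the product becomes -35, so the constant coefficient 2 + 14 - 35 = -19 vanishes modulo 11 and only 8*Y survives.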
Simple Example: Bubble Sort
```
typedef int_vector := vector [10] of int;

def bubble_sort(v : int_vector) : int_vector {
  def temp : int;
  seq i := 8 to 0 by -1 {
    seq j := 0 to i {
      if (v[j] > v[j+1]) {
        temp := v[j];
        v[j] := v[j+1];
        v[j+1] := temp;
      }
    }
  }
  return v;
}
```
Simple Example: Bubble Sort
```
def bubble_sort(const n : register int {1 < n}, v : vector [n] of int) : vector [n] of int {
  def temp : int;
  seq i := n - 2 to 0 by -1 {
    seq j := 0 to i {
      if (v[j] > v[j+1]) {
        temp := v[j];
        v[j] := v[j+1];
        v[j+1] := temp;
      }
    }
  }
  return v;
}
```
Complete Algorithm: SHA1
⟩ (example sha1.cao)
Exploring Intermediate CAO Code
⟩ Source to source transformations
⟩ (demo)
Platform Specification
⟩ (demo)
Using the Generated Code
⟩ (demo)
Protection Against Side-channel Attacks
⟩ Popular countermeasure against side-channel attacks
⟩ Indistinguishable functions:
  ⟩ Vulnerable functions execute the same sequence of native CAO operations
⟩ (demo)
Conclusions
⟩ The code of the compiler is reasonably stable
⟩ The source code is available from the Hackage repository: http://hackage.haskell.org/package/cao
⟩ Future work:
  ⟩ Improve efficiency of the generated code (more aggressive optimizations are possible)
  ⟩ Additional protection countermeasures against side-channel attacks
  ⟩ Provide support for other platforms (ongoing work for ARM architecture)
  ⟩ Provide additional guarantees when compiling C using CompCert (ongoing work)