Entries in Cryptography (14)

Monday
Apr112011

Galois to Help DARPA PROCEED to Change the Game

AuthorGalois, Inc. | DateMonday, April 11, 2011 at 11:42AM | in , , ,

Portland, OR (April 11, 2011) - The Defense Advanced Research Projects Agency (DARPA) has awarded up to $4.7M to Galois, Inc., as research integrator for the PROCEED program (Programming Computation on Encrypted Data) whose goal is to make it feasible to execute programs on encrypted data without having to decrypt the data first. 

DARPA Program Manager Dr. Drew Dean has assembled a diverse group of researchers on PROCEED with the challenging goal of making fundamental progress in the science and mathematics of computing on encrypted data, while at the same time increasing the efficiency of implementations of the new techniques by several orders of magnitude. The researchers are working at many different levels of abstraction: on the design of programming languages that support encrypted data; on building efficient libraries of operations over encrypted data structures; on compilation techniques that exploit programmable hardware; and on fundamental breakthroughs in the cryptographic approach itself. 

Over the next four years, Galois will draw the many threads of research together into a coherent whole. Galois brings extensive existing infrastructure and technological support for multi-use cryptography compilation and analysis, and a decade of experience supporting and connecting cryptographers in research, government, and industry. 

To meet the critical technical challenge of a shared technical infrastructure, Galois offers the Cryptol® tool suite, leveraging the existing framework for specifying, designing, implementing, and verifying cryptographic algorithms for a variety of hardware and software platforms. The toolset will be extended to showcase the breakthroughs in homomorphic encryption produced across the PROCEED research team. 

About Galois: Galois (http://www.galois.com/) was founded in 1999 to provide a unique R&D capability for government and commercial clients. Galois applies revolutionary mathematical, computer science and engineering approaches to solve critical problems in software security, safety, privacy and performance. Galois has been instrumental in bringing cutting edge research into practice for the DoD, DoE, Intelligence, pharmaceutical and aerospace communities. 

Contact: Leah Daniels leah@galois.com 503/808-7152 

Approved for Public Release, Distribution Unlimited

 

Monday
Oct252010

Cryptol course: High assurance Cryptographic Development using the Cryptol workbench

AuthorGalois, Inc. | DateMonday, October 25, 2010 at 5:38PM | in , , , ,

Galois is offering a four‐day Cryptol course for those interested in exploring the capabilities of the Cryptol workbench.The course is highly participatory: we will work on a series of exercises for each new topic, using the Cryptol toolset interactively. Prospective participants should have experience writing programs and some knowledge of cryptography. Those who complete the course will have the skills necessary to develop high‐assurance, high‐performance cryptographic algorithms in Cryptol.A tentative outline and further information can be found in the course flyer.Interested parties should contact Dr. Sally Browning via e-mail at sally@galois.com, or call her at (503) 808 7151.

Click to read more ...

Thursday
Oct072010

Tech Talk: Application of Computer Algebra Techniques in Verification of Galois Field Multipliers: Potential + Challenges

AuthorGalois, Inc. | DateThursday, October 7, 2010 at 1:57PM | in , ,

Galois is pleased to host the following tech talk. These talks are open to the interested public. Please join us!

title:
Application of Computer Algebra Techniques in Verification of Galois Field Multipliers: Potential + Challenges
speaker:
Priyank Kalla
time:
10:30am, Tuesday 12 October 2010
location:
Galois Inc.421 SW 6th Ave. Suite 300, Portland, OR, USA(3rd floor of the Commonwealth building)
abstract:
Applications in Cryptography require multiplication and exponentiation operations to be performed over Galois fields GF(2^k). Therefore, there has been quite an interest in the hardware design and optimization of such multipliers. This has led to impressive advancements in this area -- such as the use of composite field decomposition techniques, use of Montgomery multiplication, among others.My research group has recently begun investigations in the verification of such Galois Field multipliers. Unfortunately, the word-length (k) in such multipliers can be very large: typically, k = 256. Due to such large word-lengths, verification techniques based on decision diagrams, SAT and contemporary SMT solvers are infeasible. We are exploring the use of Computer Algebra techniques, mainly Groebner bases theory, to tackle this problem. In this talk, we will see why Groebner bases techniques look promising, while at the same time also studying the challanges that have to be overcome.
bio:
Priyank Kalla recieved the Bachelors degree in Electronics engineering from Sardar Patel University in India in 1993; and Masters and PhD from University of Massachusetts Amherst in 1998 and 2002, respectively. Since 2002, he is a faculty member in the ECE Dept. at the Univ. of Utah. His research interests are in the general areas of Logic Synthesis and Design Verification. Over the past few years, he has been investigating the use of computer algebra techniques over finite integer rings (Z/mZ) and finite fields (GF(2^m)) for optimization and verification of arithmetic datapaths. He is a recepient of the NSF CAREER award and the ACM TODAES 2009 best paper award. For more information, visit http://www.ece.utah.edu/~kalla

Click to read more ...

Sunday
Apr112010

Solving n-Queens in Cryptol

AuthorGalois, Inc. | DateSunday, April 11, 2010 at 10:20PM | in , , , , ,

The eight queens puzzle asks how to place eight queens on a chess board such that none of them attacks any other. The problem easily generalizes to n queens, using an nxn board. In this post, we'll see how to solve the n-Queens puzzle in Cryptol, without lifting a finger!

Representing the board

It is easy to see that any solution to the n-Queens puzzle will have precisely one queen on each row and column of the board. Therefore, we can represent the solution as a sequence of n row numbers, corresponding to subsequent columns. For instance, the board pictured below (taken from the wikipedia page), can be represented by the sequence3  7  0  2  5  1  6  4recording the row of the queen appearing in each consecutive column, starting from the top-left position. (And yes, we always count from 0!)

Recognizing a valid solution

Let us start by asking a simpler question. How can we recognize that a given sequence of n row indices constitute a valid solution? We have to verify that the followings hold:
  • The numbers must be between 0 and n-1. (Sanity checking.)
  • The numbers should not be duplicated. (Ensures that there is exactly one queen per row.)
  • For any pair of numbers in the sequence, their row-value difference should be different than their column-value difference. (Ensures that there are no diagonal conflicts.)
The first two conditions are fairly trivial. The last one simply says that if two queens are positioned such that their vertical and horizontal displacements are the same, then they are on the same diagonal: A situation we must avoid for all pairs of queens given.

Writing a Cryptol predicate

Having described how we will recognize an alleged solution, let us now consider how we can code this in Cryptol.First, we will need a helper function that applies a given predicate to all the elements of a sequence and returns True if all elements satisfy the predicate. Naturally, we call this function all:
 all : {n a} (fin n) => (a -> Bit,[n]a) -> Bit;all (f, xs) = [|f x || x <- xs|] == ~zero;
The type of this function is worth spending a few moments looking at, as it demonstrates some crucial aspects of  Cryptol's type system that sets it apart from other languages. In particular, it says that the function all takes a sequence of n elements, each of some arbitrary size a. However, it also restricts n to be  finite, i.e., the type system will complain if you pass all an infinite sequence. Then, we apply the predicate f to each element in the sequence, and check that the result consists of all True bits. (The polymorphic Cryptol value zero represents a value with an arbitrary shape with all bits set to False. The complement operator (~) flips all those bits to True.)The second utility function we will need is a predicate that checks whether the elements of a given sequence are all distinct:
 distinct : {a b} (fin a,fin b) => [a]b -> Bit;distinct xs = diff == ~zerowhere {n = width xs;diff = [|check (x, i)|| x <- xs|| i <- [0 .. (n-1)]|];check (x, start) = walk (start + 1)where walk cur =if cur == nthen Trueelse if xs @ cur == xthen Falseelse walk (cur + 1);};
The function distinct is fairly simple: For each element in the sequence, it walk's through the rest to make sure that none of the remaining elements are the same as that particular element. Note how Cryptol's width function allows us to determine the size of the input sequence, and recurse properly.Having done the heavy-lifting above, we can now write the predicate that recognizes a valid n-Queens solution in Cryptol:
type Solution(n) = [n][1+width n] -> Bit;nQueens : {n} (fin n) => Solution(n);nQueens qs = all(inRange, qs)& distinct qs& all(checkDiag, ijs)where {n = width qs;inRange x = x < n;ijs = [| (i, j) || i <- [0 .. n-1], j <- [0 .. n-1] |];checkDiag (i, j) =(i >= j) | (diffR != diffC)where { qi = qs @ i;qj = qs @ j;diffR = if qi >= qjthen qi-qjelse qj-qi;diffC = j - i;};};
The nQueens function simply executes our checks as we described above. It first makes sure that all the elements are inRange. (Note that we do not have to check for negative numbers since all Cryptol numbers are non-negative.) Then, we check that all the elements are distinct. Following this, we generate the pairs of indices ijs, and call checkDiag on all these pairs to make sure that the row and column differences do not match.We can test this function in Cryptol, by providing sample input:
 NQueens> nQueens [3 7 0 2 5 1 6 4]TrueNQueens> nQueens [3 7 0 2 5 6 1 4]False
In the second example, I swapped the elements 1 and 6; effectively putting the 6th queen on row 6 and the 7th on row 1. This creates a diagonal conflict  as the reader can easily verify.

Solving n-Queens

It appears that all we have done so far is to write a Cryptol program to recognize whether a given solution to the n-Queens problem is valid. But, how do we actually solve the puzzle?Remember that I promised to solve n-Queens without lifting a finger, and this is where Cryptol's formal methods based tools come into the picture. Given any predicate (like nQueens above), Cryptol can find inputs that will satisfy it automatically, at the push of a button! (We have briefly described how this works in our previous post on Sudoku, so I shall not go into any details. Suffice it to say that one can exploit modern SAT/SMT solvers to generate automatic solvers for validity problems, and Cryptol provides just the right framework for doing so.)Without further ado, here is how we solve n-Queens in Cryptol, without writing any additional code on top of what we have already seen:
 NQueens> :set sbvNQueens> :set base=10NQueens> :sat nQueens : Solution(8)(nQueens : Solution(8)) [2 7 3 6 0 5 1 4]= True
The first command puts Cryptol in the sbv mode, which allows for the use of SAT/SMT solvers. The second command tells Cryptol to print results in base 10. Finally, the :sat command finds satisfying assignments for predicates. The type-signature on the :sat command indicates that we are interested in solutions for 8-queens, for which we are given a solution almost instantaneously!If you look at the wiki-page for n-queens, you will see that they claim there is always a solution when n=1 and n>=4. We can indeed verify that there are no solutions when n is 2 or 3, using Cryptol:
NQueens> :sat nQueens : Solution(2)No variable assignment satisfies this functionNQueens> :sat nQueens : Solution(3)No variable assignment satisfies this function
While these two properties are easy to see, it's quite valuable to get independent verification!In practice..We would be remiss if we didn't mention some of the actual uses of the satisfiability checker in the Cryptol tool chain. The most important application is in verifying functional equivalence of two functions. If f and g are two functions, then they are functionally equivalent exactly when the predicate (\x -> f x != g x) is not satisfiable. (Conversely, if this predicate is satisfiable then the satisfying value is where f and g disagree, indicating a potential bug.) More importantly, f and g need not be both written in Cryptol. The toolchain allows performing equivalence checking between functions written in VHDL, C, and Java (with varying degrees of "seamless" integration!). Furthermore, this is also how we make sure our compiler produces correct code: The function g can be generated code, for instance in one of Cryptol's intermediate languages as we compile Cryptol to FPGA descriptions. In summary, we can check the equivalence of 3rd party code (generated or hand-written) against "gold" Cryptol specifications, increasing assurance in the correctness of crypto-implementations.DownloadYou can download the Cryptol solution for n-Queens. Cryptol licenses are also available free of charge at www.cryptol.net, although I should note that the SAT/SMT based backends are only available in the full-releases of Cryptol, which requires a simple form to be filled before downloading. Enjoy!

Click to read more ...

Monday
Aug242009

Substitution ciphers in Cryptol

AuthorGalois, Inc. | DateMonday, August 24, 2009 at 12:56PM | in , , ,

Substitution ciphers are one of the oldest encryption methods, dating back to at least the 15th century. In a substitution cipher, each character in the plain-text is simply "substituted" according to a predefined map. Decryption is simply the substitution in the reverse direction. Wikipedia has a nice description of these ciphers. Obviously, you wouldn't want your bank to use such a cipher when executing your web-based transactions! But they are fun to play around, especially when entertaining kids in hot summer days. In this post, we'll see how to code simple substitution ciphers in Cryptol, and go a step further and actually prove that our implementation is correct.

Preliminaries

The simplest form of substitution ciphers use a permutation of the input alphabet. That is, each letter in the input alphabet gets mapped to another in the same  alphabet. (Strictly speaking, input and output alphabets need not be the same, but nothing essential changes by making that assumption.) For instance, you might decide that your substitution will map 'a' to 'q', and 'b' to 'd', ..., etc., making sure no two letters are mapped to the same target. Once this mapping is agreed on, all you have to do to encrypt a given message is to map each character to the corresponding element according to your predefined mapping rules.Here's our Cryptol encoding of these ciphers. First, some preliminary declarations:
type Char = [8];type String(l) = [l]Char;type Table(n) = [n](Char, Char);
We'll simply assume that the input consist of "characters," each of which will be 8-bit quantities (i.e., numbers from 0 to 255). We will simply use ASCII encoding for normal English characters. This is captured by the Char type declaration above, which simply gives a convenient name for 8-bit wide words. The second type declaration captures sized-strings: For any given size l, the type String(l) represents a sequence of length l, containing 8-bit words. For instance, String(16) is the type of all sequences of length 16, containing numbers from 0 to 255 as elements. Finally a Table of size n is simply n-pairings of characters that form a substitution. Here's the example table we will use:
cipherTable : Table(28);cipherTable = [| (x, y) || x <- plain || y <- cipher |]where { plain = "abcdefghijklmnopqrstuvwxyz .";cipher = "oebxa.cdf hijklmnzpqtuvwrygs"};
Note that our table has 28 entries (the lower-case English alphabet, plus space and the dot). A simple Cryptol sequence-comprehension succinctly zips the sequences up, forming our example table.

Performing the substitution

Given a table and a character, the function subst returns the element that the table maps the character to:
subst : {n} (fin n) => (Table(n), Char) -> Char;subst (table, chr) = find 0where find i = if i == width tablethen '?'else if chr == chr' then codeelse find (i+1)where (chr', code) = table @ i;
To do the search, we simply start from index 0 and walk through the given table recursively, returning the mapped element if we have a match. If the given table does not have the corresponding element,  we simply return the character '?', which will indicate failure.  (Aside: Note how the predicate "fin n" ensures we're given a finite table, ensured by Cryptol's type-system. Haskell enthusiasts can gripe about receiving an infinite list when they didn't ask for one!)

Encryption and Decryption

Having defined subst, encryption and decryption are mere maps:
encrypt (table, msg) = [| subst (table, c) || c <- msg |];decrypt (table, msg) = [| subst (table', c) || c <- msg |]where table' = [| (y, x) || (x, y) <- table |];
where we simply swap the elements in the table for decryption.

Substitution in action

That's pretty much all there is to it for substitution ciphers. To illustrate, let us create specialized versions of encrypt and decrypt for our example table, together with some test data:
enc, dec : {l} String(l) -> String(l);enc msg = encrypt (cipherTable, msg);dec msg = decrypt (cipherTable, msg);plainText, cipherText, decodedText : String(51);plainText= "the quick brown fox jumped over the lazy black dog.";cipherText = enc plainText;decodedText = dec cipherText;
Here's Cryptol in action:
SubstCipher> :p plainTextthe quick brown fox jumped over the lazy black dog.SubstCipher> :p cipherTextqdagntfbhgezlvkg.lwg tjmaxgluazgqdagioyrgeiobhgxlcsSubstCipher> :p decodedTextthe quick brown fox jumped over the lazy black dog.
Volia! The secret is now safe, thanks to our substitution cipher.. (Note that we're using Cryptol's :p command which prints its argument as a string, as opposed to a sequence of 8-bit words.)

Correctness

Substitution ciphers are dead-simple, but it would be nice to have further assurance that our implementation is indeed correct. This is where Cryptol's verification tools come into play. Let us first try to write a simple theorem, stating that encryption followed by decryption does not alter the message:
theorem checkEncDec: {msg}.dec (enc msg) == (msg : String(16));
Note that we have restricted the theorem to messages of size 16 only, in order to create a  monomorphic theorem that Cryptol's verification engine can check/prove automatically. (While polymorphic theorems can be stated in Cryptol, they cannot be proven automatically.)Before attempting a proof, it's always good to get a quick-check evidence that we're on safe ground. Here's what happens when I try to quick-check the above theorem using Cryptol:
SubstCipher> :check checkEncDecChecking case 1 of 1000 (0.10%)Falsifiable.checkEncDec [0x15 0x3e 0xf2 0x4f 0x34 0xc4 0x69 0x5a0x64 0x9e 0xb0 0xe2 0x6f 0xf8 0x6a 0x4a]= False
Oops! Something went terribly wrong, Cryptol found a counter-example without even really trying. Let's use Cryptol's ":p" command to see what the counter-example really is:
SubstCipher> :p [0x15 0x3e 0xf2 0x4f 0x34 0xc4 0x69 0x5a0x64 0x9e 0xb0 0xe2 0x6f 0xf8 0x6a 0x4a]>?O4?iZd???o?jJ
Ah, it contains characters that we have not mapped! Since our input accepts any 8-bit word, all values from 0 to 255 are valid "characters." But we clearly have not mapped most of these to anything, causing Cryptol to rightfully reject our theorem!

Conditional theorems

What we need is a conditional theorem, one that has a hypothesis that says "for all good messages." That is, we need to consider only those messages that our cipher knows how to map. Here's a helper function to do just this:
all, any : {n a} (fin n) => (a -> Bit, [n]a) -> Bit;all (f, xs) = [| f x || x <- xs |] == ~zero;any (f, xs) = [| f x || x <- xs |] != zero;checkMessage (table, msg) = all (isMapped, msg)where isMapped c = any (\(c', _) -> c == c', table);
[Aside: Cryptol's polymorphic constant zero is simply the value that is False at every point. Thus, checking against its negation (~zero) ensures all the elements are True, and checking inequivalence against it (i.e., != zero), ensures at least one element is True.]
Having defined checkMessage, we can now express our correctness theorem (again constrained to strings of size 16):
theorem cipherIsCorrect: {msg}.if checkMessage(cipherTable, (msg : String(16)))then dec (enc msg) == msgelse True;
If you try the :check command on this theorem, you will find that Cryptol is now happy with it:
SubstCipher> :check cipherIsCorrectChecking case 1000 of 1000 (100.00%)1000 tests passed OK[Coverage: 0.00%.(1000/340282366920938463463374607431768211456)]
The coverage info suggests we have not even barely scratched the test state-space in this case, as one can expect. However, that's the least of our worries in this case. More importantly, quick-check's OK is not  satisfactory at all for conditional theorems. How do we know that the random test data generated by Cryptol will pass the checkMessage test? In fact, it is very likely that very few of the test cases actually executed the actual equality check itself, as the "randomly-generated" messages are unlikely to pass the checkMessage filter.

Verification

Luckily, we can do better. Using Cryptol's automated theorem prover, we can rigorously prove that the theorem is indeed true for all possible messages:
SubstCipher> :prove cipherIsCorrectQ.E.D.
Cryptol proves this theorem on my 3 year old laptop in less than a second!  (We  should also note that the :prove command is available in the symbolic and SBV backends of Cryptol that comes with the full release. It uses off-the-shelf SAT/SMT solvers to prove Cryptol theorems automatically.)Now we can rest assured that our implementation of substitution ciphers in Cryptol is indeed correct!

For the curious

As the alert reader would have no doubt noticed, we have only proved our implementation correct with respect to our example translation map cipherTable. A more general theorem would have proved the cipher correct with respect to all possible tables. Such a theorem is indeed easy to express in Cryptol, but you'll also need to add the condition that the table is well defined. (That is, it should be a one-to-one map and no letter should be mapped to the special invalid marker '?'.) We invite the curious reader to play with this variant. Note that the automated proof will be more complicated in this case, and the backend prover might need more time before returning the final Q.E.D.

Download

The Cryptol source file implementing the substitution cipher is available for download. The Cryptol toolset licenses are freely available at www.cryptol.net. Enjoy!

Click to read more ...

Page 1 2 3 Next 5 Entries »