Formally verifying Kyber Episode IV: Implementation correctness

José Bacelar Almeida; Manuel Barbosa; Gilles Barthe; Benjamin Grégoire; Vincent Laporte; Jean Christophe Léchenet; Tiago Oliveira; Hugo Pacheco; Miguel Quaresma; Peter Schwabe; Antoine Séré; Pierre Yves Strub

doi:10.46586/tches.v2023.i3.164-193

Formally verifying Kyber Episode IV: Implementation correctness

José Bacelar Almeida
, Manuel Barbosa
, Gilles Barthe
, Benjamin Grégoire
, Vincent Laporte
, Jean Christophe Léchenet
, Tiago Oliveira
, Hugo Pacheco
, Miguel Quaresma
, Peter Schwabe
, Antoine Séré
, Pierre Yves Strub

Research output: Contribution to journal › Article › peer-review

Abstract

In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

Original language	English
Pages (from-to)	164-193
Number of pages	30
Journal	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volume	2023
Issue number	3
DOIs	https://doi.org/10.46586/tches.v2023.i3.164-193
Publication status	Published - 9 Jun 2023
Externally published	Yes

Keywords

EasyCrypt
High-assurance cryptography
Jasmin
NIST PQC
lattice-based KEMs

Access to Document

10.46586/tches.v2023.i3.164-193

Cite this

Almeida, J. B., Barbosa, M., Barthe, G., Grégoire, B., Laporte, V., Léchenet, J. C., Oliveira, T., Pacheco, H., Quaresma, M., Schwabe, P., Séré, A., & Strub, P. Y. (2023). Formally verifying Kyber Episode IV: Implementation correctness. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(3), 164-193. https://doi.org/10.46586/tches.v2023.i3.164-193

@article{489b9e2335b44a81af114b6a33b33b1f,

title = "Formally verifying Kyber Episode IV: Implementation correctness",

abstract = "In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.",

keywords = "EasyCrypt, High-assurance cryptography, Jasmin, NIST PQC, lattice-based KEMs",

author = "Almeida, \{Jos{\'e} Bacelar\} and Manuel Barbosa and Gilles Barthe and Benjamin Gr{\'e}goire and Vincent Laporte and L{\'e}chenet, \{Jean Christophe\} and Tiago Oliveira and Hugo Pacheco and Miguel Quaresma and Peter Schwabe and Antoine S{\'e}r{\'e} and Strub, \{Pierre Yves\}",

note = "Publisher Copyright: {\textcopyright} 2023 Ruhr-University of Bochum.",

year = "2023",

month = jun,

day = "9",

doi = "10.46586/tches.v2023.i3.164-193",

language = "English",

volume = "2023",

pages = "164--193",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

number = "3",

}

TY - JOUR

T1 - Formally verifying Kyber Episode IV

T2 - Implementation correctness

AU - Almeida, José Bacelar

AU - Barbosa, Manuel

AU - Barthe, Gilles

AU - Grégoire, Benjamin

AU - Laporte, Vincent

AU - Léchenet, Jean Christophe

AU - Oliveira, Tiago

AU - Pacheco, Hugo

AU - Quaresma, Miguel

AU - Schwabe, Peter

AU - Séré, Antoine

AU - Strub, Pierre Yves

PY - 2023/6/9

Y1 - 2023/6/9

N2 - In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

AB - In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

KW - EasyCrypt

KW - High-assurance cryptography

KW - Jasmin

KW - NIST PQC

KW - lattice-based KEMs

U2 - 10.46586/tches.v2023.i3.164-193

DO - 10.46586/tches.v2023.i3.164-193

M3 - Article

AN - SCOPUS:85163223028

SN - 2569-2925

VL - 2023

SP - 164

EP - 193

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 3

ER -

Formally verifying Kyber Episode IV: Implementation correctness

Abstract

Keywords

Access to Document

Fingerprint

Cite this