TY - GEN
T1 - Probabilistic relational verification for cryptographic implementations
AU - Barthe, Gilles
AU - Fournet, Cédric
AU - Grégoire, Benjamin
AU - Strub, Pierre Yves
AU - Swamy, Nikhil
AU - Zanella-Béguelin, Santiago
PY - 2014/2/11
Y1 - 2014/2/11
N2 - Relational program logics have been used for mechanizing formal proofs of various cryptographic constructions. With an eye towards scaling these successes towards end-to-end security proofs for implementations of distributed systems, we present RF*, a relational extension of F*, a general-purpose higher-order stateful programming language with a verification system based on refinement types. The distinguishing feature of F*is a relational Hoare logic for a higher-order, stateful, probabilistic language. Through careful language design, we adapt the F*typechecker to generate both classic and relational verification conditions, and to automatically discharge their proofs using an SMT solver. Thus, we are able to benefit from the existing features of F*, including its abstraction facilities for modular reasoning about program fragments. We evaluate RF*experimentally by programming a series of cryptographic constructions and protocols, and by verifying their security properties, ranging from information flow to unlinkability, integrity, and privacy. Moreover, we validate the design of RF*by formalizing in Coq a core probabilistic λ-calculus and a relational refinement type system and proving the soundness of the latter against a denotational semantics of the probabilistic lambda λ-calculus.
AB - Relational program logics have been used for mechanizing formal proofs of various cryptographic constructions. With an eye towards scaling these successes towards end-to-end security proofs for implementations of distributed systems, we present RF*, a relational extension of F*, a general-purpose higher-order stateful programming language with a verification system based on refinement types. The distinguishing feature of F*is a relational Hoare logic for a higher-order, stateful, probabilistic language. Through careful language design, we adapt the F*typechecker to generate both classic and relational verification conditions, and to automatically discharge their proofs using an SMT solver. Thus, we are able to benefit from the existing features of F*, including its abstraction facilities for modular reasoning about program fragments. We evaluate RF*experimentally by programming a series of cryptographic constructions and protocols, and by verifying their security properties, ranging from information flow to unlinkability, integrity, and privacy. Moreover, we validate the design of RF*by formalizing in Coq a core probabilistic λ-calculus and a relational refinement type system and proving the soundness of the latter against a denotational semantics of the probabilistic lambda λ-calculus.
KW - probabilistic programming
KW - program logics
U2 - 10.1145/2535838.2535847
DO - 10.1145/2535838.2535847
M3 - Conference contribution
AN - SCOPUS:84893437850
SN - 9781450325448
T3 - Conference Record of the Annual ACM Symposium on Principles of Programming Languages
SP - 193
EP - 205
BT - POPL 2014 - Proceedings of the 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
T2 - 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2014
Y2 - 22 January 2014 through 24 January 2014
ER -