Formally verifying Kyber Episode IV: Implementation correctness

José Bacelar Almeida; Manuel Barbosa; Gilles Barthe; Benjamin Grégoire; Vincent Laporte; Jean Christophe Léchenet; Tiago Oliveira; Hugo Pacheco; Miguel Quaresma; Peter Schwabe; Antoine Séré; Pierre Yves Strub

doi:10.46586/tches.v2023.i3.164-193

Formally verifying Kyber Episode IV: Implementation correctness

José Bacelar Almeida
, Manuel Barbosa
, Gilles Barthe
, Benjamin Grégoire
, Vincent Laporte
, Jean Christophe Léchenet
, Tiago Oliveira
, Hugo Pacheco
, Miguel Quaresma
, Peter Schwabe
, Antoine Séré
, Pierre Yves Strub

Universidade de Minho
University of Porto
Ipatimup Diagnósticos
Max Planck Institute for Security and Privacy
IMDEA Software Institute
Université Côte D’Azur
Nancy Université
Radboud University
Meta

Résultats de recherche: Contribution à un journal › Article › Revue par des pairs

Résumé

In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

langue originale	Anglais
Pages (de - à)	164-193
Nombre de pages	30
journal	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volume	2023
Numéro de publication	3
Les DOIs	https://doi.org/10.46586/tches.v2023.i3.164-193
état	Publié - 9 juin 2023
Modification externe	Oui

Accès au document

10.46586/tches.v2023.i3.164-193

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Almeida, J. B., Barbosa, M., Barthe, G., Grégoire, B., Laporte, V., Léchenet, J. C., Oliveira, T., Pacheco, H., Quaresma, M., Schwabe, P., Séré, A., & Strub, P. Y. (2023). Formally verifying Kyber Episode IV: Implementation correctness. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(3), 164-193. https://doi.org/10.46586/tches.v2023.i3.164-193

@article{489b9e2335b44a81af114b6a33b33b1f,

title = "Formally verifying Kyber Episode IV: Implementation correctness",

abstract = "In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.",

keywords = "EasyCrypt, High-assurance cryptography, Jasmin, NIST PQC, lattice-based KEMs",

author = "Almeida, \{Jos{\'e} Bacelar\} and Manuel Barbosa and Gilles Barthe and Benjamin Gr{\'e}goire and Vincent Laporte and L{\'e}chenet, \{Jean Christophe\} and Tiago Oliveira and Hugo Pacheco and Miguel Quaresma and Peter Schwabe and Antoine S{\'e}r{\'e} and Strub, \{Pierre Yves\}",

note = "Publisher Copyright: {\textcopyright} 2023 Ruhr-University of Bochum.",

year = "2023",

month = jun,

day = "9",

doi = "10.46586/tches.v2023.i3.164-193",

language = "English",

volume = "2023",

pages = "164--193",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

number = "3",

}

TY - JOUR

T1 - Formally verifying Kyber Episode IV

T2 - Implementation correctness

AU - Almeida, José Bacelar

AU - Barbosa, Manuel

AU - Barthe, Gilles

AU - Grégoire, Benjamin

AU - Laporte, Vincent

AU - Léchenet, Jean Christophe

AU - Oliveira, Tiago

AU - Pacheco, Hugo

AU - Quaresma, Miguel

AU - Schwabe, Peter

AU - Séré, Antoine

AU - Strub, Pierre Yves

PY - 2023/6/9

Y1 - 2023/6/9

N2 - In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

AB - In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.

KW - EasyCrypt

KW - High-assurance cryptography

KW - Jasmin

KW - NIST PQC

KW - lattice-based KEMs

UR - https://www.scopus.com/pages/publications/85163223028

U2 - 10.46586/tches.v2023.i3.164-193

DO - 10.46586/tches.v2023.i3.164-193

M3 - Article

AN - SCOPUS:85163223028

SN - 2569-2925

VL - 2023

SP - 164

EP - 193

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 3

ER -

Formally verifying Kyber Episode IV: Implementation correctness

Résumé

Accès au document

Autres fichiers et liens

Empreinte digitale

Contient cette citation