International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives

Authors:
Joel Kuepper
Andres Erbsen
Jason Gross
Owen Conoly
Chuyue Sun
Samuel Tian
David Wu
Adam Chlipala
Chitchanok Chuengsatiansup
Daniel Genkin
Markus Wagner
Yuval Yarom
Download:
Search ePrint
Search Google
Presentation: Slides
Abstract: Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is practical, e.g. producing new fastest-known implementations for the relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1.
Video: https://youtu.be/lahO3de3k_0?t=2790
BibTeX
@misc{rwc-2023-35466,
  title={CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives},
  note={Video at \url{https://youtu.be/lahO3de3k_0?t=2790}},
  howpublished={Talk given at RWC 2023},
  author={Joel Kuepper and Andres Erbsen and Jason Gross and Owen Conoly and Chuyue Sun and Samuel Tian and David Wu and Adam Chlipala and Chitchanok Chuengsatiansup and Daniel Genkin and Markus Wagner and Yuval Yarom},
  year=2023
}