research-article

Open access

Machine-Checked Proofs for Cryptographic Standards: Indifferentiability of Sponge and Secure High-Assurance Implementations of SHA-3

Authors:

José Bacelar Almeida,

Cécile Baritel-Ruet,

Manuel Barbosa,

François Dupressoir,

Benjamin Grégoire,

Vincent Laporte,

Tiago Oliveira,

Alley Stoughton,

Pierre-Yves StrubAuthors Info & Claims

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Pages 1607 - 1622

https://doi.org/10.1145/3319535.3363211

Published: 06 November 2019 Publication History

Abstract

We present a high-assurance and high-speed implementation of the SHA-3 hash function. Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing attack resistance in the EasyCrypt proof assistant. Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive. Concretely, our mechanized proofs show that: 1) the SHA-3 hash function is indifferentiable from a random oracle, and thus is resistant against collision, first and second preimage attacks; 2) the SHA-3 hash function is correctly implemented by a vectorized x86 implementation. Furthermore, the implementation is provably protected against timing attacks in an idealized model of timing leaks. The proofs include new EasyCrypt libraries of independent interest for programmable random oracles and modular indifferentiability proofs.

Supplementary Material

WEBM File (p1607-gregoire.webm)

Download
105.25 MB

References

[1]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Arthur Blot, Benjamin Grégoire, Vincent Laporte, Tiago Oliveira, Hugo Pacheco, Benedikt Schmidt, and Pierre-Yves Strub. 2017. Jasmin: High-Assurance and High-Speed Cryptography. In ACM CCS 2017: 24th Conference on Computer and Communications Security, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1807--1823. https://doi.org/10.1145/3133956.3134078

[2]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, and Francois Dupressoir. 2013. Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In ACM CCS 2013: 20th Conference on Computer and Communications Security, Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung (Eds.). ACM Press, 1217--1230. https://doi.org/10.1145/2508859.2516652

Digital Library

[3]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, and Francois Dupressoir. 2016a. Verifiable Side-Channel Security of Cryptographic Implementations: Constant-Time MEE-CBC. In Fast Software Encryption -- FSE 2016 (Lecture Notes in Computer Science), Thomas Peyrin (Ed.), Vol. 9783. Springer, Heidelberg, 163--184. https://doi.org/10.1007/978--3--662--52993--5_9

[4]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Francois Dupressoir, and Michael Emmi. 2016b. Verifying Constant-Time Implementations. In USENIX Security 2016: 25th USENIX Security Symposium, Thorsten Holz and Stefan Savage (Eds.). USENIX Association, 53--70.

[5]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, Tiago Oliveira, and Pierre-Yves Strub. 2019. The Last Mile: High-Assurance and High-Speed Cryptographic Implementations. CoRR, Vol. abs/1904.04606 (2019). arxiv: 1904.04606 http://arxiv.org/abs/1904.04606

[6]

Andrew W. Appel. 2012. Verified Software Toolchain. In NASA Formal Methods - 4th International Symposium, NFM 2012, Norfolk, VA, USA, April 3--5, 2012. Proceedings. 2. https://doi.org/10.1007/978--3--642--28891--3_2

[7]

Andrew W. Appel. 2015. Verification of a Cryptographic Primitive: SHA-256. ACM Trans. Program. Lang. Syst., Vol. 37, 2 (2015), 7:1--7:31. https://doi.org/10.1145/2701415

Digital Library

[8]

Michael Backes, Gilles Barthe, Matthias Berg, Benjamin Grégoire, César Kunz, Malte Skoruppa, and Santiago Zanella-Béguelin. 2012. Verified Security of Merkle-Damgård. In 25th IEEE Computer Security Foundations Symposium, CSF 2012, Cambridge, MA, USA, June 25--27, 2012. 354--368. https://doi.org/10.1109/CSF.2012.14

[9]

Cecile Baritel-Ruet, François Dupressoir, Pierre-Alain Fouque, and Benjamin Grégoire. 2018. Formal Security Proof of CMAC and Its Variants. In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9--12, 2018. 91--104. https://doi.org/10.1109/CSF.2018.00014

[10]

Gilles Barthe, Marion Daubignard, Bruce M. Kapron, and Yassine Lakhnech. 2010. Computational indistinguishability logic. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4--8, 2010, Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov (Eds.). ACM, 375--386. https://doi.org/10.1145/1866307.1866350

Digital Library

[11]

Gilles Barthe, François Dupressoir, Benjamin Grégoire, César Kunz, Benedikt Schmidt, and Pierre-Yves Strub. 2013. EasyCrypt: A Tutorial. In Foundations of Security Analysis and Design VII - FOSAD 2012/2013 Tutorial Lectures. 146--166. https://doi.org/10.1007/978--3--319--10082--1_6

[12]

Mihir Bellare. 2006. New Proofs for NMAC and HMAC: Security without Collision-Resistance. In Advances in Cryptology -- CRYPTO 2006 (Lecture Notes in Computer Science), Cynthia Dwork (Ed.), Vol. 4117. Springer, Heidelberg, 602--619. https://doi.org/10.1007/11818175_36

[13]

Lennart Beringer, Adam Petcher, Katherine Q. Ye, and Andrew W. Appel. 2015. Verified Correctness and Security of OpenSSL HMAC. In 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12--14, 2015. 207--221. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/beringer

[14]

Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. 2008. On the Indifferentiability of the Sponge Construction. In Advances in Cryptology -- EUROCRYPT 2008 (Lecture Notes in Computer Science), Nigel P. Smart (Ed.), Vol. 4965. Springer, Heidelberg, 181--197. https://doi.org/10.1007/978--3--540--78967--3_11 balance

[15]

Benjamin Beurdouche, Franziskus Kiefer, and Tim Taubert. 2017. Verified cryptography for Firefox 57. https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ Accessed May 14, 2019.

[16]

Beno^it Cogliati, Yevgeniy Dodis, Jonathan Katz, Jooyoung Lee, John P. Steinberger, Aishwarya Thiruvengadam, and Zhe Zhang. 2018. Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks. In Advances in Cryptology -- CRYPTO 2018, Part I (Lecture Notes in Computer Science), Hovav Shacham and Alexandra Boldyreva (Eds.), Vol. 10991. Springer, Heidelberg, 722--753. https://doi.org/10.1007/978--3--319--96884--1_24

[17]

Pierre Corbineau, Mathilde Duclos, and Yassine Lakhnech. 2011. Certified Security Proofs of Cryptographic Protocols in the Computational Model: An Application to Intrusion Resilience. In Certified Programs and Proofs - First International Conference, CPP 2011, Kenting, Taiwan, December 7--9, 2011. Proceedings (Lecture Notes in Computer Science), Jean-Pierre Jouannaud and Zhong Shao (Eds.), Vol. 7086. Springer, 378--393. https://doi.org/10.1007/978--3--642--25379--9_27

Digital Library

[18]

Jean-Sébastien Coron, Yevgeniy Dodis, Cécile Malinaud, and Prashant Puniya. 2005. Merkle-Damgård Revisited: How to Construct a Hash Function. In Advances in Cryptology -- CRYPTO 2005 (Lecture Notes in Computer Science), Victor Shoup (Ed.), Vol. 3621. Springer, Heidelberg, 430--448. https://doi.org/10.1007/11535218_26

[19]

Pascal Cuoq, Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. 2012. Frama-C - A Software Analysis Perspective. In Software Engineering and Formal Methods - 10th International Conference, SEFM 2012, Thessaloniki, Greece, October 1--5, 2012. Proceedings. 233--247. https://doi.org/10.1007/978--3--642--33826--7_16

[20]

Dana Dachman-Soled, Jonathan Katz, and Aishwarya Thiruvengadam. 2016. 10-Round Feistel is Indifferentiable from an Ideal Cipher. In Advances in Cryptology -- EUROCRYPT 2016, Part II (Lecture Notes in Computer Science), Marc Fischlin and Jean-Sé bastien Coron (Eds.), Vol. 9666. Springer, Heidelberg, 649--678. https://doi.org/10.1007/978--3--662--49896--5_23

[21]

Yuanxi Dai and John P. Steinberger. 2016. Indifferentiability of 8-Round Feistel Networks. In Advances in Cryptology -- CRYPTO 2016, Part I (Lecture Notes in Computer Science), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 95--120. https://doi.org/10.1007/978--3--662--53018--4_4

Digital Library

[22]

Marion Daubignard, Pierre-Alain Fouque, and Yassine Lakhnech. 2012. Generic Indifferentiability Proofs of Hash Designs. In 25th IEEE Computer Security Foundations Symposium, CSF 2012, Cambridge, MA, USA, June 25--27, 2012, Stephen Chong (Ed.). IEEE Computer Society, 340--353. https://doi.org/10.1109/CSF.2012.13

[23]

Morris J. Dworkin. 2015. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. http://dx.doi.org/10.6028/NIST.FIPS.202

[24]

Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, and Adam Chlipala. 2019. Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises. In IEEE Security & Privacy. To appear. Retrieved from http://adam.chlipala.net/papers/FiatCryptoSP19/FiatCryptoSP19.pdf.

[25]

Xavier Leroy. 2009. A Formally Verified Compiler Back-end. J. Autom. Reasoning, Vol. 43, 4 (2009), 363--446. https://doi.org/10.1007/s10817-009--9155--4

Digital Library

[26]

Ueli M. Maurer, Renato Renner, and Clemens Holenstein. 2004. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In TCC 2004: 1st Theory of Cryptography Conference (Lecture Notes in Computer Science), Moni Naor (Ed.), Vol. 2951. Springer, Heidelberg, 21--39. https://doi.org/10.1007/978--3--540--24638--1_2

[27]

Adam Petcher and Greg Morrisett. 2015. The Foundational Cryptography Framework. In Principles of Security and Trust - 4th International Conference, POST 2015, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2015, London, UK, April 11--18, 2015, Proceedings. 53--72. https://doi.org/10.1007/978--3--662--46666--7_4

[28]

Jonathan Protzenko, Bryan Parno, Aymeric Fromherz, Chris Hawblitzel, Marina Polubelova, Karthikeyan Bhargavan, Benjamin Beurdouche, Joonwon Choi, Antoine Delignat-Lavaud, Cédric Fournet, Tahina Ramananandro, Aseem Rastogi, Nikhil Swamy, Christoph Wintersteiger, and Santiago Zanella-Beguelin. 2019. EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider. Cryptology ePrint Archive, Report 2019/757. https://eprint.iacr.org/2019/757.

[29]

Jonathan Protzenko, Jean Karim Zinzindohoué, Aseem Rastogi, Tahina Ramananandro, Peng Wang, Santiago Zanella-Béguelin, Antoine Delignat-Lavaud, Catalin Hritcu, Karthikeyan Bhargavan, Cédric Fournet, and Nikhil Swamy. 2017. Verified low-level programming embedded in F*. PACMPL, Vol. 1, ICFP (2017), 17:1--17:29. https://doi.org/10.1145/3110261

Digital Library

[30]

Thomas Ristenpart, Hovav Shacham, and Thomas Shrimpton. 2011. Careful with Composition: Limitations of the Indifferentiability Framework. In Advances in Cryptology -- EUROCRYPT 2011 (Lecture Notes in Computer Science), Kenneth G. Paterson (Ed.), Vol. 6632. Springer, Heidelberg, 487--506. https://doi.org/10.1007/978--3--642--20465--4_27

[31]

Phillip Rogaway and Thomas Shrimpton. 2004. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In Fast Software Encryption -- FSE 2004 (Lecture Notes in Computer Science), Bimal K. Roy and Willi Meier (Eds.), Vol. 3017. Springer, Heidelberg, 371--388. https://doi.org/10.1007/978--3--540--25937--4_24

[32]

Victor Shoup. 2004. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332. http://eprint.iacr.org/2004/332.

[33]

Nikhil Swamy, Catalin Hritcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoué, and Santiago Zanella-Béguelin. 2016. Dependent Types and Multi-Monadic Effects in F*. In 43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 256--270. https://www.fstar-lang.org/papers/mumon/

Digital Library

[34]

Aaron Tomb. 2016. Automated Verification of Real-World Cryptographic Implementations. IEEE Security & Privacy, Vol. 14, 6 (2016), 26--33. https://doi.org/10.1109/MSP.2016.125

Digital Library

[35]

Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel. 2017. Verified Correctness and Security of mbedTLS HMAC-DRBG. In ACM CCS 2017: 24th Conference on Computer and Communications Security, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 2007--2020. https://doi.org/10.1145/3133956.3133974

[36]

Jean Karim Zinzindohoué, Karthikeyan Bhargavan, Jonathan Protzenko, and Benjamin Beurdouche. 2017. HACL*: A Verified Modern Cryptographic Library. In ACM CCS 2017: 24th Conference on Computer and Communications Security, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1789--1806. https://doi.org/10.1145/3133956.3134043

Digital Library

Cited By

Gregersen SAguirre AHaselwarter PTassarotti JBirkedal L(2024)Asynchronous Probabilistic Couplings in Higher-Order Separation LogicProceedings of the ACM on Programming Languages10.1145/36328688:POPL(753-784)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632868
Mohamadi HLahlou LKara NLeivadeas A(2024)A versatile chaotic cryptosystem with a novel substitution-permutation scheme for internet-of-drones photographyNonlinear Dynamics10.1007/s11071-024-09306-3112:6(4977-5012)Online publication date: 1-Feb-2024
https://doi.org/10.1007/s11071-024-09306-3
Hwang V(2024)Formal Verification of Emulated Floating-Point Arithmetic in FalconAdvances in Information and Computer Security10.1007/978-981-97-7737-2_7(125-141)Online publication date: 13-Sep-2024
https://doi.org/10.1007/978-981-97-7737-2_7
Show More Cited By

Index Terms

Machine-Checked Proofs for Cryptographic Standards: Indifferentiability of Sponge and Secure High-Assurance Implementations of SHA-3

Recommendations

Rebound attack on JH42
ASIACRYPT'11: Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security

The hash function JH [20] is one of the five finalists of the NIST SHA-3 hash competition. It has been recently tweaked for the final by increasing its number of rounds from 35.5 to 42. The previously best known results on JH were semi-free-start near-...
A synthetic indifferentiability analysis of some block-cipher-based hash functions

At ASIACRYPT'06 , Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks ...
A domain extender for the ideal cipher
TCC'10: Proceedings of the 7th international conference on Theory of Cryptography

We describe the first domain extender for ideal ciphers, i.e. we show a construction that is indifferentiable from a 2n-bit ideal cipher, given a n-bit ideal cipher. Our construction is based on a 3-round Feistel, and is more efficient than first ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

November 2019

2755 pages

ISBN:9781450367479

DOI:10.1145/3319535

General Chairs:
Lorenzo Cavallaro
King's College London, UK
,
Johannes Kinder
Bundeswehr University Munich, Germany
,
Program Chairs:
XiaoFeng Wang
Indiana University, USA
,
Jonathan Katz
George Mason University, USA

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 November 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Horizon 2020 Framework Programme
National Institute of Standards and Technology
Fundação para a Ciência e a Tecnologia
Office of Naval Research
National Science Foundation
Agence Nationale de la Recherche

Conference

CCS '19

Sponsor:

SIGSAC

CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security

November 11 - 15, 2019

London, United Kingdom

Acceptance Rates

CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

20
Total Citations
View Citations
1,058
Total Downloads

Downloads (Last 12 months)226
Downloads (Last 6 weeks)27

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Gregersen SAguirre AHaselwarter PTassarotti JBirkedal L(2024)Asynchronous Probabilistic Couplings in Higher-Order Separation LogicProceedings of the ACM on Programming Languages10.1145/36328688:POPL(753-784)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632868
Mohamadi HLahlou LKara NLeivadeas A(2024)A versatile chaotic cryptosystem with a novel substitution-permutation scheme for internet-of-drones photographyNonlinear Dynamics10.1007/s11071-024-09306-3112:6(4977-5012)Online publication date: 1-Feb-2024
https://doi.org/10.1007/s11071-024-09306-3
Hwang V(2024)Formal Verification of Emulated Floating-Point Arithmetic in FalconAdvances in Information and Computer Security10.1007/978-981-97-7737-2_7(125-141)Online publication date: 13-Sep-2024
https://doi.org/10.1007/978-981-97-7737-2_7
Lai LLiu JShi XTsai MWang BYang B(2024)Automatic Verification of Cryptographic Block Function Implementations with Logical Equivalence CheckingComputer Security – ESORICS 202410.1007/978-3-031-70903-6_19(377-395)Online publication date: 5-Sep-2024
https://doi.org/10.1007/978-3-031-70903-6_19
Almeida JArranz Olmos SBarbosa MBarthe GDupressoir FGrégoire BLaporte VLéchenet JLow COliveira TPacheco HQuaresma MSchwabe PStrub P(2024)Formally Verifying KyberAdvances in Cryptology – CRYPTO 202410.1007/978-3-031-68379-4_12(384-421)Online publication date: 18-Aug-2024
https://dl.acm.org/doi/10.1007/978-3-031-68379-4_12
Haselwarter PRivas EVan Muylder AWinterhalter TAbate CSidorenco NHriţcu CMaillard KSpitters B(2023)SSProve: A Foundational Framework for Modular Cryptographic Proofs in CoqACM Transactions on Programming Languages and Systems10.1145/359473545:3(1-61)Online publication date: 20-Jul-2023
https://dl.acm.org/doi/10.1145/3594735
Barbosa MBarthe GGrégoire BKoutsos AStrub P(2023)Mechanized Proofs of Adversarial Complexity and Application to Universal ComposabilityACM Transactions on Privacy and Security10.1145/358996226:3(1-34)Online publication date: 19-Jul-2023
https://dl.acm.org/doi/10.1145/3589962
Grégoire BLéchenet JTassi EKrebbers RTraytel DPientka BZdancewic S(2023)Practical and Sound Equality Tests, Automatically: Deriving eqType Instances for Jasmin’s Data Types with Coq-ElpiProceedings of the 12th ACM SIGPLAN International Conference on Certified Programs and Proofs10.1145/3573105.3575683(167-181)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3573105.3575683
Hvass BAranha DSpitters B(2023)High-Assurance Field Inversion for Curve-Based Cryptography2023 IEEE 36th Computer Security Foundations Symposium (CSF)10.1109/CSF57540.2023.00008(552-567)Online publication date: Jul-2023
https://doi.org/10.1109/CSF57540.2023.00008
Barbosa MDupressoir FGrégoire BHülsing AMeijers MStrub P(2023)Machine-Checked Security for $$\textrm{XMSS} $$ as in RFC 8391 and $$\mathrm {SPHINCS^{+}} $$Advances in Cryptology – CRYPTO 202310.1007/978-3-031-38554-4_14(421-454)Online publication date: 9-Aug-2023
https://doi.org/10.1007/978-3-031-38554-4_14
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents