## Functional correctness proofs of encryption algorithms (2005)


Venue: In Proceedings of 12th Conference on Logic for Programming Artificial Intelligence and Reasoning (LPAR 2005), number 3835 in LNAI

Citations: 10 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Duan05functionalcorrectness,
  author    = {Jianjun Duan and Joe Hurd and Guodong Li and Scott Owens and Konrad Slind and Junxing Zhang},
  title     = {Functional correctness proofs of encryption algorithms},
  booktitle = {In Proceedings of 12th Conference on Logic for Programming Artificial Intelligence and Reasoning (LPAR 2005), number 3835 in LNAI},
  year      = {2005},
  pages     = {519--533},
  publisher = {Springer-Verlag}
}
```


### Abstract

We discuss a collection of mechanized formal proofs of symmetric key block encryption algorithms (AES, MARS, Twofish, RC6, Serpent, IDEA, and TEA), performed in an implementation of higher order logic. For each algorithm, functional correctness, namely that decryption inverts encryption, is formally proved by a simple but effective proof methodology involving application of invertibility lemmas in the course of symbolic evaluation. Block ciphers are then lifted to the encryption of arbitrary datatypes by using modes of operation to encrypt lists of bits produced by a polytypic encoding method.

### Citations

1353 | Introduction to Functional Programming
- Bird, Wadler
- 1988

Citation context: ...as input a list of booleans and returns an element of type τ. It is also possible to build and compose decoders in a type-directed way. The key is to think of a decoder for type τ as a monadic parser [21]: `decode τ : bool list → (τ × bool list) option`. Such a function tries to parse an input list of booleans into an element of type τ, and if it succeeds then it returns the element of τ, together with ...

230 | The Design of Rijndael
- Daemen, Rijmen
- 2002

Citation context: ...g aspects of the correctness proof. Further details on the algorithms can be found in the cited literature. 2.1 AES. The AES block cipher is described in the NIST standards document [13] and in a book [5] by the authors of the cipher. AES is defined for three keylengths: 128, 192, and 256 bits. Our verification is for a keylength of 128, but changing to the other keylengths would be straightforward an...

120 | The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications
- Armando, Basin, et al.
- 2005

Citation context: ...plementation of the SHA-1 hash algorithm in [20]. Higher level security protocol specification and verification has received much more attention than ciphers, and this work is starting to mature: see [2] for example. It would be interesting to explore links between our correctness proofs and that body of work. Finally, the Cryptol language [9] is a domain-specific language, based on functional progra...

116 | Markov ciphers and differential cryptanalysis
- Lai, Massey
- 1991

Citation context: ...ification used lists of indices, and we had to derive functions, which were more tractable in later proofs, from them. Several transcription errors were caught in the later invertibility proofs. IDEA [8] is used in the popular PGP (Pretty Good Privacy) package. IDEA operates on 64-bit blocks using a 128-bit key, and consists of seventeen rounds. The processes for encryption and decryption are similar...

109 | Serpent: A proposal for the advanced encryption standard. Available from http://www.cl.cam.ac.uk/ rja14/serpent.html
- Anderson, Biham, et al.

Citation context: ...close to 32 is at most six, so that sixteen cycles may suffice and the authors suggest 32 (we implemented 32 rounds). The verification of TEA was again an easy application of our methodology. Serpent [1] is a 128-bit block cipher designed by Ross Anderson, Eli Biham and Lars Knudsen. It placed second in the AES competition. The authors designed Serpent to provide users with the highest practical leve...

61 | The Twofish Encryption Algorithm
- Schneier, Kelsey, et al.
- 1998

Citation context: ...e quite easy; again symbolic evaluation plus rewriting with inversion lemmas and some basic word identities (algebraic properties of exclusive-or, for example) sufficed for the final theorem. Twofish [16] was also an AES competitor. It has a block size of 128 bits and key sizes up to 256 bits. Twofish’s distinctive features are the use of pre-computed key-dependent S-boxes, and a relatively complex ke...

41 | Calculate polytypically
- Meertens
- 1996

Citation context: ...ist of blocks; however, there still remains the issue of how to encrypt higher level datatypes. Often support for this is provided by language-specific libraries. In our work, we have used polytypism [11] to implement datatype encryption: elements of datatypes are reduced by polytypic encoders to lists of bits which are then encrypted by a mode of operation instantiated with a particular block cipher....

31 | Recommendation for block cipher modes of operation: Methods and techniques
- Dworkin

Citation context: ...results; and we re-use those definitions in the correctness proofs. In practice, ciphers are used to encrypt compound user-defined data such as numbers, lists, trees, and records. Modes of operation [6] can be used to apply a block cipher to the task of encrypting a list of blocks; however, there still remains the issue of how to encrypt higher level datatypes. Often support for this is provided by ...

22 | Proof Checking the RSA Public Key Encryption Algorithm
- Boyer, Moore
- 1984

Citation context: ...e. 4 Related Work. Probably the earliest application of a proof assistant to cryptography is the use of Boyer and Moore’s Nqthm to verify the invertibility of encryption in the RSA public-key algorithm [14]. Whereas their goal seemed to be to check an interesting piece of (then) recently-announced mathematics, we have been more interested in getting an overview of how hard proofs are for a gamut of algo...

9 | Automatic formal synthesis of hardware from higher order logic
- Gordon, Iyoda, et al.
- 2006

Citation context: ...3] appears to provide an interesting framework in which to work. We have also been investigating the automatic synthesis of hardware from our specifications using a prototype deduction-based compiler [7]. At present, we are able to generate netlists from the HOL-4 specification of AES, and we plan to further develop and test our prototype on the other ciphers presented here. Invertibility proofs, as ...

8 | a Tiny Encryption Algorithm, Fast Software Encryption
- Wheeler, Needham, et al.
- 1994

Citation context: ...teps. RC6 does not use S-boxes. In spite of the fact that multiplication is used, the verification of RC6 was extremely simple, reducing to simple identities on words. TEA (Tiny Encryption Algorithm) [22] is a very compact cipher designed by David Wheeler and Roger Needham. TEA operates on 64-bit blocks and uses a 128-bit key. TEA has a trivial key schedule (the same four keys are used throughout)...

4 | Formalising Huffman’s Algorithm
- Théry
- 2004

Citation context: ...compression, being invertible, is similar to encryption, there may be commonalities in the two formal exercises. A verification of Huffman’s algorithm has recently been carried out in the Coq system [19], and there are many other important compression algorithms that could be tackled. Finally, the investigation of security properties of block ciphers in theorem provers seems to be an obvious area for...

3 | a candidate cipher for AES, Available at http://www.research.ibm.com/security/mars.pdf
- Burwick, Coppersmith, et al.
- 1999

Citation context: ...be a good challenge for SAT methods. 2.2 Verifying the other ciphers. We now discuss the other ciphers, omitting much detail since the basic ideas have been established in the discussion of AES. MARS [4] was IBM’s candidate in the AES competition. It has 128-bit blocks (a 4-tuple of word32) and a variable keysize ranging from 128 to 448 bits (we chose 128). The key schedule is a 40-tuple of word32s. ...

3 | The RC6 block cipher, Available at http://www.rsasecurity.com/rsalabs/rc6
- Rivest, Robshaw, et al.
- 1998

Citation context: ...operations, which are similar to that of AES. It uses these in column multiplication, also much like that of AES. However, unlike AES, the correctness proof for Twofish is almost comically easy. RC6 [15] is a block cipher based on RC5 and designed by Rivest, Sidney, and Yin for RSA Security. RC6 is a parameterized algorithm where the block size, the key size, and the number of rounds are variable; th...

3 | Formal verification of a SHA-1 circuit core using ACL2
- Toma, Borrione
- 2005

Citation context: ...Rijndael, and in [23] we provide further detail on the functional correctness of the IDEA cipher. Toma and Borrione report on an ACL2 verification of an implementation of the SHA-1 hash algorithm in [20]. Higher level security protocol specification and verification has received much more attention than ciphers, and this work is starting to mature: see [2] for example. It would be interesting to expl...

2 | Symmetric authentication in a simulatable Dolev-Yao-style cryptographic library
- Backes, Pfitzmann, et al.
- 2005

Citation context: ...It would also be useful to input or output code in mainstream languages such as C or Java, as a way of developing a path from verification environments to security applications development. The paper [3] appears to provide an interesting framework in which to work. We have also been investigating the automatic synthesis of hardware from our specifications using a prototype deduction-based compiler [7...

2 | Cryptol: a domain specific language for cryptography
- Lewis

Citation context: ...on than ciphers, and this work is starting to mature: see [2] for example. It would be interesting to explore links between our correctness proofs and that body of work. Finally, the Cryptol language [9] is a domain-specific language, based on functional programming principles, aimed at cryptographers. Cryptol provides a uniform stream-based view of all the data involved in encryption, and supports ...

2 | Recursive definition over coinductive types
- Matthews
- 1999

Citation context: ...-processing language, and its semantics document is not yet in the public domain, we are basing the work on a HOL theory of lazy lists, due to Michael Norrish (based on original work by John Matthews [10]). Several of the ciphers have been ported to work over the new type, and we have been encouraged, since the functional correctness proof of the new algorithm can be reduced with a few simple lemmas t...

1 | A verification of Rijndael
- Slind
- 2002

Citation context: ...with a particular block cipher. The correctness proofs of block ciphers can be combined with the correctness of encoders to obtain the correctness of data encryption. This work was initiated in 2002 [17] with a verification of the functional correctness of the then-recent AES standard. We subsequently extended the work to modes of operation, padding, and user-defined datatypes. After that, we were le...

1 | Applications of polytypism in theorem proving, Theorem Proving
- Slind, Hurd
- 2003

Citation context: ...serialization but we will use encoding/decoding or simply coding. A type-directed approach to coding, based on an interpretation of higher order logic types into higher order logic terms, is given in [18]. An encoding function can be thought of simply as an injective function of type `τ → bool list` mapping elements of type τ to lists of booleans. The injectivity condition prevents two elements of τ bei...