Published May 24, 2021 | Version v1
Conference paper Metadata-only

High-Assurance Cryptography in the Spectre Era

Barthe, Gilles
Cauligi, Sunjay
Grégoire, Benjamin
Koutsos, Adrien
Liao, Kevin
Oliveira, Tiago
Priya, Swarn
Rezk, Tamara
Schwabe, Peter
Others:
Max Planck Institute for Security and Privacy [Bochum] (MPI Security and Privacy)
Institute IMDEA Software [Madrid]
Sûreté du logiciel et Preuves Mathématiques Formalisées (STAMP) ; Inria Sophia Antipolis - Méditerranée (CRISAM) ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)
University of California [San Diego] (UC San Diego) ; University of California (UC)
Programming securely with cryptography (PROSECCO ) ; Inria de Paris ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)
Institute for Systems and Computer Engineering, Technology and Science [Braga] (INESC TEC)
Faculdade de Ciências da Universidade do Porto (FCUP) ; Universidade do Porto = University of Porto
Purdue University [West Lafayette]
Secure Diffuse Programming (INDES) ; Inria Sophia Antipolis - Méditerranée (CRISAM) ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)
This work is supported in part by the Office of Naval Research (ONR) under project N00014-15-1-2750; the CONIX Research Center, one of sixcenters in JUMP, a Semiconductor Research Corporation (SRC) program sponsored by DARPA; and the National Science Foundation (NSF) through the Graduate Research Fellowship Program.

Description

High-assurance cryptography leverages methods from program verification and cryptography engineering to deliver efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics is not aligned with the behavior of modern processors that make use of speculative execution to improve performance. This mismatch, combined with the high-profile Spectre-style attacks that exploit speculative execution, naturally casts doubts on the robustness of high-assurance cryptography guarantees. In this paper, we dispel these doubts by showing that the benefits of high-assurance cryptography extend to speculative execution, costing only a modest performance overhead. We build atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution, and validate our approach experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which are secure against both traditional timing and speculative execution attacks.

Abstract

International audience

Additional details

Identifiers Origin repository
Created:
December 4, 2022
Modified:
November 29, 2023