Efficient Verification of Optimized Code: Correct High-speed X25519

TL;DR

This paper presents a formal verification approach for highly optimized cryptographic assembly code on microcontrollers, demonstrating correctness, security, and efficiency improvements through automated proof techniques.

Contribution

It introduces a method for verifying optimized assembly code using the Why3 platform, enabling validation and correction of cryptographic implementations on microcontrollers.

Findings

Verified a 3000-line assembly implementation of elliptic curve cryptography.

Discovered and corrected an error in the original code.

Reduced memory footprint while ensuring correctness.

Abstract

Code that is highly optimized poses a problem for program-level verification: programmers can employ various clever tricks that are non-trivial to reason about. For cryptography on low-power devices, it is nonetheless crucial that implementations be functionally correct, secure, and efficient. These are usually crafted in hand-optimized machine code that eschew conventional control flow as much as possible. We have formally verified such code: a library which implements elliptic curve cryptography on 8-bit AVR microcontrollers. The chosen implementation is the most efficient currently known for this microarchitecture. It consists of over 3000 lines of assembly instructions. Building on earlier work, we use the Why3 platform to model the code and prove verification conditions, using automated provers. We expect the approach to be re-usable and adaptable, and it allows for validation. Furthermore, an error in the original implementation was found and corrected, at the same time reducing its memory footprint. This shows that practical verification of cutting-edge code is not only possible, but can in fact add to its efficiency -- and is clearly necessary.