Published June 21, 2021 | Version v1
Software Open

A Coq proof of the correctness of X25519 in TweetNaCl

  • 1. Radboud University
  • 1. Radboud University & MPI Security and Privacy
  • 2. Timmy Weerwag
  • 3. Radboud University

Description

Source code for the paper: A Coq proof of the correctness of X25519 in TweetNaCl.

We formally prove that the C implementation of the X25519 key-exchange protocol in the TweetNaCl library is correct. We prove both that it correctly implements the protocol from Bernstein’s 2006 paper, as standardized in RFC 7748, and that it is free of undefined behavior such as arithmetic overflows and array out-of-bounds errors. We also formally prove, based on the work of Bartzia and Strub, that X25519 is mathematically correct, i.e., that it correctly computes scalar multiplication on the elliptic curve Curve25519. All proofs are computer-verified using the Coq theorem prover. To establish the link between C and Coq, we use the Verified Software Toolchain (VST).

Files

Files (349.3 MB)

md5:531d20c4e1ee9e3dc07b5e2f78d29b3c (349.3 MB)