Empowering the Experts: High-Assurance, High-Performance, High-Level Design with Cryptol

Sally A. Browning, Magnus Carlsson, Levent Erkök, John Matthews, Brad Martin, Sean Weaver

A domain-specific language (DSL) is a programming language targeted at producing solutions in a given problem domain by enabling subject-matter experts to design solutions in terms they are familiar with and at a level of abstraction that makes most sense to them. In addition, a good DSL opens the way for powerful tool support: simulations for design exploration; automatic testing and generation of test harnesses; generation of highly specialized code for multiple targets; and generation of formal evidence for correctness, safety, and security properties.

Cryptographer as designer

You are a highly skilled cryptographer charged with designing a custom, state-of-the-art encryption solution for protecting mission-critical information. There are explicit and competing requirements for the implementation—throughput, size, power utilization, operation temperature, etc.—that may affect the implementation. You produce a design and want to see how it matches up with the implementation requirements. How would you proceed?

Typically, you find an expert hardware designer who translates your algorithm into VHDL (a hardware description language), and then runs proprietary tools to characterize the implementation. If it uses too much power, or has insufficient throughput, or..., the hardware designer iteratively tweaks the design until it is "good enough."

Typically, the design is fabricated (if it is an ASIC—application-specific integrated circuit) or loaded into an FPGA (field-programmable gate array), placed into a test harness, and blasted with test vectors. If it works, great. Otherwise, the search begins to find the error. But how do you know if it still works the way you intended? And what if a security hole, for example a malicious counter or a back door, was introduced? Would you even know?

There must be a better way.

Figure 1: Traditionally, the crypto developer must be highly trained and expert at balancing a myriad of often conflicting requirements. Image Source: Galois, Inc.

Cryptol: A better way

The Cryptol specification language was designed for the National Security Agency (NSA) as a public standard for specifying cryptographic algorithms [1]. The Cryptol tools provide a development path for cryptographic modules across the entire software process, from specification and implementation to verification and certification. Cryptol tools significantly reduce overall life-cycle costs by addressing the key cost drivers in the deployment of cryptography.

Rapid design cycle

Cryptol specifications are fully executable, allowing designers to experiment with their programs incrementally as their designs evolve. The Cryptol tools support a refinement methodology that bridges the conceptual gap between specification and low-level implementation, thereby reducing time to market. For example, Cryptol allows engineers and mathematicians to program cryptographic algorithms on FPGAs as if they were writing software.

Reusable specification

The Cryptol tools provide a platform-neutral specification language that generates implementations on multiple platforms. Cryptol tools can generate software implementations, hardware implementations, and formal models for verification, all from a single Cryptol program.

Accelerated certification

A Cryptol reference specification becomes the formal documentation for the cryptographic module, eliminating the need for separate and voluminous English descriptions. In addition, Cryptol verification tools show functional equivalence between the specification and the implementation at various stages of the toolchain.

From Section 3.1 of the AES definition [2]:

    The input and output for the AES algorithm each consist of sequences of 128 bits... The Cipher Key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output and Cipher Key lengths are not permitted by this standard.

In Cryptol:

    {k}(k >= 2, 4 >= k) => ([128],[64*k]) -> [128]

Figure 2: The constraints and requirements from the Advanced Encryption Standard (AES) [2] can be translated directly into Cryptol types, as shown above. The colored text shows the linkage between English constraint and Cryptol type. Image Source: Galois, Inc.

[Figure 3 diagram, taken from the standard: plaintext -> initial permutation -> (L0, R0); for each round i = 1..16, Li = R(i-1) and Ri = L(i-1) ^ f(R(i-1), Ki); (R16, L16) -> inverse initial permutation -> ciphertext]

    des : ([64],[56]) -> [64];
    des (pt, key) = permute (FP, last)
      where {
        pt' = permute (IP, pt);
        iv = [| round (lr, key, rnd)
             || rnd <- [0 .. 15]
             || lr <- [(split pt')] # iv
             |];
        last = join (swap (iv @ 15));
        swap [a b] = [b a];
      };

    round : ([2][32], [56], [4]) -> [2][32];
    round ([l r], key, rnd) = [r (l ^ f(r, kx))]
      where {
        kx = expand (key, rnd);
        f (r, k) = permute (PP, SBox (k ^ permute (EP, r)));
      };

Figure 3: The Data Encryption Standard (DES) algorithm is a block cipher that uses a 56-bit symmetric key. The diagram above is taken from the Standard [3]. Cryptol uses parallel stream comprehensions to interleave data and lazy evaluation to encapsulate multiple computational stages in a single statement. Colors and shapes are used to help relate the program text to the diagram. Details of the language can be found in [4] and at www.cryptol.net. Image Source: Galois, Inc.

Design: The Cryptol language

Cryptol [1] is a pure functional language built on top of a polymorphic type system that has been extended with size polymorphism and arithmetic type predicates designed to capture constraints that arise naturally in cryptographic specifications.

Figure 2 shows an excerpt from the AES specification [2] that describes the generator inputs and outputs, and the corresponding Cryptol definition. The text to the left of the => in the Cryptol definition describes quantified type variables and predicates on them. In this case, the type is size polymorphic, relying on the size variable k. The predicates constrain the range of values the quantified size variables can accept; here, k must be between 2 and 4. To the right of the =>, we see the actual type. The function has two inputs: a 128-bit word containing the plaintext and a 64*k-bit wide key. The function outputs another 128-bit word, the ciphertext. Note the precise correspondence of the type to the English description in the standard.

Figure 3 shows a Cryptol code snippet—a specification for the core of the DES algorithm. Note the compact mathematical function notation and the definition of sequence structures and bit sizes. The Cryptol Reference Manual [4] has many more examples as well as a detailed description of the language.

Implement: The Cryptol FPGA generator

Type 1 cryptographic devices protect information of national importance. The information assurance standards for such products are correspondingly high. In addition, crypto modernization requirements mandate field programmability, and various operational requirements call for a reduced space, weight, and power footprint.

FPGAs offer a compelling platform to address these needs. They are field updatable by design, offer tremendous performance potential, and have fewer nonrecurring engineering costs than traditional ASIC designs. However, FPGA development still requires the considerable time and talents of skilled hardware designers, which increases development time and costs. Mainstream design tools supplied by FPGA vendors have more in common with VLSI (very-large-scale integration) design tools than with modern programming environments. These design tools automatically limit the user population to designers trained in VLSI design.

The Cryptol FPGA generator introduces a new design flow that allows engineers and mathematicians to program …

… operations are to be applied. But there the resemblance ends. Sequences, which appear repeatedly in the mathematical descriptions of crypto algorithms, have many different instantiations as hardware. At one extreme, the sequence can be spread out in space as side-by-side parallelism. At the other extreme, the sequence can be laid out in time as consecutive values held in a register, or over many registers in a pipeline. Many combinations of these are also possible. The Cryptol FPGA generator uses a wide variety of engineering heuristics to pick an appropriate translation of a Cryptol function to an FPGA configuration that will make effective and efficient use of the silicon. The user can also provide pragmas (compiler commands) about space/time mappings, thereby guiding the translation process without compromising the integrity of the original specification.

The declarative quality of Cryptol, which makes Cryptol a good specification language, also plays a key role in the effectiveness of automatic generation of FPGA cores. In contrast, the inherent sequentiality of mainstream programming languages makes them a poor match for the highly parallel nature of FPGAs.

Creating high-performance …

High-level exploration of the design space

Good design is always at the root of great performance. One of the key factors in Cryptol's performance results is its ability to explore the implementation design space at a very high level. A Cryptol developer can experiment with many different microarchitectures in the course of a few days, covering ground that would otherwise take weeks or months using traditional methods. A variety of implementation approaches can be modeled and characterized quickly.

For example, at the Cryptol level, a straightforward idiom identifies pipelined functional units in hardware. Recall the specification for DES shown in Figure 3. The designer has created a pipelined version of the round function by hand by factoring the high-level Cryptol specification, as shown in Figure 4. The Cryptol FPGA generator produces an efficient pipelined circuit, also shown in Figure 4 on page 8.

High-level design exploration provides a profound advantage in the development of high-performance algorithms (or in algorithms meeting other design constraints). The key is the speed with which the developer is able to iterate the design, the bottleneck of hardware design.
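The size-polymorphic signature in Figure 2 admits only finitely many concrete types, one per binding of k that satisfies the predicates, and that is what ties the standard's "128, 192 or 256 bits" to the type. The Python below is an added example, not code from the article, from Galois, or from the Cryptol type checker: it parses only the restricted Cryptol 1 signature shape shown in Figure 2 (a list of size variables, a parenthesised predicate list, a tuple of widths and a result width), enumerates the admissible bindings of the size variables, and reports whether a call with given argument widths would be accepted. It goes slightly beyond the page in handling any number of size variables and width expressions built from sums and products. The constant AES_SIGNATURE and all function names are this example's own.

```python
"""Added example: a checker for the size-polymorphic signature shape used in
Figure 2 (Cryptol 1 syntax).  Not Cryptol's own type checker; it handles only
    {vars}(predicates) => ([w1],[w2],...) -> [w]
where widths are sums of products of integers and size variables."""
import itertools
import re
from dataclasses import dataclass

# Constructed input: the AES signature shown in Figure 2.
AES_SIGNATURE = "{k}(k >= 2, 4 >= k) => ([128],[64*k]) -> [128]"

_SIG_RE = re.compile(
    r"^\{(?P<vars>[^}]*)\}\s*\((?P<preds>[^)]*)\)\s*=>\s*"
    r"\((?P<args>.*)\)\s*->\s*\[(?P<res>[^\]]*)\]\s*$"
)
_PRED_RE = re.compile(r"^(\S+)\s*(>=|<=|==|>|<)\s*(\S+)$")
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        "==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


@dataclass(frozen=True)
class Signature:
    size_vars: tuple   # quantified size variables, e.g. ('k',)
    predicates: tuple  # (lhs, op, rhs) as written, e.g. ('k', '>=', '2')
    arg_widths: tuple  # width expressions of the tuple argument, e.g. ('128', '64*k')
    result_width: str  # width expression of the result, e.g. '128'


def parse_signature(text):
    """Parse the restricted signature shape into its parts; reject anything else."""
    m = _SIG_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported signature shape: " + text)
    size_vars = tuple(v.strip() for v in m.group("vars").split(",") if v.strip())
    preds = []
    for p in m.group("preds").split(","):
        pm = _PRED_RE.match(p.strip())
        if pm is None:
            raise ValueError("bad predicate: " + p)
        preds.append((pm.group(1), pm.group(2), pm.group(3)))
    args = tuple(a.strip().strip("[]") for a in m.group("args").split(","))
    return Signature(size_vars, tuple(preds), args, m.group("res").strip())


def eval_width(expr, env):
    """Evaluate a width expression such as '64*k' under a size-variable binding."""
    total = 0
    for term in expr.split("+"):
        prod = 1
        for factor in term.split("*"):
            factor = factor.strip()
            prod *= int(factor) if factor.isdigit() else env[factor]
        total += prod
    return total


def predicates_hold(sig, env):
    return all(_OPS[op](eval_width(l, env), eval_width(r, env))
               for l, op, r in sig.predicates)


def instances(sig, bound=64):
    """Every binding of the size variables in [0, bound] satisfying the predicates:
    the finite set of monomorphic types the signature admits."""
    found = []
    for values in itertools.product(range(bound + 1), repeat=len(sig.size_vars)):
        env = dict(zip(sig.size_vars, values))
        if predicates_hold(sig, env):
            found.append(env)
    return found


def concrete_type(sig, env):
    """Render the monomorphic type for one binding, e.g. '([128],[192]) -> [128]'."""
    args = ",".join("[%d]" % eval_width(w, env) for w in sig.arg_widths)
    return "(%s) -> [%d]" % (args, eval_width(sig.result_width, env))


def admissible_key_widths(sig):
    """Widths the second argument (the Cipher Key in Figure 2) may take."""
    return sorted(eval_width(sig.arg_widths[1], env) for env in instances(sig))


def check_call(sig, actual_widths):
    """The binding under which a call with arguments of the given bit widths
    type-checks, or None when no admissible instance matches (call rejected)."""
    for env in instances(sig):
        if tuple(eval_width(w, env) for w in sig.arg_widths) == tuple(actual_widths):
            return env
    return None


if __name__ == "__main__":
    sig = parse_signature(AES_SIGNATURE)
    for env in instances(sig):
        print(env, concrete_type(sig, env))
    print("160-bit key accepted?", check_call(sig, (128, 160)) is not None)
```

Running it lists exactly three instances (k = 2, 3, 4, giving 128-, 192- and 256-bit keys) and rejects a 160-bit key, which is not a multiple of 64, as well as a 320-bit key, which satisfies the width shape but violates 4 >= k. This mirrors how Cryptol turns the standard's sentence "Other ... Cipher Key lengths are not permitted" into a type error rather than a runtime check.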
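Two things in the DES specification of Figure 3 are easy to read past: the round stream iv is defined in terms of itself (lr <- [(split pt')] # iv) and only lazy evaluation makes that well-founded, and the "Accelerated certification" section rests on being able to show that such a specification and a separately factored implementation compute the same function. The Python below is an added example, not code from the article or from Galois, and not DES: it is a downscaled Feistel cipher with the same shape as Figure 3 (8-bit block, 4-bit halves, 8-bit key, 16 rounds), written once as a memoised self-referential stream that transcribes the Cryptol definition and once as an unrolled loop of the kind a hand-factored implementation uses, followed by an exhaustive equivalence check over every plaintext for a set of keys. All tables (IP, FP, EP, PP, SBOX), the key schedule expand and every function name are constructed for this example.

```python
"""Added example (not the article's or Galois's code): a toy Feistel cipher
with the structure of the DES specification in Figure 3, as a lazy
self-referential round stream and as an unrolled loop, plus an exhaustive
equivalence check between the two.  All tables are constructed toys, not DES's."""

HALF = 4             # bits per half block (DES: 32)
BLOCK = 2 * HALF     # block width (DES: 64)
KEY_BITS = 8         # key width (DES: 56)
SUBKEY_BITS = 6      # round-key width (DES: 48)
ROUNDS = 16

# Constructed permutation tables: entry i names the input bit (0 = MSB) that
# becomes output bit i, the convention of the DES standard's tables but 0-based.
IP = [1, 5, 0, 4, 3, 7, 2, 6]                  # initial permutation on BLOCK bits
FP = [IP.index(i) for i in range(BLOCK)]       # inverse initial permutation
EP = [3, 0, 1, 2, 3, 0]                        # expansion HALF -> SUBKEY_BITS
PP = [2, 0, 3, 1]                              # permutation inside f
# Constructed 6-bit -> 4-bit substitution; a toy, not one of DES's S-boxes.
SBOX = [((i * 11 + 5) ^ (i >> 2)) & 0xF for i in range(1 << SUBKEY_BITS)]


def permute(table, x, in_width):
    """Cryptol's permute(table, x): output bit i is input bit table[i]."""
    out = 0
    for pos in table:
        out = (out << 1) | ((x >> (in_width - 1 - pos)) & 1)
    return out


def split(block):            # Cryptol `split`: [2*HALF] -> [2][HALF]
    return (block >> HALF, block & ((1 << HALF) - 1))


def join(lr):                # Cryptol `join`: [2][HALF] -> [2*HALF]
    return (lr[0] << HALF) | lr[1]


def expand(key, rnd):
    """Toy key schedule (constructed): rotate the key by the round number and
    keep SUBKEY_BITS bits.  DES derives its subkeys with PC-1/PC-2 instead."""
    r = rnd % KEY_BITS
    rotated = ((key << r) | (key >> (KEY_BITS - r))) & ((1 << KEY_BITS) - 1)
    return rotated & ((1 << SUBKEY_BITS) - 1)


def f(r, k):
    """f(r,k) = permute(PP, SBox(k ^ permute(EP, r))) from Figure 3."""
    return permute(PP, SBOX[k ^ permute(EP, r, HALF)], HALF)


def feistel_round(lr, key, rnd):
    """round([l r], key, rnd) = [r (l ^ f(r, kx))] where kx = expand(key, rnd)."""
    l, r = lr
    return (r, l ^ f(r, expand(key, rnd)))


class LazyStream:
    """A stream given by a function of the index, memoised so a definition that
    refers to itself (like `iv` in Figure 3) computes each element exactly once."""

    def __init__(self, element_at):
        self._element_at = element_at
        self._cache = {}

    def __getitem__(self, n):          # Cryptol's `iv @ n`
        if n not in self._cache:
            self._cache[n] = self._element_at(n)
        return self._cache[n]


def encrypt_spec(pt, key):
    """Transcription of the `des` definition in Figure 3 with the toy tables."""
    pt_ = permute(IP, pt, BLOCK)
    # iv = [| round(lr, key, rnd) || rnd <- [0..15] || lr <- [(split pt')] # iv |]
    iv = LazyStream(lambda n: feistel_round(split(pt_) if n == 0 else iv[n - 1], key, n))
    l, r = iv[ROUNDS - 1]                               # iv @ 15
    return permute(FP, join((r, l)), BLOCK)             # permute(FP, join(swap ...))


def encrypt_unrolled(pt, key):
    """The same cipher as an explicit loop, standing in for a hand-factored
    implementation whose equivalence to the specification has to be shown."""
    l, r = split(permute(IP, pt, BLOCK))
    for rnd in range(ROUNDS):
        l, r = r, l ^ f(r, expand(key, rnd))
    return permute(FP, join((r, l)), BLOCK)


def decrypt(ct, key):
    """Feistel inverse: the same rounds with the subkeys applied in reverse order."""
    l, r = split(permute(IP, ct, BLOCK))
    for rnd in reversed(range(ROUNDS)):
        l, r = r, l ^ f(r, expand(key, rnd))
    return permute(FP, join((r, l)), BLOCK)


def equivalent(keys):
    """Exhaustive check over every plaintext for each given key: the stream
    specification and the unrolled implementation agree, and decrypt inverts both."""
    for key in keys:
        for pt in range(1 << BLOCK):
            ct = encrypt_spec(pt, key)
            if ct != encrypt_unrolled(pt, key) or decrypt(ct, key) != pt:
                return False
    return True


if __name__ == "__main__":
    print("spec == unrolled and decrypt inverts:", equivalent(range(0, 1 << KEY_BITS, 17)))
```

The exhaustive loop is only feasible because the block is 8 bits wide; for the real 64-bit DES block it is exactly the gap the article's verification tools close by proving equivalence symbolically instead of by enumeration. The memoised LazyStream also shows why Cryptol's lazy semantics matter for a definition like iv: without memoisation a naive recursive definition would recompute earlier rounds once per later round.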