Formal Verification of DES Using the Mizar Proof Checker

Hiroyuki Okazaki (1), Kenichi Arai (2), and Yasunari Shidama (1)

(1) Shinshu University, 4-17-1 Wakasato Nagano-city, Nagano 380-8553, Japan
(2) Department of Information Technology, Nagano Technical High School, 3-9-1 sasideminami Nagano-city, Nagano 380-0948, Japan

Abstract: In this paper, we introduce our formalization of the Data Encryption Standard (DES) algorithm. DES, which was formerly the most widely used symmetric cryptosystem in the world, is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976. We prove the correctness of our formalization by using the Mizar proof checking system as a formal verification tool. Mizar is a project that formalizes mathematics with a computer-aided proving technique. The main objective of this work is to prove the security of cryptographic systems by using the Mizar proof checker.

Keywords: Formal Verification, Mizar, Cryptology, Data Encryption Standard (DES)

1. Introduction

Mizar[1], [2] is a project that formalizes mathematics with a computer-aided proving technique. The objective of this study is to prove the security of cryptographic systems by using the Mizar proof checker. To achieve this, we intend to formalize several topics in cryptology. In this paper, we introduce our formalization of the Data Encryption Standard (DES). DES, which was formerly the most widely used symmetric cryptosystem in the world, is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976[3]. DES is now considered to be insecure and has already been superseded by the Advanced Encryption Standard (AES)[4]. See [5] and [6] for recent information on DES. However, DES is a typical block cipher, and it has had a strong influence on the design of its successors. Thus, in the future we will verify another block cipher system that we develop by using a method similar to our formalization of DES with the Mizar system. We formalized the DES algorithm as specified in FIPS46–3[3] in the Mizar language. We then used the Mizar proof checker to verify the correctness of the formalized algorithm, namely that a ciphertext encoded by the algorithm can be decoded uniquely by the same algorithm. The remainder of this study is organized as follows. In Section 2, we briefly introduce the Mizar project. In Section 3, we briefly introduce the Data Encryption Standard (DES). In Section 4, we discuss our strategy for formalizing DES in Mizar. In Sections 5 and 6, we propose a formalization of DES. We conclude our discussion in Section 7. The definitions and theorems in this study have been verified for correctness by using the Mizar proof checker.

2. Mizar

Mizar[1], [2] is an advanced project of the Mizar Society, led by Andrzej Trybulec, that formalizes mathematics with a computer-aided proving technique. The Mizar project describes mathematical proofs in the Mizar language, which was created to formally describe mathematics. The Mizar proof checker operates in both Windows and UNIX environments, and registers the proven definitions and theorems in the Mizar Mathematical Library (MML). Furthermore, the objective of the Mizar project is to create a checking system for mathematical theses. A mathematical proof formalized and described in Mizar is called an “article”. When a new article is written, it can build on articles already registered in the MML, whose proofs have already been checked. Likewise, other articles can refer to an article after it has been registered in the MML. Although the Mizar language is based on the description method for general mathematical proofs, the reader should consult the references for its grammatical details, because Mizar uses a specific, unique notation[1], [2], [7], [8], [9].

3. Data Encryption Standard

In this section, we review the outline of the DES algorithm. The DES algorithm takes a 64-bit plaintext block and a 64-bit secret key, and transforms them into a 64-bit ciphertext block. Decryption must be performed using the same key as used for encryption; however, it should be performed with the key scheduling process altered so that the decryption is the reverse of the encryption. Figure 1 shows a sketch of the structure of DES. DES is an iterated block cipher with the Feistel structure. The Feistel structure ensures that encryption and decryption are similar processes, except that the round keys are used in the reverse order when decrypting. The algorithm is composed of the Feistel structure and a key scheduling function. In the Feistel structure of DES, there are 16 rounds of processing iterations. Before the main iterations, a given block of plaintext is permuted by IP and is then divided into two 32-bit blocks, L_0 and R_0. The i-th round is performed as follows:

$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus f(R_{i-1}, K_i),$$

where 1 ≤ i ≤ 16, f is the Feistel function of DES, and K_i is the i-th round key yielded by the key schedule function KS from the given secret key. Figure 2 shows a sketch of the i-th round of the Feistel structure. Finally, the final permutation IP^{-1} transforms the concatenation of L_16 and R_16 into the ciphertext.

[Figure 1: Structure of DES]
[Figure 2: i-th round of Feistel structure]

In Section 5, we will formalize the algorithm of generalized DES as a functor that takes substitutable subroutines. This generalized definition of DES is easily reusable for the formalization of other ciphers. In Section 6, we first formalize the subroutines, that is, the primitives of DES, according to FIPS46–3[3]. We will then formalize the DES algorithm by using the formalization of the generalized definition in Section 5 and the primitives in Section 6.1.

4. Strategy of Formalizing DES in Mizar

In Mizar, there are two ways to define computational routines in an algorithmic sense. One way is by defining a routine as a functor. A functor is a relation between the input and output of a routine in Mizar. It is easy to write and understand the formalization of a routine as a functor, because the format of a functor in Mizar is similar to that of a function in certain programming languages. The other way is by defining a routine as a Function. A Function is a map from the space of the input onto that of the output. We can handle a Function as an element of the set of Functions. Note that both functor and Function can take a Function as their substitutable subroutines.

5. Formalization of Generalized DES

First, we formalize the generalized algorithm of DES as a functor in the Mizar language as follows:

Definition 5.1: (Codec of generalized DES)

  let n,m,k be non empty Element of NAT,
      RK be Element of (k-tuples_on (m-tuples_on BOOLEAN)),
      F be Function of [:n-tuples_on BOOLEAN, m-tuples_on BOOLEAN:], n-tuples_on BOOLEAN,
      IP be Permutation of (2*n)-tuples_on BOOLEAN,
      M be Element of (2*n)-tuples_on BOOLEAN;
  func DES-like-CoDec(M,F,IP,RK) -> Element of (2*n)-tuples_on BOOLEAN means
    ex L,R be sequence of (n-tuples_on BOOLEAN) st
      L.0=SP-Left(IP.M) & R.0=SP-Right(IP.M) &
      (for i be Element of NAT st 0
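To make the round equations of Section 3 and the generalized codec of Definition 5.1 concrete, the following Python example (added here; it is neither the paper's code nor anything from the Mizar Mathematical Library) implements a DES-like codec parameterised exactly as the functor is: a block M of 2n bits, an arbitrary round function F, a permutation IP, and a key sequence RK. It then checks the property the paper proves in Mizar: running the same routine on the ciphertext with the round keys in reverse order returns the original block, for every possible 8-bit block, even though the round function is deliberately not invertible. The half-block width n = 4, the permutation, the round keys and the round function toy_f are constructed values; the swap of the two halves before IP^{-1} follows FIPS 46-3 and is my assumption about the final step of the truncated definition.

```python
"""Generalized (DES-like) Feistel codec: added example, not the paper's own code.

Assumptions (mine, not the paper's): a block is a list of bools, IP is an
index permutation, F(half, round_key) -> half may be any function, and the
output halves are swapped before IP^{-1}, as in FIPS 46-3.
"""
from typing import Callable, List, Sequence

Bits = List[bool]
RoundFn = Callable[[Bits, Bits], Bits]


def apply_perm(perm: Sequence[int], block: Bits) -> Bits:
    """Permute block: output position j takes input position perm[j]."""
    return [block[i] for i in perm]


def invert_perm(perm: Sequence[int]) -> List[int]:
    """Inverse of an index permutation; plays the role of DES's IP^{-1}."""
    inv = [0] * len(perm)
    for j, i in enumerate(perm):
        inv[i] = j
    return inv


def xor_bits(a: Bits, b: Bits) -> Bits:
    return [x != y for x, y in zip(a, b)]


def des_like_codec(M: Bits, F: RoundFn, IP: Sequence[int], RK: Sequence[Bits]) -> Bits:
    """Mirror of DES-like-CoDec(M, F, IP, RK):
    L_0 || R_0 = IP(M);  for each K_i in RK:  L_i = R_{i-1},  R_i = L_{i-1} xor F(R_{i-1}, K_i);
    result = IP^{-1}(R_k || L_k)   (final swap assumed, as in FIPS 46-3)."""
    if len(M) % 2 != 0 or len(IP) != len(M):
        raise ValueError("block length must be 2n and IP must permute 2n positions")
    n = len(M) // 2
    pre = apply_perm(IP, M)
    L, R = pre[:n], pre[n:]          # SP-Left / SP-Right of IP.M
    for K in RK:
        L, R = R, xor_bits(L, F(R, K))
    return apply_perm(invert_perm(IP), R + L)


def toy_f(R: Bits, K: Bits) -> Bits:
    """Constructed, deliberately NON-invertible round function (not DES's f):
    AND each bit of R with a key bit, then rotate left by one."""
    mixed = [r and K[i % len(K)] for i, r in enumerate(R)]
    return mixed[1:] + mixed[:1]


def int_to_bits(x: int, width: int) -> Bits:
    return [bool((x >> (width - 1 - i)) & 1) for i in range(width)]


def bits_to_int(b: Bits) -> int:
    v = 0
    for bit in b:
        v = (v << 1) | int(bit)
    return v


def roundtrip_ok(M: Bits, F: RoundFn, IP: Sequence[int], RK: Sequence[Bits]) -> bool:
    """The correctness property of the paper: encode with RK, decode with the
    same routine and the reversed key sequence, and recover M."""
    C = des_like_codec(M, F, IP, RK)
    return des_like_codec(C, F, IP, list(reversed(RK))) == M


def exhaustive_roundtrip_check() -> bool:
    """Constructed instance with n = m = 4, k = 6: check every 8-bit block."""
    n, m = 4, 4
    IP = [7, 0, 5, 2, 3, 6, 1, 4]                       # constructed permutation of 2n = 8 positions
    RK = [int_to_bits(v, m) for v in (0b1011, 0b0110, 0b1110, 0b0011, 0b1001, 0b0101)]
    return all(roundtrip_ok(int_to_bits(x, 2 * n), toy_f, IP, RK) for x in range(1 << (2 * n)))


if __name__ == "__main__":
    print("all 256 blocks round-trip:", exhaustive_roundtrip_check())
```

The decryption argument is the one-line induction the Mizar proof has to carry through formally: after the final swap, the decoder starts from (R_k, L_k), and one round with K_k yields (R_{k-1}, L_{k-1}) because the XOR of F(R_{k-1}, K_k) cancels; repeating down to K_1 gives (R_0, L_0), which the final swap and IP^{-1} map back to M. Nothing in that argument uses a property of F, which is why the functor may take any Function as its subroutine.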