mirror of
https://github.com/GaloisInc/cryptol.git
synced 2024-08-18 02:10:31 +03:00
Use autoref command and lowercase section refs consistently in the book.
This commit is contained in:
parent
10f43b4279
commit
af6b830162
@ -64,7 +64,7 @@ community of cryptographers.
|
||||
The AES algorithm always takes 128 bits of input, and always produces
|
||||
128 bits of output, regardless of the key size. The key-size can be
|
||||
one of 128 (AES128), 192 (AES192), or 256 (AES256). Following the
|
||||
standard, we define the following three parameters~\cite[Section
|
||||
standard, we define the following three parameters~\cite[section
|
||||
2.2]{aes}:
|
||||
\begin{itemize}
|
||||
\item {\tt Nb}: Number of columns, always set to 4 by the standard.
|
||||
@ -185,7 +185,7 @@ Define a function
|
||||
gf28Add : {n} (fin n) => [n]GF28 -> GF28
|
||||
\end{code}
|
||||
that adds all the elements given.
|
||||
\lhint{Use a fold, see Pg.~\pageref{par:fold}.}\indFold
|
||||
\lhint{Use a fold, see page~\pageref{par:fold}.}\indFold
|
||||
\end{Exercise}
|
||||
\begin{Answer}\ansref{ex:gf:add0}
|
||||
\begin{code}
|
||||
@ -336,7 +336,7 @@ But {\tt aesMultAssociative} takes much longer! We show the results of
|
||||
%% [Coverage: 5.96e-3%. (1000/16777216)]
|
||||
Note that the coverage is pretty small (on the order of $0.006\%$)
|
||||
in this case. Proving associativity of multiplication algorithms using
|
||||
SAT/SMT based technologies is a notoriously hard task~\cite[Section
|
||||
SAT/SMT based technologies is a notoriously hard task~\cite[section
|
||||
6.3.1]{DecisionProcedures2008}. If you have the time, you can let
|
||||
Cryptol run long enough to complete the {\tt :prove
|
||||
gf28MultAssociative} command, however.
|
||||
@ -352,7 +352,7 @@ Cryptol run long enough to complete the {\tt :prove
|
||||
|
||||
Recall that the state in AES\indAES is a $4\times4$ matrix of
|
||||
bytes. As part of its operation, AES\indAES performs the so called
|
||||
{\tt SubBytes} transformation\indAESSbox~\cite[Section 5.1.1]{aes},
|
||||
{\tt SubBytes} transformation\indAESSbox~\cite[section 5.1.1]{aes},
|
||||
substituting each byte in the state with another element. Given an $x
|
||||
\in \mbox{GF}(2^8)$,\indGF the substitution for $x$ is computed as
|
||||
follows:
|
||||
@ -505,7 +505,7 @@ can make a table containing the precomputed values for all possible
|
||||
256 inputs, and simply perform a table look-up instead of computing
|
||||
these values each time we need it. In fact, Figure~7 on page 16 of
|
||||
the AES\indAES standard lists these precomputed values for
|
||||
us~\cite[Section 5.1.1]{aes}. We capture this table below in Cryptol:
|
||||
us~\cite[section 5.1.1]{aes}. We capture this table below in Cryptol:
|
||||
\todo[inline]{We should consistently use either ``look-up'' or ``lookup''.}
|
||||
|
||||
\vspace{0.25cm}
|
||||
@ -582,7 +582,7 @@ We have:
|
||||
high-assurance development makes sure that we have not made any
|
||||
cut-and-paste errors when we wrote down the numbers in our {\tt
|
||||
sbox} table. Equivalently, our proof also establishes that the
|
||||
official specification~\cite[Section 5.1.1]{aes} got its own table
|
||||
official specification~\cite[section 5.1.1]{aes} got its own table
|
||||
correct!}
|
||||
|
||||
\todo[inline]{Revisit a commented-out exercise here after \ticket{210}
|
||||
@ -611,7 +611,7 @@ We have:
|
||||
mind.}
|
||||
|
||||
The second transformation AES\indAES utilizes is the {\tt
|
||||
ShiftRows}\indAESShiftRows operation~\cite[Section 5.1.2]{aes}. This
|
||||
ShiftRows}\indAESShiftRows operation~\cite[section 5.1.2]{aes}. This
|
||||
operation treats the {\tt State} as a $4\times4$ matrix, and rotates
|
||||
the last three row to the left by the amounts 1, 2, and 3;
|
||||
respectively. Implementing {\tt ShiftRows} in Cryptol is trivial,
|
||||
@ -657,7 +657,7 @@ Of course, any multiple of 4 would have the same effect.
|
||||
\sectionWithAnswers{The {\ttfamily{\textbf MixColumns}} transformation}{sec:aesmixcolumns}
|
||||
|
||||
The third major transformation AES\indAES performs is the {\tt
|
||||
MixColumns}\indAESMixColumns operation~\cite[Section 5.1.3]{aes}.
|
||||
MixColumns}\indAESMixColumns operation~\cite[section 5.1.3]{aes}.
|
||||
In this transformation, the {\tt State} is viewed as a $4\times4$
|
||||
matrix, and each successive column of it is replaced by the result of
|
||||
multiplying it by the matrix:
|
||||
@ -778,7 +778,7 @@ which multiplies the given matrices in GF($2^8$)\indGF.
|
||||
|
||||
\unparagraph Now that we have the matrix multiplication machinery
|
||||
built, we can code {\tt MixColumns} fairly easily. Following the
|
||||
description in the AES\indAES standard~\cite[Section 5.3.1]{aes}, all
|
||||
description in the AES\indAES standard~\cite[section 5.3.1]{aes}, all
|
||||
we have to do is to multiply the matrix we have seen at the beginning
|
||||
of this section with the state:
|
||||
|
||||
@ -806,7 +806,7 @@ row-based ordering.
|
||||
between the various ticked and unticked versions of functions and
|
||||
their composition.}
|
||||
|
||||
Recall from Section~\ref{sec:aesparams} that AES takes 128, 192, or
|
||||
Recall from \autoref{sec:aesparams} that AES takes 128, 192, or
|
||||
256-bit keys. The key is not used as-is, however. Instead, AES\indAES
|
||||
expands the key into a number of round keys, called the {\em key
|
||||
schedule}. Construction of the key schedule relies on a number of
|
||||
@ -814,7 +814,7 @@ auxiliary definitions, as we shall see shortly.
|
||||
|
||||
\paragraph*{Round constants} The AES\indAES standard refers to the constant
|
||||
array {\tt Rcon} used during key expansion. For each {\tt i}, {\tt
|
||||
Rcon[i]} contains 4 words, the last three being 0~\cite[Section
|
||||
Rcon[i]} contains 4 words, the last three being 0~\cite[section
|
||||
5.2]{aes}. The first element is given by $x^{i-1}$, where
|
||||
exponentiation is done using the {\tt gf28Pow} function you have
|
||||
defined in Exercise~\ref{aes:subbytes}-\ref{ex:gfmi:0}. In Cryptol,
|
||||
@ -857,7 +857,7 @@ to get the indexing right.
|
||||
\end{Exercise}
|
||||
\begin{Answer}\ansref{ex:aeskerc:1}
|
||||
We need to write a conditional property
|
||||
(Section~\ref{sec:condproof})\indThmCond. Below, we use the function
|
||||
(\autoref{sec:condproof})\indThmCond. Below, we use the function
|
||||
{\tt elem} you have defined in
|
||||
Exercise~\ref{sec:recandrec}-\ref{ex:recfun:4:1}:\indElem
|
||||
\begin{code}
|
||||
@ -897,20 +897,20 @@ We have:
|
||||
% \end{Answer}
|
||||
|
||||
\paragraph*{The {\ttfamily{\textbf SubWord}} function} The AES\indAES
|
||||
specification refers to a function named {\tt SubWord}~\cite[Section
|
||||
specification refers to a function named {\tt SubWord}~\cite[section
|
||||
5.2]{aes}, that takes a 32-bit word and applies the {\tt SubByte}
|
||||
transformation from Section~\ref{aes:subbytes}. This function is
|
||||
transformation from \autoref{aes:subbytes}. This function is
|
||||
trivial to code in Cryptol:
|
||||
\begin{code}
|
||||
SubWord : [4]GF28 -> [4]GF28
|
||||
SubWord bs = [ SubByte' b | b <- bs ]
|
||||
\end{code}
|
||||
Note that we have used the table-lookup version ({\tt SubByte'},
|
||||
Pg~\pageref{aes:subbytetl}) above.
|
||||
page~\pageref{aes:subbytetl}) above.
|
||||
|
||||
\paragraph*{The {\ttfamily{\textbf RotWord}} function} The last
|
||||
function we need for key expansion is named {\tt RotWord} by the
|
||||
AES\indAES standard~\cite[Section 5.2]{aes}. This function merely
|
||||
AES\indAES standard~\cite[section 5.2]{aes}. This function merely
|
||||
rotates a given word cyclically to the left:
|
||||
\begin{code}
|
||||
RotWord : [4]GF28 -> [4]GF28
|
||||
@ -933,7 +933,7 @@ viewed the same way as the {\tt State}:\todo[inline]{\emph{Viewed} or
|
||||
type RoundKey = State
|
||||
\end{code}
|
||||
The expanded key schedule contains {\tt Nr}+1 round-keys. (Recall
|
||||
from Section~\ref{sec:aesparams} that {\tt Nr} is the number of
|
||||
from \autoref{sec:aesparams} that {\tt Nr} is the number of
|
||||
rounds.) It also helps to separate out the first and the last keys,
|
||||
as they are used in a slightly different fashion. Based on this
|
||||
discussion, we use the following Cryptol type to capture the
|
||||
@ -946,7 +946,7 @@ The key schedule is computed by seeding it with the initial key and
|
||||
computing the successive elements from the previous entries. In
|
||||
particular, the $i$th element of the expanded key is determined as
|
||||
follows, copied verbatim from the AES\indAES
|
||||
specification~\cite[Figure 11; Section 5.2]{aes}:
|
||||
specification~\cite[figure 11; section 5.2]{aes}:
|
||||
\begin{Verbatim}
|
||||
temp = w[i-1]
|
||||
if (i mod Nk = 0)
|
||||
@ -1080,7 +1080,7 @@ Appendix~A.1 of the reference specification for AES.\indAES
|
||||
\label{sec:ttfam-addr-transf}
|
||||
|
||||
{\tt AddRoundKey} is the simplest of all the transformations in
|
||||
AES~\cite[Section 5.1.4]{aes}.\indAES It merely amounts to the
|
||||
AES~\cite[section 5.1.4]{aes}.\indAES It merely amounts to the
|
||||
exclusive-or of the state and the current round key:\indXOr
|
||||
\begin{code}
|
||||
AddRoundKey : (RoundKey, State) -> State
|
||||
@ -1099,10 +1099,10 @@ encryption.
|
||||
|
||||
\paragraph*{AES rounds} As mentioned before, AES performs encryption in
|
||||
rounds. Each round consists of performing {\tt SubBytes}
|
||||
(Section~\ref{aes:subbytes}), {\tt ShiftRows}
|
||||
(Section~\ref{aes:shiftrows}), and {\tt MixColumns}
|
||||
(Section~\ref{sec:aesmixcolumns}). Before finishing up, each round
|
||||
also adds the current round key to the state~\cite[Section
|
||||
(\autoref{aes:subbytes}), {\tt ShiftRows}
|
||||
(\autoref{aes:shiftrows}), and {\tt MixColumns}
|
||||
(\autoref{sec:aesmixcolumns}). Before finishing up, each round
|
||||
also adds the current round key to the state~\cite[section
|
||||
5.1]{aes}. The Cryptol code for the rounds is fairly trivial:
|
||||
\begin{code}
|
||||
AESRound : (RoundKey, State) -> State
|
||||
@ -1159,7 +1159,7 @@ We have:
|
||||
given key and calls the round functions. The starting state (\texttt{state0}
|
||||
below) is constructed by adding the first round key to the
|
||||
input. We then run all the middle rounds using a simple comprehension,
|
||||
and finish up by applying the last round~\cite[Figure 5, Section
|
||||
and finish up by applying the last round~\cite[figure 5, section
|
||||
5.1]{aes}:\indRIndex
|
||||
\begin{code}
|
||||
aesEncrypt : ([128], [AESKeySize]) -> [128]
|
||||
@ -1208,7 +1208,7 @@ aesEncrypt(0x00112233445566778899aabbccddeeff, 0x000102030405060708090a0b0c0d0e0
|
||||
|
||||
\paragraph*{Other key sizes} Our development of AES has been key-size
|
||||
agnostic, relying on the definition of the parameter \texttt{Nk}. (See
|
||||
Section~\ref{sec:aesparams}.) To obtain AES192, all we need is to set
|
||||
\autoref{sec:aesparams}.) To obtain AES192, all we need is to set
|
||||
\texttt{Nk} to be 6, no additional code change is needed. Similarly, we
|
||||
merely need to set \texttt{Nk} to be 8 for AES256.
|
||||
|
||||
@ -1224,7 +1224,7 @@ merely need to set \texttt{Nk} to be 8 for AES256.
|
||||
\sectionWithAnswers{Decryption}{sec:aesdecryption}
|
||||
|
||||
AES decryption is fairly similar to encryption, except it uses inverse
|
||||
transformations~\cite[Figure 12, Section 5.3]{aes}. Armed with all the
|
||||
transformations~\cite[figure 12, section 5.3]{aes}. Armed with all the
|
||||
machinery we have built so far, the inverse transformations are
|
||||
relatively easy to define.
|
||||
|
||||
@ -1233,7 +1233,7 @@ relatively easy to define.
|
||||
\label{sec:ttfam-invs-transf}
|
||||
|
||||
The {\tt InvSubBytes} transformation reverses the {\tt SubBytes}
|
||||
transformation of Section~\ref{aes:subbytes}. As with {\tt SubBytes},
|
||||
transformation of \autoref{aes:subbytes}. As with {\tt SubBytes},
|
||||
we have a choice to either do a table lookup implementation, or follow
|
||||
the mathematical description. We will do the former in these examples;
|
||||
you are welcome to do the latter on your own and prove the equivalence
|
||||
@ -1302,8 +1302,8 @@ We have:
|
||||
\end{Answer}
|
||||
|
||||
\begin{Exercise}\label{ex:invsb:3}
|
||||
The AES specification provides an inverse S-box table~\cite[Figure
|
||||
14, Section 5.3.2]{aes}. Write a Cryptol function {\tt InvSubBytes'}
|
||||
The AES specification provides an inverse S-box table~\cite[figure
|
||||
14, section 5.3.2]{aes}. Write a Cryptol function {\tt InvSubBytes'}
|
||||
using the table lookup technique. Make sure your implementation is
|
||||
correct (i.e., equivalent to {\tt InvSubBytes}) by writing and
|
||||
proving a corresponding property.
|
||||
@ -1314,7 +1314,7 @@ We have:
|
||||
|
||||
The {\tt InvShiftRows} transformation\indAESInvShiftRows simply
|
||||
reverses the {\tt ShiftRows}\indAESShiftRows transformation from
|
||||
Section~\ref{aes:shiftrows}:
|
||||
\autoref{aes:shiftrows}:
|
||||
|
||||
\begin{code}
|
||||
InvShiftRows : State -> State
|
||||
@ -1342,7 +1342,7 @@ We have:
|
||||
\subsection{The {\ttfamily{\textbf InvMixColumns}} transformation}
|
||||
\label{sec:ttfam-invm-transf}
|
||||
|
||||
Recall from Section~\ref{sec:aesmixcolumns} that {\tt
|
||||
Recall from \autoref{sec:aesmixcolumns} that {\tt
|
||||
MixColumns}\indAESMixColumns amounts to matrix multiplication in
|
||||
GF($2^8$).\indGF The inverse transform turns out to be the same,
|
||||
except with a different matrix:\indAESInvMixColumns
|
||||
@ -1383,7 +1383,7 @@ take much longer. Below we show the {\tt :check} results instead:
|
||||
\label{sec:inverse-cipher}
|
||||
|
||||
We now also have all the ingredients to encode AES decryption.
|
||||
Following Figure~12 (Section 5.3) of the AES\indAES
|
||||
Following figure~12 (section 5.3) of the AES\indAES
|
||||
standard~\cite{aes}: {\small
|
||||
\begin{code}
|
||||
AESInvRound : (RoundKey, State) -> State
|
||||
@ -1441,7 +1441,7 @@ aesDecrypt(0x8ea2b7ca516745bfeafc49904b496089, 0x000102030405060708090a0b0c0d0e0
|
||||
|
||||
\paragraph*{Other key sizes} Similar to encryption, all we need to
|
||||
obtain AES192 decryption is to set {\tt Nk} to be 6 in
|
||||
Section~\ref{sec:aesparams}. Setting {\tt Nk} to 8 will
|
||||
section~\ref{sec:aesparams}. Setting {\tt Nk} to 8 will
|
||||
correspondingly give us AES256.
|
||||
|
||||
\paragraph*{The code} You can see all the Cryptol code for AES in
|
||||
@ -1504,7 +1504,7 @@ cryptographic algorithm programming.
|
||||
capabilities?}
|
||||
%% Furthermore, Cryptol has some further proof tools in its arsenal
|
||||
%% that will actually let us complete this proof in a reasonable
|
||||
%% amount of time, as we shall see in Section~\ref{sec:proveaes}.
|
||||
%% amount of time, as we shall see in \autoref{sec:proveaes}.
|
||||
\commentout{
|
||||
\begin{code}
|
||||
sanityCheck = (aesEncrypt (0x3243f6a8885a308d313198a2e0370734, 0x2b7e151628aed2a6abf7158809cf4f3c)
|
||||
|
@ -1,14 +1,15 @@
|
||||
\chapter{AES in Cryptol}\label{app:aes}
|
||||
|
||||
In this appendix we present the Cryptol code for the AES\indAES in its
|
||||
entirety for reference purposes. Chapter~\ref{chapter:aes} has a
|
||||
detailed discussion on how AES works, and the construction of the
|
||||
Cryptol model below.
|
||||
entirety for reference purposes.
|
||||
\hyperref[chapter:aes]{Chapter~\ref*{chapter:aes}} has a detailed
|
||||
discussion on how AES works, and the construction of the Cryptol model
|
||||
below.
|
||||
|
||||
In the below code, simply set {\tt Nk} to be 4 for AES128, 6 for
|
||||
AES192, and 8 for AES256 on line 19. No other modifications are
|
||||
required for obtaining these AES variants. Note that we have
|
||||
rearranged the code given in Chapter~\ref{chapter:aes} below for ease
|
||||
rearranged the code given in \autoref{chapter:aes} below for ease
|
||||
of reading.
|
||||
%% and eliminated the theorem declarations for simplicity.
|
||||
|
||||
|
@ -74,7 +74,7 @@ instance, if the shift is 2, {\tt A} becomes {\tt C}, {\tt B} becomes
|
||||
{\tt D}, and so on. Once we run out of letters, we circle back to {\tt
|
||||
A}; so {\tt Y} becomes {\tt A}, and {\tt Z} becomes {\tt B}. Coding
|
||||
Caesar's cipher in Cryptol is quite straightforward (recall from
|
||||
Section~\ref{sec:tsyn} that a {\tt String n} is simply a sequence of n
|
||||
\autoref{sec:tsyn} that a {\tt String n} is simply a sequence of n
|
||||
8-bit words.):\indTSString
|
||||
\begin{code}
|
||||
caesar : {n} ([8], String n) -> String n
|
||||
@ -574,7 +574,7 @@ And similarly for other examples:
|
||||
One question is what happens if you search for a non-existing
|
||||
character. In this case you can just return {\tt 0}, a non-valid
|
||||
ASCII character, which can be interpreted as {\em not found}.
|
||||
\hint{Use a fold (see Pg.~\pageref{par:fold}).}\indFold
|
||||
\hint{Use a fold (see page~\pageref{par:fold}).}\indFold
|
||||
\end{Exercise}
|
||||
\begin{Answer}\ansref{ex:subst:1}
|
||||
\begin{code}
|
||||
|
@ -38,7 +38,7 @@ interchangeable scramblers, and a fixed reflector.
|
||||
\sectionWithAnswers{The plugboard}{sec:enigma:plugboard}
|
||||
|
||||
Enigma essentially implements a polyalphabetic substitution cipher
|
||||
(Section~\ref{section:subst})\indPolyAlphSubst, consisting of a number
|
||||
(\autoref{section:subst})\indPolyAlphSubst, consisting of a number
|
||||
of rotating units that jumble up the alphabet. The first component is
|
||||
the so called plugboard ({\em steckerbrett} in
|
||||
German)\indEnigmaPlugboard. In the original Enigma, the plugboard
|
||||
@ -283,7 +283,7 @@ signature:
|
||||
That is, we receive {\tt n} rotors and the character to be encrypted,
|
||||
and return the updated rotors (accounting for their rotations) and the
|
||||
final character. The implementation is an instance of the
|
||||
fold\indFold pattern (Section~\ref{sec:recandrec}), using the {\tt
|
||||
fold\indFold pattern (\autoref{sec:recandrec}), using the {\tt
|
||||
scramble} function we have just defined:
|
||||
\begin{code}
|
||||
joinRotors (rotors, inputChar) = (rotors', outputChar)
|
||||
@ -563,7 +563,7 @@ signal is passing the second time through the rotors. (In a sense, the
|
||||
rotations happen after the signal completes its full loop, getting to
|
||||
the reflector and back.) Consequently, it is much easer to code as
|
||||
well (compare this code to {\tt joinRotors}, defined in
|
||||
Section~\ref{sec:enigma:notches}):
|
||||
\autoref{sec:enigma:notches}):
|
||||
|
||||
\begin{code}
|
||||
backSignal : {n} (fin n) => ([n]Rotor, Char) -> Char
|
||||
@ -576,7 +576,7 @@ Section~\ref{sec:enigma:notches}):
|
||||
\end{code}
|
||||
Note that we explicitly reverse the rotors in the definition of {\tt
|
||||
cs}.\indReverse (The definition of {\tt cs} is another typical
|
||||
example of a fold. See Pg.~\pageref{par:fold}.)\indFold
|
||||
example of a fold. See page~\pageref{par:fold}.)\indFold
|
||||
|
||||
Given all this machinery, coding the entire Enigma loop is fairly
|
||||
straightforward:
|
||||
|
@ -1,6 +1,8 @@
|
||||
\chapter{Enigma simulator}\label{app:enigma}
|
||||
In this appendix we present the Cryptol code for the enigma\indEnigma machine in its entirety for
|
||||
reference purposes. Chapter~\ref{chapter:enigma} has a detailed discussion on how the enigma machine worked, and the
|
||||
In this appendix we present the Cryptol code for the enigma\indEnigma
|
||||
machine in its entirety for reference purposes.
|
||||
\hyperref[chapter:enigma]{Chapter~\ref*{chapter:enigma}} has a
|
||||
detailed discussion on how the enigma machine worked, and the
|
||||
construction of the Cryptol model below.
|
||||
|
||||
\fvset{fontsize=\footnotesize}
|
||||
|
@ -143,7 +143,7 @@ What do you see?\indCmdInfo
|
||||
It is important to distinguish between \emph{stating} a property and
|
||||
actually \emph{proving} it. So far, our focus is purely on
|
||||
specification. We will focus on actual proofs in
|
||||
Section~\ref{sec:establishcorrectness}.
|
||||
\autoref{sec:establishcorrectness}.
|
||||
|
||||
%~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
\subsection{Property--function correspondence}\indThmFuncCorr
|
||||
@ -334,7 +334,7 @@ etc.) did not violate the stated properties.
|
||||
\label{sec:formal-proofs}
|
||||
|
||||
Recall our very first property, {\tt sqDiffsCorrect}, from
|
||||
Section~\ref{sec:writingproperties}. We will now use Cryptol to
|
||||
\autoref{sec:writingproperties}. We will now use Cryptol to
|
||||
actually prove it automatically. To prove {\tt sqDiffsCorrect}, use
|
||||
the command {\tt :prove}:\indCmdProve
|
||||
\begin{Verbatim}
|
||||
@ -395,7 +395,7 @@ at. These counterexamples are extremely valuable for debugging
|
||||
purposes.\indCounterExample
|
||||
|
||||
If you try to prove an invalid property that encodes a test vector
|
||||
(Section~\ref{sec:thmvec}), then you will get a mere indication that
|
||||
(\autoref{sec:thmvec}), then you will get a mere indication that
|
||||
you have a contradiction, since there are no universally quantified
|
||||
variables to instantiate to show you a
|
||||
counterexample.\indContradiction If the expression evaluates to {\tt
|
||||
@ -425,7 +425,7 @@ they may hold for certain monomorphic instances while not for others.
|
||||
In this cases, we must tell Cryptol what particular monomorphic
|
||||
instance of the property we would like it to prove. Let us
|
||||
demonstrate this with the \texttt{multShift} property from
|
||||
Section~\ref{sec:polythm}:
|
||||
\autoref{sec:polythm}:
|
||||
\begin{Verbatim}
|
||||
Cryptol> :prove multShift
|
||||
Not a monomorphic type:
|
||||
@ -444,7 +444,7 @@ function to the {\tt :prove} command:\indCmdProve\indWhere
|
||||
Cryptol> :prove dbl where dbl x = (x:[8]) * 2 == x+x
|
||||
Q.E.D.
|
||||
\end{Verbatim}
|
||||
Of course, a \lamex (Section~\ref{sec:lamex}) would work just as well
|
||||
Of course, a \lamex (\autoref{sec:lamex}) would work just as well
|
||||
too:\indLamExp
|
||||
\begin{Verbatim}
|
||||
Cryptol> :prove \x -> (x:[8]) * 2 == x+x
|
||||
@ -584,12 +584,12 @@ We have:
|
||||
%%\end{code}
|
||||
%%to simplify writing conditional properties.
|
||||
%% However, this approach is flawed as it fails to account correctly for
|
||||
%% exceptions. We shall revisit this topic in detail in
|
||||
%% Sections~\ref{sec:pitfall:evorder} and~\ref{sec:pitfall:thmexceptions}.
|
||||
%% exceptions. We shall revisit this topic in detail in
|
||||
%% sections~\ref{sec:pitfall:evorder} and~\ref{sec:pitfall:thmexceptions}.
|
||||
|
||||
\paragraph*{Recognizing messages} Our work on classic ciphers
|
||||
(Chapter~\ref{chapter:classic}) and the enigma
|
||||
(Chapter~\ref{chapter:enigma}) involved working with messages that
|
||||
(\autoref{chapter:classic}) and the enigma
|
||||
(\autoref{chapter:enigma}) involved working with messages that
|
||||
contained the letters {\tt 'A'} .. {\tt 'Z'} only. When writing
|
||||
properties about these ciphers it will be handy to have a recognizer
|
||||
for such messages, as we explore in the next exercise.
|
||||
@ -624,7 +624,7 @@ write it inline.
|
||||
|
||||
\begin{Exercise}\label{ex:cond:3}
|
||||
Recall the pair of functions {\tt caesar} and {\tt dCaesar} from
|
||||
Section~\ref{sec:caesar}.\indCaesarscipher Write a property, named
|
||||
\autoref{sec:caesar}.\indCaesarscipher Write a property, named
|
||||
{\tt caesarCorrect}, stating that {\tt caesar} and {\tt dCaesar} are
|
||||
inverses of each other for all {\tt d} (shift amount) and {\tt msg}
|
||||
(message)'s. Is your property valid? What extra condition do you
|
||||
@ -663,8 +663,8 @@ We have:
|
||||
|
||||
\begin{Exercise}\label{ex:cond:4}
|
||||
Write and prove a property for the {\tt modelEnigma} machine
|
||||
(Page~\pageref{def:modelEnigma}), relating the {\tt enigma} and {\tt
|
||||
dEnigma} functions from Section~\ref{enigma:encdec}.
|
||||
(page~\pageref{def:modelEnigma}), relating the {\tt enigma} and {\tt
|
||||
dEnigma} functions from \autoref{enigma:encdec}.
|
||||
\end{Exercise}
|
||||
\begin{Answer}\ansref{ex:cond:4}
|
||||
\begin{code}
|
||||
@ -925,7 +925,7 @@ allowing the user to focus on the specification of the problem.
|
||||
\todo[inline]{Re-add chapter on verification, or two chapters on
|
||||
\texttt{:sat} and \texttt{:prove}.}
|
||||
% (We will see several larger applications of the satisfiability
|
||||
% checker in Chapter~\ref{chap:usingsat}.)
|
||||
% checker in \autoref{chap:usingsat}.)
|
||||
|
||||
\begin{Exercise}\label{ex:sat:0}
|
||||
Fermat's last theorem states that there are no integer solutions to
|
||||
@ -1020,7 +1020,7 @@ instance as you increase the bit-size.
|
||||
%%\begin{itemize}
|
||||
%% \item Division ({\tt /}) and modulus ({\tt \%}) by 0, both modular
|
||||
%% and polynomial versions (See
|
||||
%% Section~\ref{sec:polynomials})\indDiv\indMod\indDivPoly\indModPoly
|
||||
%% \autoref{sec:polynomials})\indDiv\indMod\indDivPoly\indModPoly
|
||||
%% \item Index-out-of-bounds errors for {\tt @}, {\tt @@}, {\tt !} and
|
||||
%% {\tt !!},\indIndex\indIndexs\indRIndex\indRIndexs
|
||||
%% \item Calling {\tt lg2} on {\tt 0},\indLg
|
||||
@ -1158,7 +1158,7 @@ instance as you increase the bit-size.
|
||||
%% While it is important to understand what Cryptol is telling us, the
|
||||
%% user can safely ignore these alerts most of the time, especially
|
||||
%% when one is focusing only at the Cryptol level. (We will revisit
|
||||
%% this topic in Section~\ref{sec:pitfall:thmexceptions}.)
|
||||
%% this topic in \autoref{sec:pitfall:thmexceptions}.)
|
||||
%%
|
||||
%%\begin{Exercise}\label{ex:safe:3}
|
||||
%% Rewrite {\tt choose} so that {\tt :safe} will not issue any
|
||||
|
@ -76,7 +76,7 @@
|
||||
|
||||
\newcommand{\sectionWithAnswers}[2]{%
|
||||
\section{#1}\label{#2}%
|
||||
\AnswerBoxSectionMark{Section \arabic{chapter}.\arabic{section} #1 (p.\pageref{#2})}%
|
||||
\AnswerBoxSectionMark{Section \arabic{chapter}.\arabic{section} #1 (p.~\pageref{#2})}%
|
||||
\AnswerBoxExecute{\addcontentsline{toc}{section}{\texorpdfstring{\parbox{2.3em}{\arabic{chapter}.\arabic{section}\ }}{(\arabic{chapter}.\arabic{section})\ }#1}}%
|
||||
}
|
||||
|
||||
@ -223,7 +223,7 @@ include "../aes/AES.tex";
|
||||
%\section{Assumed equality}
|
||||
%\section{Uninterpreted functions}
|
||||
%\section{Proving AES correct}\label{sec:proveaes}
|
||||
%In Section~\ref{sec:aescorrectattempt}, we wrote down the below Cryptol theorem stating that our AES\indAES encryption/decryption functions work correctly:
|
||||
%In \autoref{sec:aescorrectattempt}, we wrote down the below Cryptol theorem stating that our AES\indAES encryption/decryption functions work correctly:
|
||||
%\begin{Verbatim}
|
||||
% theorem AESCorrect: {msg key}. aesDecrypt (aesEncrypt (msg, key), key) == msg;
|
||||
%\end{Verbatim}
|
||||
|
@ -73,7 +73,7 @@ Here is the response I get:
|
||||
[0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x21]
|
||||
\end{Verbatim}
|
||||
\end{small}
|
||||
As we shall see in Section~\ref{sec:charstring}, strings are just
|
||||
As we shall see in \autoref{sec:charstring}, strings are just
|
||||
sequences of ASCII characters, so Cryptol is telling you the ASCII
|
||||
numbers corresponding to the letters.
|
||||
\end{Answer}
|
||||
|
Loading…
Reference in New Issue
Block a user