Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jhumphry/Ascon_SPARK

A project to implement the Ascon AEAD algorithm in Ada 2012 / SPARK 2014
https://github.com/jhumphry/Ascon_SPARK

Last synced: 2 months ago
JSON representation

A project to implement the Ascon AEAD algorithm in Ada 2012 / SPARK 2014

Lists

README 

        
# Ascon_SPARK



## Introduction



This is an Ada 2012 / SPARK 2014 project that implements the [Ascon](http://ascon.iaik.tugraz.at) 

Authenticated Encryption with Additional Data Algorithm, the [NIST Lightweight 

Cryptography](https://csrc.nist.gov/projects/lightweight-cryptography) standard. It was also 

selected as a finalist in the [CAESAR](http://competitions.cr.yp.to/caesar.html) competition. Ascon 

was designed by Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Martin Schläffer.



This project implements both of the recommended Ascon variants in v1.1 and v1.2 of the

specification. A single generic package can be instantiated with the relevant parameters. There are

a few additional requirements on the target system which should not be a problem - for example it

must support operations on the `Interfaces.Unsigned_64` type.



This project is free software (using the ISC permissive licence) and is provided with no

warranties, as set out in the file `LICENSE`.



## Overview of the packages



The main generic package is `Ascon` which implements the high-level API. This consists of just two

procedures, `AEADEnc` and `AEADDec`. The former procedure takes in a key `K`, a 'nonce' `N`,

optional associated data `A` (not encrypted) and the optional message to be encrypted `M` and

returns the encrypted cipher-text `C` and the authentication tag `T`. The latter procedure performs

the decryption and returns the decoded message and a Boolean that indicates whether the message was

valid. If either of the  `A` or `M` parameters are not used, the constant `Null_Storage_Array` can

be passed to the routines.



Packages `Ascon128v11` and `Ascon128av11` are instantiations of the generic package with the

parameters recommended in version 1.1 of the specification. Packages `Ascon128v12` and

`Ascon128av12` are instantiations of the generic package with the parameters recommended in version

1.2 of the specification.



`Ascon_Definitions` defines some constrained types used in the generic formal parameters and

`Ascon.Load_Store` contains functions that convert between standard word sizes and `Storage_Array`

in Little-Endian format.



`Ascon.Access_Internals` allows access to the lower-level API which allows you to follow the

internal state of the cipher as it processes some data. `Ascon.Utils` contains useful helper

functions for printing out `Storage_Array` and `State` types.



## Examples



Three example programs are included. `ascon128_demo` is a simple example of using the high-level

API and demonstrates successful encryption and decryption, and also unsuccessful decryption if the

tag is altered.



`ascon_test_vectors` uses the lower-level API to print the trace of a sample encryption for both of

the suggested variants of Ascon128. These can be compared with the output of the reference C code

provided by the Ascon designers. In order to get a more detailed trace from the reference C code,

the line `//#define PRINTSTATE` in `ascon.c` should be un-commented.



`ascon_check_padding` checks that authenticated encryption and decryption works correctly when the

lengths of the associated data and message vary. This is primarily to check for any bugs in the

implementation of the padding.



## Status of SPARK proof



As the code is written in the SPARK 2014 subset of Ada 2012, it is possible to formally verify

properties of the code and eliminate the possibility of run-time exceptions.



The GPL SPARK prover `gnatprove` shipped with GNAT Community 2021 from 

[AdaCore](https://www.adacore.com/community) is used for this project. It is also able to prove the 

absence of all potential sources of run-time exceptions without manual intervention. This includes 

checking for the non-initialization of arrays, which was not possible before GNAT Community 2020. 

It also proves that `AEADDec` will not return any decrypted data if the tag verification failed.



## Project files



The project has been updated to work withe Alire package manager, so it can be built with the usual

command `alr build`. The `tests` directory contains a sub-project that includes tests of the code.



Alternatively, the `gprbuild` project files can be used directly. These have the usual flags 

available, but with one custom flag:



- `ascon_spark_load_store` can only be set to `explicit` (the default). This setting is reserved 

for possible future accelerated big-/little-endian conversions.



Note that the file `ascon-compare_tags.adb` is given special treatment, as it is never optimized 

regardless of the optimization flags selected. This is deliberate, in an attempt to prevent the 

compiler from optimizing the tag check to 'short-circuit' - that is, to prevent it from re-writing 

the code to return early if two tags differ at an early position.  This optimization can produce a 

timing small side-channel which can, in certain situations, leak information to opponents. This is 

also the reason why the comparison of the two tag arrays is not written in the most obvious way.



## Using GNATprove for verification



To verify the code, GNATprove can be invoked via the GnatStudio IDE. Alternatively the following 

command line can be used:



- SPARK from GNAT Community 2021



    gnatprove -P ascon_spark.gpr -j0 -Xload_store=explicit -Xmode=debug --level=0



Add `--report=all` if you want to see the checks that are proved as well.