13. Example of a Mizar statement (Taylor expansion theorem)
theorem :: TAYLOR_1:33
for n be Nat, f be PartFunc of REAL,REAL, x0,r be Real st
( 0 < r & f is_differentiable_on n+1, ].x0-r,x0+r.[ )
for x be Real st x in ].x0-r,x0+r.[ holds ex s be Real st 0 < s & s < 1 &
f.x=Partial_Sums(Taylor(f, ].x0-r,x0+r.[,x0,x)).n + (diff(f,].x0-r,x0+r.[).(n+1)).(x0+s*(x-x0)) * (x-x0) |^ (n+1) / ((n+1)!);
14. The same theorem written in another system
|- !f diff h n. &0 < h /\ 0 < n /\ (diff(0) = f) /\ (!m t. m < n /\ &0 <= t /\ t <= h ==> (diff(m) diffl diff(SUC m)(t))(t)) ==> (?t. &0 < t /\ t < h /\ (f(h) = sum(0,n)(\m. (diff(m)(&0) / &(FACT m)) * (h pow m)) + ((diff(n)(t) / &(FACT n)) * (h pow n))))
Hard to read
(Example: HOL Light)
21. Example of a formalized description (main body)
begin
theorem EX1:
for n being Nat holds 2 divides n*(n-1)
proof
defpred P[Nat] means 2 divides $1*($1-1);
0 = 2 * 0;
then
P0: P[0] by INT_1:def 3;
PN: for n being Nat st P[n] holds P[n+1]
proof
let n be Nat;
assume P[n];
then
consider s being Integer such that
A2: n * (n - 1) = 2 * s by INT_1:def 3;
(n+1)*(n+1-1) = n*(n-1) + n + n*1
.=n*(n-1) + 2*n
.=2*s + 2*n by A2
.= 2*(s+n);
hence P[n+1] by INT_1:def 3;
end;
thus for n being Nat holds P[n] from NAT_1:sch 2(P0,PN);
end;
23. PN: for n being Nat st P[n] holds P[n+1]
Lemma PN:
For every natural number n, "if P[n] holds, then P[n+1] holds"
proof
Start of the proof of lemma PN
Written as a proof ~ end block.
let n be Nat;
Let n be an arbitrary natural number
assume P[n];
Assume P[n], that is, 2 divides n・(n-1)
then
consider s being Integer such that
A2: n * (n - 1) = 2 * s by INT_1:def 3;
Hence, by INT_1:def 3, we can consider some natural number s for which the following lemma A2 holds.
Lemma A2: n・(n - 1) = 2・s
24. (n+1)*(n+1-1) = n*(n-1) + n + n*1
.=n*(n-1) + 2*n
.=2*s + 2*n by A2
.= 2*(s+n);
By lemma A2 and so on, we obtain the equality
(n+1)・(n+1-1) = 2・(s+n)
hence
P[n+1] by INT_1:def 3;
Therefore P[n+1] holds by INT_1:def 3
end;
End of the proof of lemma PN
thus for n being Nat holds
P[n] from NAT_1:sch 2(P0,PN);
Thus, using lemmas P0 and PN and the mathematical induction axiom scheme NAT_1:sch 2, P[n] holds for every natural number n
end;
End of the proof of theorem EX1
34. One more simple example
theorem
for x be Element of NAT st 1 < x holds
not ex N,c be Element of NAT st
for n be Element of NAT st N <= n holds
x to_power n <= c * ( n to_power x)
2014/9/7
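$\forall x \in \mathbb{N}\ \text{s.t.}\ 1 < x\ \text{holds}\ \neg\exists N, c \in \mathbb{N}\ \text{s.t.}\ \forall n \in \mathbb{N}\ \text{s.t.}\ N \le n\ \text{holds}\ x^{n} \le c \cdot n^{x}$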
36. theorem N2POWINPOLY:
for x be Element of NAT st 1 < x holds
not ex N,c be Element of NAT st
for n be Element of NAT st N <= n holds
2 to_power n <= c * ( n to_power x)
Using the theorem above, we prove:
for x be Element of NAT st 1 < x holds
not ex N,c be Element of NAT st
for n be Element of NAT st N <= n holds
x to_power n <= c * ( n to_power x)
37. proof
let x be Element of NAT;
assume AS: 1 < x;
assume CNT: ex N,c be Element of NAT st
for n be Element of NAT st N <= n holds
x to_power n <= c * ( n to_power x);
First, assume that the proposition is false
38. ex N,c be Element of NAT st
for n be Element of NAT st N <= n holds
2 to_power n <= c * ( n to_power x);
(the proof is on the next page)
hence contradiction by AS,N2POWINPOLY;
end;
Since something absurd has been proved, this contradicts theorem N2POWINPOLY, and the proof by contradiction is complete
39. ex N,c be Element of NAT st for n be Element of NAT st N <= n holds
2 to_power n <= c * ( n to_power x)
proof
consider N,c be Element of NAT such that CNT2:
for n be Element of NAT st N <= n holds
x to_power n <= c * ( n to_power x) by CNT;
take N,c;
for n be Element of NAT st N <= n holds 2 to_power n <= c * ( n to_power x)
proof
let n be Element of NAT; assume N <= n;then
LCX1: x to_power n <= c * ( n to_power x) by CNT2;
1+1 <= x by AS,INT_1:7;then
2 to_power n <= x to_power n by LEMC01;
hence thesis by LCX1,XXREAL_0:2;
end;
hence thesis; end;
41. Data Encryption Standard (DES)
Symmetric cryptosystem (block cipher). Selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 (FIPS46).
Strong influence on the design of its successors.
Now: insecure. Advanced Encryption Standard (AES).
42. Formal Verification of DES Using the Mizar Proof Checker
Hiroyuki Okazaki1, Kenichi Arai2, Yasunari Shidama1
1. Shinshu University 2. Nagano Technical High School (at the time); now: Tokyo University of Science
July 18, 2011
43. Agenda
Proof is verified by using a proof checker.
The correctness of our formalization of the DES algorithm.
Prove the security of cryptographic systems by using the Mizar proof checker.
Introduction : Our formalization of the Data Encryption Standard (DES) algorithm.
44. Proof Checker “Mizar”
The definitions and the theorems have been verified for correctness using the Mizar proof checking system.
Mizar is an advanced project of the Mizar Society, led by Prof. A. Trybulec at Bialystok University, that formalizes mathematics with computer assistance. The Mizar project describes mathematical proofs in the Mizar language, which was created to describe mathematics formally. A formalized description of a mathematical proof is called an article.
45. Structure of DES
64-bit plaintext block. 64-bit secret key. 64-bit ciphertext block. 16 rounds of processing iterations.
[Figure 1: Structure of DES. Labels: Encryption, Decryption, Same Key, Feistel Structure, 64 bits]
46. i-th Round of Feistel Structure
[Figure 2: i-th round of Feistel structure]
( ) Ri-1 : 32-bit block. Li-1 : 32-bit block. Ki : i-th round key (48 bits).
Exclusive OR (XOR)
47. About “functor” and “Function”
Mizar: two ways to define computational routines in an algorithmic sense: functor and function.
A “functor” is a relation between the input and output of a routine.
A “function” is a map from the space of the input onto that of the output.
48. Strategy of Formalizing DES in Mizar
Step1 : Formalization of the algorithm of generalized DES.
Step2 : Formalization of the primitives of DES according to FIPS46–3.
Formalization of the DES algorithm
49. Formalization of the generalized algorithm of DES
Definition 5.1: ( Codec of generalized DES )
Mizar language
it = DES-like-CoDec(M,F,IP,RK)
: Concatenation
: Inverse
[:A, B:] : Cartesian product of A and B
50. Correctness of the generalized algorithm of DES
Theorem 5.1: ( Correctness of generalized DES )
Proved that the ciphertext encoded by any Feistel cipher algorithm can be decoded uniquely with the same algorithm and secret key that were used in encryption.
Mizar language
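Theorem 5.1 above, illustrated as an added Python example (not the authors' Mizar formalization): a generalized Feistel codec decodes with the same routine and the reversed round keys, whatever the round function F is, even a many-to-one one. The byte-level permutation standing in for IP, the round keys and all function names are constructed for this sketch.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def permute(block, table):
    # output[i] = block[table[i]]
    return bytes(block[i] for i in table)

def invert(table):
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table):
        inv[in_pos] = out_pos
    return inv

def feistel_codec(block, round_keys, f, ip):
    """IP, one Feistel round per key, final swap, IP^-1."""
    block = permute(block, ip)
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return permute(right + left, invert(ip))

def hash_f(right, key):
    # Non-invertible round function: truncated SHA-256.
    return hashlib.sha256(right + key).digest()[:len(right)]

def lossy_f(right, key):
    # Many-to-one round function: discards almost all of its input.
    return bytes([right[0] & key[0]]) * len(right)

# Constructed parameters (assumptions of this example, not FIPS 46-3 tables).
IP = [5, 2, 7, 0, 3, 6, 1, 4]                        # byte permutation of a 64-bit block
ROUND_KEYS = [bytes([i]) * 6 for i in range(1, 17)]  # 16 round keys of 48 bits

def encode(m, f):
    return feistel_codec(m, ROUND_KEYS, f, IP)

def decode(c, f):
    # Same algorithm, round keys applied in reverse order.
    return feistel_codec(c, ROUND_KEYS[::-1], f, IP)

def roundtrip_ok(f, messages):
    return all(decode(encode(m, f), f) == m for m in messages)

if __name__ == "__main__":
    msgs = [bytes(8), b"ABCDEFGH", bytes(range(8, 16))]
    print(roundtrip_ok(hash_f, msgs), roundtrip_ok(lossy_f, msgs))
```

Invertibility comes from the XOR in each round, not from F, which is why the theorem can be stated for any round function.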
51. Formalization of DES
Formalization of the DES algorithm according to FIPS46–3 in Mizar language.
Step1: Formalization of the DES primitives according to FIPS46-3.
Step2: Formalization of the correctness of the DES algorithm. (Using the formalization of the generalized DES algorithm.)
Prove the correctness of the DES algorithm
52. Formalization of DES Primitives
DES Primitives:
S-Boxes ( S-Box S1, ... , S-Box S5, .. , S-Box S8 ).
Initial Permutation (IP).
Final Permutation (IP^-1).
Feistel Function : ( ).
Bit selection Function (E).
Permutation (P).
Key Scheduling Function (KS).
Permuted Choice 1 (PC1).
Permuted Choice 2 (PC2).
Left Shift.
54. S-Boxes
Theorem 6.1: ( S-Box S1)
The other S-Boxes, DES-SBOX2 (S2), ..., DES-SBOX8 (S8), are defined similarly.
S-Box S1
Mizar language
it = DES-SBOX1
55. Initial Permutation (IP)
Definition 6.2: ( IP as functor )
IP
Mizar language
it = DES-IP(r)
56. Initial Permutation (IP)
Definition 6.3: ( IP as function )
The functor of the final permutation, DES-IPINV, and its function, DES-PIPINV, are defined similarly.
Mizar language
it = DES-PIP
63. Permuted Choice 1 (PC1)
Definition 6.8: ( PC1 as functor )
Mizar language
it = DES-PC1(r)
PC1
The functor of PC2 is defined similarly as DES-PC2.
[Figure labels: C0, D0]
64. Table of the Numbers of Left-Shift
Definition 6.9: ( Table of Left-Shift )
Mizar language
it = bitshift_DES
i-th Round    Number of Left-Shifts
1             1
2             1
3             2
4             2
5             2
6             2
7             2
8             2
9             1
10            2
11            2
12            2
13            2
14            2
15            2
16            1
65. Formalization of the Key Scheduling Function
Definition 6.7: ( Key Scheduling function )
Mizar language
it = DES-KS(Key)
66. DES Algorithm
The generalized DES algorithm
The DES primitives
Definition 6.11: ( DES Algorithm )
Mizar language
it = DES-CoDEC (M,F,IP,RK)
DES algorithm
67. Encode and Decode Algorithm of DES
Definition 6.12: ( Encode Algorithm of DES)
Mizar language
Definition 6.13: ( Decode Algorithm of DES)
Mizar language
68. Correctness of DES
Theorem 6.1: ( Correctness of DES )
Proved using the Mizar system that the ciphertext encoded by the DES algorithm can be decoded uniquely with the same algorithm and secret key that were used in encryption.
Mizar language
69. Conclusion
Prove the correctness of the DES algorithm.
Introduction : Our formalization of DES algorithm.
Mizar proof checking system.
Future work
Analyze the security of DES.
Prove the security of cryptographic systems by using the Mizar proof checker.