Pedro Pereira and I are working on a new project in the Masters. The second half of the Masters is composed of a single project suggested by a company. Some companies are forming partnerships in the Masters formal methods, including: the Critical software, SIG and Galois. We chose the Galois because we also are in the area of cryptography and we already knew some work of some people from this company.

The project suggested by Galois was study the Cryptol as a language of specification of cryptographic algorithms. The cipher we used for this study is the SNOW 3G (The SNOW website), later on I will talk about the specification of this cipher. In this post I am only interested to show the language.

I’m going to show you some details about the language. This post is not intend to be a exhaustive explanation of Cryptol, if you looking for that you can go directly to the manuals. This post only relates my experience, and what I like it most with the language.

## Overview

Cryptol is a high-level language that is geared to deal with low-level problems. Is a Domain-specific language to design and implement cryptographic algorithms.

This language has a high percentage of correctness of the implementation of a cipher, because it implements type inference, so we can say that a big part of the language implements correctness. This correctness is also achieved thanks to the architecture of the language – functional. We don’t have side effects – a function only return something inside is codomain.

In Cryptol we have this philosophy that says that everything is a sequence. This is very useful because we are working with low level data (array of bits), so we use sequences to represent that arrays. We can have nested sequences to have a more structured representation of data. For example, we can simply transform a 32-bit sequence in a 4 1-byte sequence.

The size of this sequences could be implemented as finite or infinite, as we going to see later in this post. Because Cryptol is a high-level language we can also implement polymorphic functions, most of the primitive functions are implemented in polymorphic mode. The way we have to navigate throw the sequences is using recursion, or sequences comprehension, and with these two techniques we can implement recurrences.

If you are a Haskell programmer you just need the next section to learn Cryptol. This language is so look a like with Haskell that even the philosophy seems to have a lot in commune.

## Types in Cryptol

The type means that you have a sequence of 32-bit size. All the types in Cryptol are size oriented. The unit is the , that you can use to represent . To represent a infinite sequence we use the reserved word , and we write: to represent that.

If you want to generate a infinite sequence, we use the syntactic sugar of the sequences like that: . Cryptol will infer this sequence as type

That means this sequence have infinite positions of 1-bit words. The type inference mechanism will always optimize the size that he needs, to represent the information.

So, it infer the type of as:

Because, it “knows” that needs only 7-bits to represent the decimal . But if you need more, you can force the type of your function.

We implement polymorphism in our types, if we have:

This means, that the function have polymorphism over , because we say that it domain is one sequence of size of type , and it codomain also. Here we could also see: meaning that is a constant of sequences of size of type , times.

So, lets talk about some primitive functions in Cryptol, and its types. The function have the following type in Cryptol:

As we can see, Cryptol is so size oriented, that we can use arithmetic operators in types. We can probably infer what this function does just from it type: works for all and such that if we have one sequence os size of type it returns one sequence of size of same type. In fact this function removes the first element of one sequence.

Because of this size oriented philosophy a lot of functions, that change the size of the sequences can be read just from the type.

As you can see in the following list of Cryptol primitive function:

## Recursion and Recurrence

Cryptol implements Recursion, just like a lot of functional languages do.

Imagine the fibonacci function definition:

It implementation in Crytol is exactly the same as defined mathematically.

fib : [inf]32 -> [inf]32; fib n = if n == 0 then 0 else if n == 1 then 1 else fib (n-1) + fib (n-2);

Cryptol uses recursion to permit us to iterate throw sequences.

But, If you prefer you can implement a more functional algorithm of fibonacci function in Cryptol:

fib : [inf]32 -> [inf]32; fib n = fibs @ n; where { fibs : [inf]32; fibs = [0 1] # [| x + y || x <- drop (1,fibs) || y <- fibs |]; };

Here, as you can see, we define a infinite list of all the fibonacci numbers, by calling the inside the sequences comprehension , this is called a recurrence, and you can use that too in Cryptol.

## Cryptol vs C

I’m going to show you some part of the implementation of SNOW 3G in C. This is a function called

MULa : [8] -> [32]; MULa(c) = join ( reverse [ ( MULxPOW(c, 23 :[32], 0xA9) ) ( MULxPOW(c, 245:[32], 0xA9) ) ( MULxPOW(c, 48 :[32], 0xA9) ) ( MULxPOW(c, 239:[32], 0xA9) ) ] );

/* The function MUL alpha. Input c: 8-bit input. Output : 32-bit output. See section 3.4.2 for details. \*/ u32 MULalpha(u8 c) { return ((((u32)MULxPOW(c,23, 0xa9)) << 24 ) | (((u32)MULxPOW(c, 245,0xa9)) << 16 ) | (((u32)MULxPOW(c, 48,0xa9)) << 8 ) | (((u32)MULxPOW(c, 239,0xa9)))) ; }

You can see that in Cryptol we just say that we want to work with a 32-bit word, and we don’t need to do any shift to our parts of the word. We just join them together. We reverse the sequence, because Cryptol stores words in little-endian, and we want to keep the definition like the specification.

This is a very simple function, so the result in C is not so that different. But if we have a more complex function, we were going to start having a nightmare to write that in C.

## Conclusion

Well, the conclusion is that Cryptol is a language that really help to write low-level algorithms. With Cryptol the specification is formal and easier to read than other languages. A value of Cryptol is that the code can be converted to other languages, such as VHDL and C.

If you’re interested, take a look at the presentation that we did.