On formal verification of arithmetic-based cryptographic primitives

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and semantic security of the public-key cryptographic scheme of Goldwasser and Micali.


💡 Research Summary

The paper presents an extension of a Coq‑based toolbox for game‑based security proofs, enabling the formal verification of cryptographic primitives that rely on arithmetic and number‑theoretic constructions. In earlier work the authors built a framework that could model probabilistic games, oracles, and reductions, but it lacked native support for modular arithmetic, quadratic residues, and other fundamental concepts of number theory that are essential for many public‑key schemes and pseudorandom generators.

To fill this gap the authors develop two major components. First, they construct a comprehensive Coq library for integer arithmetic. This library defines modular addition, multiplication, exponentiation, the Euclidean algorithm, Bézout’s identity, and classic theorems such as Fermat’s little theorem and Euler’s theorem. Each property is proved as a Coq lemma, allowing later cryptographic proofs to invoke these results without re‑deriving them. The library also introduces formal assumptions for hardness problems (e.g., factoring, quadratic‑residue (QR) decision) as Coq Axioms, making the dependency on computational difficulty explicit in the proof scripts.

Second, the authors demonstrate the practical impact of the extension by fully mechanising two canonical arithmetic‑based cryptographic proofs.

  1. Blum‑Blum‑Shub (BBS) pseudorandom generator – The security claim is that predicting the next output bit is computationally infeasible under the assumption that factoring the modulus N = p·q (with distinct large odd primes p and q) is hard. Using the new modular‑exponentiation definitions, the authors formalise the state transition s_{i+1} = s_i^2 mod N and prove that any polynomial‑time predictor can be turned into a factoring algorithm, thereby establishing the reduction inside Coq. The entire reduction, the probabilistic game definitions, and the hardness assumption are checked automatically.

  2. Goldwasser‑Micali (GM) public‑key encryption – GM’s security rests on the difficulty of distinguishing quadratic residues from non‑residues modulo a composite N. The authors encode the Legendre symbol and the QR predicate in Coq, prove their basic algebraic properties, and then construct the standard game‑hop that transforms an adversary breaking semantic security into an algorithm that solves the QR decision problem. The reduction is expressed as a sequence of Coq lemmas, each verified by the proof assistant.
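To make the two mechanised primitives concrete, here is an added Python illustration (not code from the paper or its Coq toolbox) that runs the BBS state transition s_{i+1} = s_i^2 mod N and the GM bit encryption whose decryption is exactly the QR predicate; the primes and the `legendre` / `is_qr_mod_n` helpers are constructed for this example and the primes are far too small for real use.

```python
# Added example, not code from the paper or its Coq toolbox; primes are constructed.
from math import gcd
import secrets

def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def is_qr_mod_n(a: int, p: int, q: int) -> bool:
    """QR predicate modulo N = p*q: decidable here only because p, q are known."""
    return legendre(a, p) == 1 and legendre(a, q) == 1

def bbs_bits(seed: int, n: int, count: int) -> list[int]:
    """BBS: state s_{i+1} = s_i^2 mod N, output the parity of each state.
    n must be a Blum integer (p, q both 3 mod 4) and gcd(seed, n) == 1."""
    s = pow(seed, 2, n)  # s_0 is forced to be a quadratic residue
    out = []
    for _ in range(count):
        s = pow(s, 2, n)
        out.append(s & 1)
    return out

def gm_keygen(p: int, q: int):
    """GM public key (N, x): x is a non-residue mod both p and q, so it has
    Jacobi symbol +1 and cannot be told from a square without p, q."""
    x = 2
    while not (legendre(x, p) == -1 and legendre(x, q) == -1):
        x += 1
    return (p * q, x), (p, q)

def gm_encrypt(pub, bits, rand=secrets.randbelow) -> list[int]:
    """Bit 0 -> random square y^2 mod N; bit 1 -> y^2 * x (a non-residue)."""
    n, x = pub
    cts = []
    for b in bits:
        y = rand(n)
        while y < 2 or gcd(y, n) != 1:
            y = rand(n)
        cts.append((y * y * (x if b else 1)) % n)
    return cts

def gm_decrypt(priv, cts) -> list[int]:
    """With the factorisation the QR predicate decides each bit."""
    p, q = priv
    return [0 if is_qr_mod_n(c, p, q) else 1 for c in cts]
```

The GM reduction in the paper is visible in `gm_decrypt`: anyone who can decide the QR predicate modulo N without p and q can read every bit, which is why semantic security is exactly the hardness of that decision.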

Both case studies show a noticeable reduction in proof length (about 30 % shorter than the corresponding handwritten proofs) and, more importantly, eliminate subtle logical gaps that can easily slip into manual arguments. The modular arithmetic library enables reuse of low‑level lemmas across different protocols, so the same facts about modular inverses, exponentiation, and QR properties are invoked repeatedly without reproving them.

The authors argue that the approach scales to other number‑theoretic schemes such as RSA, ElGamal, Paillier, and lattice‑based constructions that also require arithmetic reasoning. By separating the arithmetic layer (the new Coq modules) from the game‑based reasoning layer, cryptographers can plug in additional hardness assumptions or alternative number‑theoretic primitives while reusing the existing verification infrastructure.

In summary, the paper delivers a concrete, reusable Coq infrastructure for number‑theoretic cryptography and validates it on two historically important primitives. This work bridges the gap between high‑level cryptographic security arguments and low‑level formal verification, paving the way for more trustworthy implementations of modern cryptographic protocols.
