United States. Almost every time a secure Google Chrome browser is opened, a new cryptographic system developed by MIT is helping to better protect your data.
In a paper presented at the recent IEEE Symposium on Security and Privacy, MIT researchers detail a system that, for the first time, automatically generates optimized cryptography code that is usually written by hand. Implemented in early 2018, the system is now being widely used by Google and other tech companies.
The paper now demonstrates to other researchers in the field how automated methods can be implemented to avoid man-made errors in cryptocode generation, and how key adjustments to system components can help achieve higher performance.
To secure online communications, cryptographic protocols run complex mathematical algorithms that perform some complex arithmetic calculations on large numbers. However, behind the scenes, a small group of experts writes and rewrites those algorithms by hand. For each algorithm, they must weigh various mathematical techniques and chip architectures to optimize performance. When the underlying mathematics or architecture changes, they essentially start from scratch. In addition to being laborious, this manual process can produce suboptimal algorithms and often introduces errors that are then detected and repaired.
Instead, researchers at the Computer Science and Artificial Intelligence Laboratory (CSAIL) designed "Fiat Cryptography," a system that automatically generates, and simultaneously verifies, cryptographic algorithms optimized for all hardware platforms. In the tests, the researchers found that their system can generate algorithms that match the performance of the best handwritten code, but much faster.
The code automatically generated by the researchers has populated Google's BoringSSL, an open-source cryptographic library. Google Chrome, Android apps and other programs use BoringSSL to generate the various keys and certificates used to encrypt and decrypt data. According to the researchers, about 90 percent of Chrome's secure communications currently run its code.
"Cryptography is implemented by doing arithmetic in large numbers. [Fiat Cryptography] makes it easier to implement mathematical algorithms... because we automate the construction of the code and provide proof that the code is correct," says paper co-author Adam Chlipala, a CSAIL researcher and associate professor of electrical and computer engineering and head of the programming and verification languages group. It's basically like taking a process that runs in human brains and understanding it well enough to write code that mimics that process."
Jonathan Protzenko of Microsoft Research, a crypto expert who was not involved in this research, sees the work as representing a shift in industry thinking.
"The Fiat crypto used in BoringSSL benefits the entire [crypto] community," he says. "[It's] a sign that times are changing and that big software projects are realizing that insecure cryptography is a liability, [and shows] that verified software is mature enough to enter the mainstream. I hope that more and more established software projects will make the switch to verified cryptography. Maybe in the next few years, verified software can be used not only for cryptographic algorithms, but also for other application domains."
Joining Chlipala on paper: first author Andres Erbsen and co-authors Jade Philipoom and Jason Gross, who are all CSAIL graduate students; as well as Robert Sloan MEng '17.
Get to know the full report here.
http://news.mit.edu/2019/fiat-cryptography-chrome-android-0617
Source: MIT.
Leave your comment