Cryptol Reference Card

A brief summary of Cryptol’s syntax and basic patterns. For more details, look for the book Programming Cryptol.

Starting Cryptol, basic commands

Start Cryptol either by itself, or with the name of a Cryptol file as its argument:

    % cryptol myfile.cry
                            _        _
       ___ _ __ _   _ _ __ | |_ ___ | |
      / __| '__| | | | '_ \| __/ _ \| |
     | (__| |  | |_| | |_) | || (_) | |
      \___|_|   \__, | .__/ \__\___/|_|
                |___/|_|  version 2.4.0

    Loading module Cryptol
    Cryptol>

At the Cryptol prompt, a number of commands are available:

    :set base=10
    :set ascii=on   // or =off
    :r              // or :reload - reloads file
    :l <filename>   // or :load <filename>
    :e              // edits the current file

Pressing Tab at the Cryptol> prompt, after typing :, or after :set shows you available options. Experiment!

Data and types

Cryptol’s types include:

• Bit values can be True or False
• Sequences whose elements must have the same type, like [0xa, 0xb, 0xc]. Elements of sequences can be accessed with the @ and ! indexing operators, which index from the beginning and the end of the sequence, respectively. For example [0xa, 0xb, 0xc]@0 is 0xa.
• Tuples whose elements can have different types, like ('a', 0xf00d, (True, False)). Elements of tuples can be accessed via . like this: (True, 0xa).0 is True.
• Records are like tuples with named elements, and are also accessed with . like this: { foo=1, bar=2 }.bar is 2.

Querying types

Functions, expressions and values all have types in Cryptol. You can ask Cryptol what the type of something is with the :t command, like this:

    Cryptol> :t "Hello, world!"
    "Hello, world!" : [13][8]
    Cryptol> :t 123
    123 : {a} (fin a, a >= 7) => [a]
    Cryptol> :t 0xf00d
    0xf00d : [16]
    Cryptol> :t (||)
    (||) : {a} a -> a -> a
    Cryptol> :t (+)
    (+) : {a} (Arith a) => a -> a -> a

These say, in order:

• the string 'Hello, world!' is a sequence of 13 8-bit words
• the number 123 takes a finite number, a, of bits, where a >= 7.
• the number 0xf00d is a 16-bit sequence
• the operator || takes two arguments of the same type, and its return value has the same type
• the operator + takes two arguments of class Arith and returns a value of the same type

Sequence constructors

Sequences are the most commonly-used structure in Cryptol. They can be constructed in a number of ways. We’ve already seen sequence literals, like [1, 2, 3]. You can construct sequences of finite length by specifying the first and last elements, like this:

    Cryptol> [1 .. 10]
    [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]

Specify the step between elements by providing the first two:

    Cryptol> [1,3 .. 10]
    Assuming a = 4
    [1, 3, 5, 7, 9]

Descending sequences have descending first two elements:

    Cryptol> [10, 9 .. 0]
    Assuming a = 4
    [10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]

Infinite sequences are created with ... Since the elements of a sequence all have to have the same (finite) type, the sequence will wrap around. For example:

    Cryptol> [1, 2 ...] // 2 bits per element
    Assuming a = 2
    [1, 2, 3, 0, 1, ...]
    Cryptol> [0x1, 0x3 ...] // 4 bits/elt
    [1, 3, 5, 7, 9, ...]

Finally, Cryptol lets you specify the elements of a sequence with the sequence comprehension syntax, which is inspired by the same concept in mathematics notation. Here are some examples:

    Cryptol> [ a + 3 | a <- [1 .. 10] ]
    [4, 5, 6, 7, 8, 9, 10, 11, 12, 13]
    Cryptol> [ a + b | a <- [1 .. 10] \
                     | b <- [3 ...] ]
    [4, 6, 8, 10, 12, 14, 0, 2, 4, 6]

The first one would be described as “a sequence of elements whose values are a + 3, where a is drawn from the sequence ‘1 to 10’ ”. The second one is a parallel comprehension. The resulting length of a parallel comprehension is the shortest length of its legs. In this case, we would describe it as “a sequence of elements whose values are a + b where a is drawn from the sequence ‘1 to 10’ and b is drawn from the infinite sequence starting at 3”.

Cryptol also supports Cartesian comprehensions, whose legs are separated by commas. The first element of the first leg is paired with each element of the other leg(s), followed by the second element of the first leg, etc:

    Cryptol> [(a, b) | a <- [1, 2]\
                     , b <- [3, 4] ]
    [(1, 3), (1, 4), (2, 3), (2, 4)]

Other things you can do with sequences: the built-in reverse function reverses the elements of a sequence,

and the # operator concatenates two sequences (of course the two arguments to # must have elements of the same type).

    Cryptol> reverse ['0' .. '9'] # ['a' .. 'z']
    "9876543210abcdefghijklmnopqrstuvwxyz"

Type variables

Type variables can occur in a few contexts in a Cryptol program. Some functions take type-level arguments, such as take and drop:

    take`{2}[1 .. 10]
    // value: [1, 2]
    drop`{2}[1 .. 10]
    // value: [3, 4 .. 10]

Type-level arguments can be positional or named, like this:

    Cryptol> :t take
    take : {front, back, elem} (fin front) =>
        [front + back]elem -> [front]elem

We asked for the type of take, and we learned that its argument is front + back elements long, and that it returns front elements. If we pass back=3 as the type argument to take, Cryptol knows the list has 10 elements, that front + 3 = 10, so it infers that we want to take 7 elements of our list [1 .. 10].

    Cryptol> take`{back=3}[1 .. 10]
    [1, 2, 3, 4, 5, 6, 7]

Defining types

You can define a new type like this:

    type NumChars = 26
    type Permutation=[NumChars]Char
    type Index=[7]

Type names typically start with capital letters. Having defined this type, you can define functions that take arguments, or return values of that type. Your code becomes more readable with descriptive type names.

    indexToChar : Index -> Char
    indexToChar i = (0b0 # i) + 'A'

    invertPermutation : Permutation -> Permutation
    invertPermutation perm =
        [ indexToChar (indexOf c perm)
        | c <- alphabet
        ]

Functions in Cryptol

A function declaration looks like this:

    f x y = x + y

The type of this function is:

    f : {a} (Arith a) => a -> a -> a

You can provide the type of a function along with its definition, or you can let Cryptol infer a function’s type for you. Sometimes providing the type can help Cryptol give you better error messages, and also Cryptol’s inferred types are very general, and can be confusing sometimes.

Reading the type of a function in Cryptol, you have:

• the name of the function
• :
• in curly braces, the names of type variables
• in parentheses the type constraints (in this case, the type a needs to be something that supports arithmetic operations (Arith))
• a fat arrow (=>),
• the types of the arguments, separated by ->
• the final element is the type of the return value

Cryptol supports curried arguments, which means that if you pass fewer arguments than a function takes, the result is a function that accepts the remaining arguments and has the same return type. For example:

    addThree = f 3
    addThree 8 // value is 11

Cryptol idioms

Pretty much everything you do in Cryptol should be operating on sequences. If you’re tempted to call a function recursively, you’ll probably be better served by refactoring your problem into recursive operations on sequences. Here’s an idiomatic Fibonacci sequence in Cryptol:

    fibs = [0, 1] #
           [ a + b
           | a <- fibs
           | b <- drop`{1}fibs]

    take`{10}(fibs:[_][12])
    // value: [0, 1, 1, 2, 3, 5, 8, 13, 21, 34]
    (fibs:[_][64])@85
    // value: 0x039a9fadb327f099

If a function returns Bit, you can use Cryptol’s powerful theorem proving powers to either prove that the function is true for all values of its argument(s), using :prove, or that there exists at least one input value that makes the function return True, using :sat. Here, we prove that x+x is always equal to x << 1:

    Cryptol> :prove (\x -> x + x == x << 1):[32]->Bit
    Q.E.D.

One limitation of :prove and :sat is that the arguments have to be monomorphic. That’s why we had to specify the function had type [32]->Bit. Here we prove that x + y == y + x for all 32-bit values x and y:

    Main> :prove (\x y -> x+y == y+x):[32]->[32]->Bit
    Q.E.D.

Here we ask Cryptol if there are an 8-bit x and y such that x^y = 123:

    Cryptol> :sat (\x y -> x ^^ y == 123):[8]->[8]->Bit
    ((\x y -> x ^^ y == 123) : [8] -> [8] -> Bit)
    51 31 = True
    Cryptol> 51 ^^ 31:[8]
    123

This reference card is by Dylan McNamee, and is hosted on GitHub. See github.com/dylanmc/CryptoBook.
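
The :prove and :sat commands and the monomorphic-argument limitation described on this card, applied to a small cipher. This is an added example, not part of the reference card: the names encByte, decByte, encrypt, decrypt, roundTrip, keysDiffer and findKey are hypothetical, and the xor-and-rotate cipher is a toy chosen only to give the solver something to check.

```cryptol
// Added example, not from the reference card. All names are hypothetical.

// Toy byte transform: xor with the key, then rotate left by 3 bits.
encByte : [8] -> [8] -> [8]
encByte key p = (p ^ key) <<< (3 : [8])

// Inverse transform: rotate right by 3 bits, then xor with the key.
decByte : [8] -> [8] -> [8]
decByte key c = (c >>> (3 : [8])) ^ key

// Polymorphic in the message length n, written as comprehensions.
encrypt : {n} [8] -> [n][8] -> [n][8]
encrypt key msg = [ encByte key p | p <- msg ]

decrypt : {n} [8] -> [n][8] -> [n][8]
decrypt key ct = [ decByte key c | c <- ct ]

// :prove needs monomorphic arguments, so the signature pins n to 16 bytes.
// The claim: decryption undoes encryption for every key and every message.
roundTrip : [8] -> [16][8] -> Bit
property roundTrip key msg = decrypt key (encrypt key msg) == msg

// The claim: two different keys never give the same ciphertext byte
// for the same plaintext byte.
keysDiffer : [8] -> [8] -> [8] -> Bit
property keysDiffer k1 k2 p =
    if k1 != k2 then encByte k1 p != encByte k2 p else True

// A question for :sat rather than a theorem: is there a key that
// maps the plaintext byte 'A' to the ciphertext byte 'Z'?
findKey : [8] -> Bit
findKey key = encByte key 'A' == 'Z'
```

Load the file with :l, then run :prove roundTrip, :prove keysDiffer and :sat findKey at the prompt.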