Computers and programs running on these computers are powerful tools for many domains of human activities. In some of these domains, program errors can have enormous consequences. It will become crucial for all stakeholders that the best techniques are used when designing these programs.

We advocate using higher-order logic proof assistants as tools to obtain better quality programs and designs. These tools make it possible to build designs where all decisive arguments are explicit, ambiguity is alleviated, and logical steps can be verified precisely. In practice, we are intensive users of the Coq system and we participate actively to the development of this tool, in collaboration with other teams at Inria, and we also take an active part in advocating its usage by academic and industrial users around the world.

Many domains of modern computer science and engineering make a heavy use of mathematics. If we wish to use proof assistants to avoid errors in designs, we need to develop corpora of formally verified mathematics that are adapted to these domains. Developing libraries of formally verified mathematics is the main motivation for our research. In these libraries, we wish to capture not only the knowledge that is usually recorded in definitions and theorems, but also the practical knowledge that is recorded in mathematical practice, idioms, and work habits. Thus, we are interested in logical facts, algorithms, and notation habits. Also, the very process of developing an ambitious library is a matter of organisation, with design decisions that need to be evaluated and improved. Refactoring of libraries is also an important topic. Among all higher-order logic based proof assistants, we contend that those based on Type theory are the best suited for this work on libraries, thanks to their strong capabilities for abstraction and modular re-use.

The interface between mathematics, computer science and engineering is large. To focus our activities, we will concentrate on applications of proof assistants to two main domains: cryptography and robotics. We also develop specific tools for proofs in cryptography, mainly around a proof tool named EasyCrypt.

The proof assistants that we consider provide both a programming language, where users can describe algorithms performing tasks in their domain of interest, and a logical language to reason about the programs, thus making it possible to ensure that the algorithms do solve the problems for which they were designed. Trustability is gained because algorithms and logical statements provide multiple views of the same topic, thus making it possible to detect errors coming from a mismatch between expected and established properties. The verification process is itself a logical process, where the computer can bring rigor in aligning expectations and guarantees.

The foundations of proof assistants rest on the very foundations of mathematics. As a consequence, all aspects of reasoning must be made completely explicit in the process of formally verifying an algorithm. All aspects of the formal verification of an algorithm are expressed in a discourse whose consistency is verified by the computer, so that unclear or intuitive arguments need to be replaced by precise logical inferences.

One of the foundational features on which we rely extensively is Type Theory. In this approach a very simple programming language
is equiped with a powerful discipline to check the consistency of
usage: types represent sets of data with similar behavior, functions
represent algorithms mapping types to other types, and the consistency
can be verified by a simple computer program, a type-checker.
Although they can be
verified by a simple program, types can express arbitrary complex
objects or properties, so that the verification work lives in an
interesting realm, where verifying proofs is decidable, but finding
the proofs is undecidable.

This process for producing new algorithms and theorems is a novelty in the development of mathematical knowledge or algorithms, and new working methods must be devised for it to become a productive approach to high quality software development. Questions that arise are numerous. How do we avoid requiring human assistance to work on mundane aspects of proofs? How do we take advantage of all the progress made in automatic theorem proving? How do we organize the maintenance of ambitious corpora of formally verified knowledge in the long term?

To acquire hands-on expertise, we concentrate our activity on three aspects. The first one is foundational: we develop and maintain a library of mathematical facts that covers many aspects of algebra. In the past, we applied this library to proofs in group theory, but it is increasingly used for many different areas of mathematics and by other teams around the world, from combinatorics to elliptic cryptography, for instance. The second aspect is applicative: we develop a specific tool for proofs in cryptography, where we need to reason on the probability that opponents manage to access information we wish to protect. For this activity, we develop a specific proof system, relying on a wider set of automatic tools, with the objective of finding the tools that are well adapted to this domain and to attract users that are initially specialists in cryptography but not in formal verification. The third domain is robotics, as we believe that the current trend towards more and more autonomous robots and vehicles will raise questions of safety and trustability where formal verification can bring significant added value.

The Mathematical Components library is the main by-product of an effort started almost two decades ago to provide a formally verified proof for a major theorem in group theory. Because this major theorem had a proof published in books of several hundreds of pages, with elements coming from character theory, other coming from algebra, and some coming from real analysis, it was an exercice in building a large library, with results in many domains, and in establishing clear guidelines for further increase and data search.

This library has proved to be a useful repository of mathematical facts for a wide area of applications, so that it has a growing community of users in many contries (Denmark, France, Germany, Japan, Singapore, Spain, Sweden, UK, USA) and for a wide variety of topics (transcendental number theory, elliptic curve cryptography, articulated robot kinematics, recently block chain foundations).

Interesting questions on this library range around the importance of decidability and proof irrelevance, the way to structure knowledge to automatically inherit theorems from one topic to another, the way to generate infrastructure to make this automation efficient and predictable. In particular, we want to concentrate on adding a new mathematical topic to this library: real analysis and then complex analysis (Mathematical Components Analysis).

On the front of automation, we are convinced that a higher level language is required to describe similarities between theories, to generate theorems that are immediate consequences of structures, etc, and for this reason, we invest in the development of a new language on top of the proof assistant (ELPI).

When we work on cryptography, we are interested in the formal
verification of proofs showing that some cryptographic primitives
provide good guarantees against unwanted access to information. Over
the years we have developed a technique for this kind of reasoning
that relies on a programing logic (close to Hoare logic) with
probabilistic aspects and the capability to establish relations
between several implementations of a problem. The resulting
programming logic is called probabilistic relational Hoare
logic.
We also study questions of side-channel attacks,
where we wish to guarantee that opponents cannot gain access to
protected knowledge, even if they observe specific features of
execution, like execution time (to which the answer lies in constant-time execution) or partial access to memory bits (to which
the answer lies in masking).

For this domain of application, we choose to work with a specific proof tool (EasyCrypt), which combines powerful first-order reasoning and uses of automatic tools, with a specific support for probabilistic relational Hoare Logic. The development of this EasyCrypt proof tool is one of the objectives of our team.

When it comes to formal proofs of resistance to side-channel attack, we contend that it is necessary to verify formally that the compiler used in the production of actually running code respects the resistance properties that were established in formally verified proofs. One of our objectives is to describe such a compiler (Jasmin) and show its strength on a variety of applications.

Robots are man-made artifacts where numerous design decisions can be argued based on logical or mathematical principles. For this reason, we wish to use this domain of application as a focus for our investigations. The questions for which we are close to providing answers involve precision issues in numeric computation, obstacle avoidance and motion planning (including questions of graph theory), articulated limb cinematics and dynamics, and balance and active control.

From the mathematical perspective, these topics require that we improve our library to cover real algebraic geometry, computational geometry, real analysis, graph theory, and refinement relations between abstract algorithms and executable programs.

In the long run, we hope to exhibit robots where pieces of software and part of the design have been subject to formal verification.

This year we consider our formal proof of the theorem on the unsolvability of quintic polynomials by radicals to be a highlight, as it illustrates the wealth of existing results in the Mathematical Components library 11.

Here we describe new software and platforms.

Coq version 8.14 integrates many usability improvements, as well as an important change in the core language. The main changes include:

- The internal representation of match has changed to a more space-efficient and cleaner structure, allowing the fix of a completeness issue with cumulative inductive types in the type-checker. The internal representation is now closer to the user-level view of match, where the argument context of branches and the inductive binders "in" and "as" do not carry type annotations.

- A new "coqnative" binary performs separate native compilation of libraries, starting from a .vo file. It is supported by coq_makefile.

- Improvements to typeclasses and canonical structure resolution, allowing more terms to be considered as classes or keys.

- More control over notation declarations and support for primitive types in string and number notations.

- Removal of deprecated tactics, notably omega, which has been replaced by a greatly improved lia, along with many bug fixes.

- New Ltac2 APIs for interaction with Ltac1, manipulation of inductive types and printing.

Many changes and additions to the standard library in the numbers, vectors and lists libraries. A new signed primitive integers library Sint63 is available in addition to the unsigned Uint63 library.

This release is compatible with Coq 8.11, 8.12, 8.13 and 8.14.

The main additions are:

the theory of diagonalization of matrices, the pairwise predicate and its theory, bounded sequences and their theory, several lemmas in various parts of the library (order.v, finset.v, etc).

The programming language has the following features

- Native support for variable binding and substitution, via an Higher Order Abstract Syntax (HOAS) embedding of the object language. The programmer needs not to care about De Bruijn indexes.

- Native support for hypothetical context. When moving under a binder one can attach to the bound variable extra information that is collected when the variable gets out of scope. For example when writing a type-checker the programmer needs not to care about managing the typing context.

- Native support for higher-order unification variables, again via HOAS. Unification variables of the meta-language (lambdaProlog) can be reused to represent the unification variables of the object language. The programmer does not need to care about the unification-variable assignment map and cannot assign to a unification variable a term containing variables out of scope, or build a circular assignment.

- Native support for syntactic constraints and their meta-level handling rules. The generative semantics of Prolog can be disabled by turning a goal into a syntactic constraint (suspended goal). A syntactic constraint is resumed as soon as relevant variables get assigned. Syntactic constraints can be manipulated by constraint handling rules (CHR).

- Native support for backtracking, to ease implementation of search.

- The constraint store is extensible. The host application can declare non-syntactic constraints and uses custom constraint solvers to check their consistency.

- Clauses are graftable. The user is free to extend an existing program by inserting/removing clauses, both at runtime (using implication) and at "compilation" time by accumulating files.

Most of these features come with lambdaProlog. Constraints and propagation rules are novel in ELPI.

ELPI implements a variant of lambdaProlog enriched with Constraint Handling Rules, a programming language well suited to manipulate syntax trees with binders and unification variables.

ELPI is a research project aimed at providing a programming platform for the so called elaborator component of an interactive theorem prover.

ELPI is designed to be embedded into larger applications written in OCaml as an extension language. It comes with an API to drive the interpreter and with an FFI for defining built-in predicates and data types, as well as quotations and similar goodies that come in handy to adapt the language to the host application.

- Bind OCaml APIs to control the garbage collector

- Fix bugs in predicate spilling, eta conversion and a few standard library predicates

- Improve implementation of findall, which is now able to handle holes and names in the list of solutions

The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This justifies that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

Year 2021 has brought several improvements to the Jasmin programming language, enabling the implementation of more complex programs: local functions (preserved during compilation), sub-arrays, etc. The release of a new major version is scheduled for early 2022.

Preparatory work to support several target architectures have also been carried out.

The correctness theorem of the compiler has been made more precise. It now allows to reason at source level about some non-functional properties of the program produced by the compiler. In particular, there is now a formal proof (in Coq) that the compiler always preserves the “constant-time” security property.

A didactical Coq development to introduce various semantics styles. Shows how to derive an interpreter, a compiler, a verifier, or a program analyser from formal descriptions, and how to prove their consistency.

This is a library for the Coq system, where the description of a toy programming language is presented. The value of this library is that it can be re-used in classrooms to teach programming language semantics or the Coq system. The topics covered include introductory notions to domain theory, pre and post-conditions, abstract interpretation, compilation, and the proofs of consistency between all these point of views on the same programming language. Standalone tools for the object programming language can be derived from this development.

EasyCrypt is a formal verification tool used extensively for formalizing concrete security proofs of cryptographic constructions. However, the EasyCrypt formal logics consider only classical attackers, which means that post-quantum security proofs cannot be formalized and machine-checked with this tool. In 7 we prove that a natural extension of the EasyCrypt core logics permits capturing a wide class of post-quantum cryptography proofs, settling a question raised by (Unruh, POPL 2019). Leveraging our positive result, we implemented EasyPQC, an extension of EasyCrypt for post-quantum security proofs, and used EasyPQC to verify postquantum security of three classical constructions: PRF-based MAC, Full Domain Hash, and GPV08 identity-based encryption.

We extended EasyCrypt to be able to reason about the computational complexity of adversaries. The key technical tool is a Hoare logic for reasoning about computational complexity (execution time and oracle calls) of adversarial computations. Our Hoare logic is built on top of the module system used by EasyCrypt for modeling adversaries. We proved the soundness of our logic w.r.t. the semantics of EasyCrypt programs. We showed how our approach can express precise relationships between the probability of adversarial success and their execution time. As a main benefit of our approach, we revisited security proofs of some well-known cryptographic constructions and we present a new formalization of Universal Composability (UC). The work has been published in 8.

High-assurance cryptography leverages methods from program verification and cryptography engineering to deliver efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics is not aligned with the behavior of modern processors that make use of speculative execution to improve performance. This mismatch, combined with the high-profile Spectre-style attacks that exploit speculative execution, naturally casts doubts on the robustness of high-assurance cryptography guarantees. In 9 we dispel these doubts by showing that the benefits of high-assurance cryptography extend to speculative execution, costing only a modest performance overhead. We build atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution, and validate our approach experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305.

Many security properties of interest are captured by instrumented semantics that model the functional behavior and the leakage of programs. For several important properties, including cryptographic constant-time (CCT), leakage models are sufficiently abstract that one can define instrumented semantics for high-level and low-level programs. One important goal is then to relate leakage of source programs and leakage of their compilation—this can be used, e.g. to prove preservation of CCT. To simplify this task, we put forward the idea of structured leakage. In contrast to the usual modeling of leakage as a sequence of observations, structured leakage is tightly coupled with the operational semantics of programs. This coupling greatly simplifies the definition of leakage transformers that map the leakage of source programs to leakage of their compilation and yields more precise statements about the preservation of security properties. We illustrate our methods on the Jasmin compiler and prove preservation results for two policies of interest: CCT and cost. This work is presented in 10.

We continued the work on Jasmin

3, allowing to add new features to the Jasmin compiler: global arrays, non-inlined function calls, pointers to arrays, better error messages. We also added various small transformations to the compiler. We started generalizing the compiler such that it will be able to generate code for different architectures (in particular Arm, but we also plan to make it work for RISC-V). All the new features are now fully proved and we plan to release a version of the compiler and its complete proof in the near future.

The verification of cryptographic schemes —from the protocol level down to the correct implementation of the cryptographic primitives— is a challenging task. This has led to the development of a number of verification tools for cryptographic properties. These tools differ significantly as it comes to the properties they can express and reason about as well as the level of automation they provide. Thus, even though it is already challenging to choose the best suited tool amongst the plethora of existing ones for a given protocol, it is also impossible to prove a protocol relying on different verifiers even when different parts of the protocol could be handled by different tools.

We developed a translation from CryptoVerif to EasyCrypt that allows cryptographic assumptions that cannot be proved in CryptoVerif to be translated to EasyCrypt and proved there. We used the translation to start the proof of different hypotheses assumed in CryptoVerif:

We studied how to use coq-elpi to implement fast equality tests for inductive datatypes in Coq. This work needs to be completed with a benchmark to test the impact on efficiency for an "inversion" tactic.

We studied how tabulating (in other words memoization) can improve the efficiency of the Elpi implementation, using a toy interpreter for first order logic as a case study. The toy interpreter shares the same basic design as Elpi, and some of the newly studied data structures have already been transferred to Elpi. However, this work needs to be complemented with a treatement of higher order logic. The ultimate goal is to make Elpi a good tool for type class resolution in the Coq system.

Universe polymorphism in Coq is an important feature to ensure its usability at higher orders. Tools that exploit the meta theoretic properties of type theory need to manage this aspect of logic in a powerful way. In particular, Enzo Crance developed a tool to exploit

, using the coq-elpi language. We worked together to make sure universe polymorphism was handled correctly, thus improving the applicability of that tool.

Building algebraic hierarchies in a proof assistant such as Coq requires a lot of manual labor and often a deep expertise. To reduce the cost, we developed Hierarchy Builder (HB), a high level language to build hierarchies of algebraic structures and to make these hierarchies evolve without breaking user code. This relies on coq-elpi. We extended HB to support parameterized structures and hierarchies of functions and morphisms as well and implemented a detection of Non Forgetful Inheritance as described in the paper 1. This was necessary to port the Mathematical Components library.

A fair amount of work was invested to make the tool usable in the long run: speed of execution, quality of error messages, diagnostic commands (HB.about), etc.

The key to keep the Mathcomp library growing in a rational way is that it revolves around a hierarchy of interfaces which organizes operations and properties. Interfaces come with theories which apply, automatically, to all the objects which are registered as validating the interface. We replaced the hand-crafted hierarchy by one generated by Hierarchy Builder. The work is almost finished but still needs some feature implementations in Hierarchy Builder.

This work was presented at the 2021 Coq workshop13.

We provide a Coq formalization that there does not exist a general method for solving by radicals polynomial equations of degree greater than 4. This development includes a proof of Galois’ Theorem of the equivalence between solvable extensions and extensions solvable by radicals. The unsolvability of the general quintic follows from applying this theorem to a well chosen polynomial with unsolvable Galois group.

This work was published and presented at ITP 2021 11.

We provide a construction of the Lebesgue measure, which is a necessary and difficult step in the formalization of Lebesgue integration and its variants. The originality of our approach is the use of the mathematical structure of algebras of sets as a ground for Carathéodory’s extension theorem. This is how the construction is often taught in undergraduate classes and we believe that this approach improves the modularity of the formalization because it favors abstract lemmas. It takes advantage of the Hierarchy Builder. This is part of MathComp analysis 2.

This work was presented at the 2021 Coq workshop.

Following the HOL-light formalization, we have extended the MathComp Analysis

2library with the definition and basic properties of the usual real functions (ln, sin, cos, tan, asin, acos, atan) and some higher-order property (sufficient conditions for the inverse function of a function to be continuous).

We completed some part of the coq-robot library concerning the use of quaternions to represent rigid transformations and the definition of octonions. The code is visible on an

open source repository on github.

We created and maintained the coq-nix-toolbox, a tool chain that provides support for using the nix package manager in conjunction with a Coq development. In particular, it support easy dependency management, caching and generation of github action CI jobs.

This work was presented at 2021 Coq workshop.

The article describing the work on the formalisation of "basic building blocks of double-word arithmetics" has been accepted and published in

.

Our collaboration continues on the formalisation of algorithms for Euclidian norms. These algorithms for Euclidian norms use the square root of double-word numbers. We have formalised the correctness of two algorithms for square root, including error bound validation. Both algorithms have been studied and formalized in the general case, including overflow and underflow.

The article describing this work has been submitted to Transactions on Mathematical Software16.

We have been redesigning the communication protocol between Coq and its user-interface software to make it compliant with the LSP protocol used in Visual Studio Code. We are now exploring the use of event-based programming for this integrated development environment.

We developed a formal description for a known algorithm to decompose a plane region into cells that are guaranteed to be free of obstacles. The goal of this development is to make it possible to prove that some trajectories are collision free.

We submitted a paper on the proof of Wagner's theorem at "Interactive Theorem Proving" (ITP'2021), which was accepted and presented in June

15.

We formalized two proofs of the Weak Perfect Graph theorem that are both significantly simpler than a previously published proof (at CPP2020). This is part of the latest release of the GraphTheory library, in May.

The STAMP team participates with the Grace team (Inria Saclay) in the JASMIN contract funded in the framework of the Inria-Nomadic Labs collaboration for research related to the Tezos blockchain. This contract funds the PhD thesis of Swarn Priya.

The acronym FUI stands for “fonds unique interministériel” and is aimed at research and development projects in pre-industrial phase. The STAMP team is part of one such project.

Cyril Cohen and Enrico Tassi organized the international coding sprint on "porting Mathematical Components to Hierarchy Builder" in April.

Christian Doczkal was a co-organizer with Jean-Marie Madiot of the 2021 Coq-Workshop.

Enrico Tassi was chair for "Logical Frameworks and Meta-Languages: Theory and Practice" (Pittsburgh, USA), in July.

Yves Bertot was member of the program committee for "Certified Programs and Proofs (CPP'2022)". Enrico Tassi was a member of the program committee for "Formal Integrated Development Environment (F-IDE'21)" and "Coq for Programming Languages (CoqPL'22)".

Pierre Boutry was a reviewer for "Certified Programs and Proofs (CPP'2022)". Benjamin Grégoire was a reviewer for "Computer Security Foundations (CSF'21)". Enrico Tassi was a reviewer for "Interactive Theorem Proving (ITP'21)". Yves Bertot was a reviewer for "Formal Structures for Computation and Deduction (FSCD'21)".

Yves Bertot, Cyril Cohen, and Laurent Théry reviewed articles for "Journal of Automated Reasoning" (JAR). Laurent Théry reviewed an article for "Logical Methods in Computer Science" (LMCS). Yves Bertot reviewed an article for "Journal of Symbolic Logic" (JSL).

Cyril Cohen did a talk for AFADL 2021 about the proof of Abel-Ruffini theorem.

Cyril Cohen did a presentation and an introductory course of 4 days of the Mathematical Components Library at University of Paris (IRIF laboratory) in december 2021.

Yves Bertot is member of the steering committee for "Interactive Theorem Proving (ITP)", for "Coq Workshop", and for "Coq for Programming Languages".

Yves Bertot is chair of the general assembly for the Coq consortium.

Yves Bertot was an expert for the evaluation of projects for Foundation UNIT and for "Agence Nationale de la Recherche (ANR)".

Benjamin Grégoire and Yves Bertot are supervising the thesis of Swarn Priya.

Cyril Cohen and Assia Mahboubi are supervising the thesis of Chris Hughes (based in Nantes).

Yves Bertot was a member of the jury for Diane Gallois-Wong (University of Paris-Saclay) and Yannick Forster (University of Saarbrücken, Germany).

Laurence Rideau is a member of the editorial board for Interstice.

Yves Bertot participated to Salon "Open Source Experience (OSXP)" where he presented the capabilities of the Coq system, in November.