Computers, and the programs that run on them, are powerful tools in many domains of human activity. In some of these domains, program errors can have enormous consequences, and it is becoming crucial for all stakeholders that the best available techniques be used when designing these programs.

We advocate using higher-order logic proof assistants as tools to obtain better quality programs and designs. These tools make it possible to build designs where all decisive arguments are explicit, ambiguity is alleviated, and logical steps can be verified precisely. In practice, we are intensive users of the Coq system; we participate actively in the development of this tool, in collaboration with other teams at Inria, and we also take an active part in promoting its usage among academic and industrial users around the world.

Many domains of modern computer science and engineering make heavy use of mathematics. If we wish to use proof assistants to avoid errors in designs, we need to develop corpora of formally verified mathematics adapted to these domains. Developing libraries of formally verified mathematics is the main motivation for our research. In these libraries, we wish to capture not only the knowledge usually recorded in definitions and theorems, but also the practical knowledge embodied in mathematical practice, idioms, and work habits. Thus, we are interested in logical facts, algorithms, and notational conventions. Moreover, the very process of developing an ambitious library is a matter of organisation, with design decisions that need to be evaluated and improved; refactoring of libraries is also an important topic. Among all proof assistants based on higher-order logic, we contend that those based on type theory are the best suited for this work on libraries, thanks to their strong capabilities for abstraction and modular re-use.

The interface between mathematics, computer science and engineering is large. To focus our activities, we will concentrate on applications of proof assistants to two main domains: cryptography and robotics. We also develop specific tools for proofs in cryptography, mainly around a proof tool named EasyCrypt.

The proof assistants that we consider provide both a programming language, where users can describe algorithms performing tasks in their domain of interest, and a logical language to reason about the programs, thus making it possible to ensure that the algorithms do solve the problems for which they were designed. Trustability is gained because algorithms and logical statements provide multiple views of the same topic, thus making it possible to detect errors coming from a mismatch between expected and established properties. The verification process is itself a logical process, where the computer can bring rigor in aligning expectations and guarantees.

The foundations of proof assistants rest on the very foundations of mathematics. As a consequence, all aspects of reasoning must be made completely explicit in the process of formally verifying an algorithm. All aspects of the formal verification of an algorithm are expressed in a discourse whose consistency is verified by the computer, so that unclear or intuitive arguments need to be replaced by precise logical inferences.

One of the foundational features on which we rely extensively is type theory. In this approach, a very simple programming language is equipped with a powerful discipline to check the consistency of usage: types represent sets of data with similar behavior, functions represent algorithms mapping types to other types, and consistency can be verified by a simple computer program, a type-checker. Although they can be verified by a simple program, types can express arbitrarily complex objects or properties, so that the verification work lives in an interesting realm, where verifying proofs is decidable, but finding the proofs is undecidable.
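To make the decidability point concrete, here is a sketch (ours, in Python, with hypothetical constructor names, not taken from any of the tools discussed here) of a type-checker for a tiny typed language: checking a term against a typing context is a simple, always-terminating traversal, even though searching for a term of a given type is in general much harder.

```python
# A type-checker for the simply typed lambda calculus: types are either
# the base type "b" or arrow types ("->", t1, t2); terms are variables,
# lambda-abstractions annotated with their argument type, and applications.
def type_of(term, ctx=()):
    kind = term[0]
    if kind == "var":                      # ("var", name)
        _, name = term
        for n, t in ctx:
            if n == name:
                return t
        raise TypeError(f"unbound variable {name}")
    if kind == "lam":                      # ("lam", name, arg_type, body)
        _, name, arg_type, body = term
        body_type = type_of(body, ((name, arg_type),) + ctx)
        return ("->", arg_type, body_type)
    if kind == "app":                      # ("app", fun, arg)
        _, fun, arg = term
        fun_type = type_of(fun, ctx)
        if fun_type[0] != "->" or fun_type[1] != type_of(arg, ctx):
            raise TypeError("ill-typed application")
        return fun_type[2]
    raise TypeError(f"unknown term {term!r}")
```

For instance, the identity function `("lam", "x", "b", ("var", "x"))` is assigned the arrow type `("->", "b", "b")`, while applying it to itself is rejected, all by a terminating check.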

This process for producing new algorithms and theorems is a novelty in the development of mathematical knowledge or algorithms, and new working methods must be devised for it to become a productive approach to high quality software development. Questions that arise are numerous. How do we avoid requiring human assistance to work on mundane aspects of proofs? How do we take advantage of all the progress made in automatic theorem proving? How do we organize the maintenance of ambitious corpora of formally verified knowledge in the long term?

To acquire hands-on expertise, we concentrate our activity on three aspects. The first one is foundational: we develop and maintain a library of mathematical facts that covers many aspects of algebra. In the past, we applied this library to proofs in group theory, but it is increasingly used in many different areas of mathematics and by other teams around the world, from combinatorics to elliptic-curve cryptography, for instance. The second aspect is applicative: we develop a specific tool for proofs in cryptography, where we need to reason about the probability that opponents manage to access information we wish to protect. For this activity, we develop a specific proof system, relying on a wider set of automatic tools, with the objective of finding tools well adapted to this domain and of attracting users who are initially specialists in cryptography but not in formal verification. The third domain is robotics, as we believe that the current trend towards ever more autonomous robots and vehicles will raise questions of safety and trustability where formal verification can bring significant added value.

The Mathematical Components library is the main by-product of an effort started almost two decades ago to provide a formally verified proof of a major theorem in group theory. Because this theorem had a proof published in books of several hundred pages, with elements coming from character theory, others from algebra, and some from real analysis, the effort was an exercise in building a large library, with results in many domains, and in establishing clear guidelines for further growth and for searching the library.

This library has proved to be a useful repository of mathematical facts for a wide range of applications, so that it has a growing community of users in many countries (Denmark, France, Germany, Japan, Singapore, Spain, Sweden, UK, USA) and for a wide variety of topics (transcendental number theory, elliptic-curve cryptography, articulated robot kinematics, and, recently, blockchain foundations).

Interesting questions on this library range from the importance of decidability and proof irrelevance, to the way knowledge is structured so that theorems are automatically inherited from one topic to another, to the infrastructure that makes this automation efficient and predictable. In particular, we want to concentrate on adding a new mathematical topic to this library: real analysis and then complex analysis (Mathematical Components Analysis).

On the front of automation, we are convinced that a higher-level language is required to describe similarities between theories, to generate theorems that are immediate consequences of structures, and so on; for this reason, we invest in the development of a new language on top of the proof assistant (ELPI).

When we work on cryptography, we are interested in the formal verification of proofs showing that certain cryptographic primitives provide good guarantees against unwanted access to information. Over the years we have developed a technique for this kind of reasoning that relies on a programming logic (close to Hoare logic) with probabilistic aspects and the capability to establish relations between several implementations of a problem. The resulting programming logic is called probabilistic relational Hoare logic. We also study questions of side-channel attacks, where we wish to guarantee that opponents cannot gain access to protected knowledge even if they observe specific features of execution, such as execution time (to which the answer lies in constant-time execution) or partial access to memory bits (to which the answer lies in masking).
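A minimal illustration of the constant-time idea, sketched here in Python (our illustration, not the verified implementations discussed in this report): two secrets are compared by accumulating a bitwise difference, so that the running time does not depend on the position of the first mismatch.

```python
# Constant-time equality of two byte strings: rather than returning at
# the first mismatch (which leaks the mismatch position through timing),
# accumulate the XOR of every byte pair and test the accumulator once.
def ct_equal(a: bytes, b: bytes) -> bool:
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0
```

For real applications, standard libraries provide vetted versions of this primitive (for instance `hmac.compare_digest` in Python); the point here is only the shape of the reasoning: the loop performs the same work on every input of a given length.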

For this domain of application, we chose to work with a specific proof tool (EasyCrypt), which combines powerful first-order reasoning and the use of automatic tools with specific support for probabilistic relational Hoare logic. The development of the EasyCrypt proof tool is one of the objectives of our team.

When it comes to formal proofs of resistance to side-channel attacks, we contend that it is necessary to verify formally that the compiler used in the production of actually running code respects the resistance properties that were established in formally verified proofs. One of our objectives is to develop such a compiler (Jasmin) and show its strength on a variety of applications.

The pair of tools EasyCrypt and Jasmin has also proved its worth in the formal verification of correctness for post-quantum cryptography.

Robots are man-made artifacts where numerous design decisions can be argued based on logical or mathematical principles. For this reason, we wish to use this domain of application as a focus for our investigations. The questions for which we are close to providing answers involve precision issues in numeric computation, obstacle avoidance and motion planning (including questions of graph theory), articulated limb kinematics and dynamics, and balance and active control.

From the mathematical perspective, these topics require that we improve our library to cover real algebraic geometry, computational geometry, real analysis, graph theory, and refinement relations between abstract algorithms and executable programs.

In the long run, we hope to exhibit robots where pieces of software and part of the design have been subject to formal verification.

The software tools EasyCrypt and Jasmin that we develop are instrumental for the Libjade library, with a notable application to the formal verification of NIST-selected post-quantum cryptography algorithms like Dilithium.

Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. We highlight some of the most impactful changes here:

The guard checker (see Guarded) now ensures strong normalization under any reduction strategy.

Irrelevant terms (in the SProp sort) are now squashed to a dummy value during conversion, fixing a subject reduction issue and making proof conversion faster.

Introduction of reversible coercions, which allow coercions relying on meta-level resolution such as type classes or canonical structures. Coercions that do not fulfill the uniform inheritance condition are also allowed.

Generalized rewriting support for rewriting with Type-valued relations and in Type contexts, using the Classes.CMorphisms library.

Added the boolean equality scheme command for decidable inductive types.

Added a Print Notation command.

Incompatibilities in name generation for Program obligations, in eauto's treatment of tactic failure levels, in the use of ident in notations, and in the parsing of module expressions.

Standard library reorganization and deprecations.

Improved the treatment of standard library numbers by Extraction.

See https://coq.inria.fr/refman/changes.html#version-8-16 for a detailed changelog.

The ELPI programming language has the following features:

- Native support for variable binding and substitution, via a Higher-Order Abstract Syntax (HOAS) embedding of the object language. The programmer does not need to care about technical devices for handling bound variables, such as De Bruijn indices.

- Native support for hypothetical contexts. When moving under a binder, one can attach extra information to the bound variable; this information is collected when the variable goes out of scope. For example, when writing a type-checker, the programmer need not care about managing the typing context.

- Native support for higher-order unification variables, again via HOAS. Unification variables of the meta-language (lambdaProlog) can be reused to represent the unification variables of the object language. The programmer does not need to care about the unification-variable assignment map and cannot assign to a unification variable a term containing variables out of scope, or build a circular assignment.

- Native support for syntactic constraints and their meta-level handling rules. The generative semantics of Prolog can be disabled by turning a goal into a syntactic constraint (suspended goal). A syntactic constraint is resumed as soon as relevant variables get assigned. Syntactic constraints can be manipulated by constraint handling rules (CHR).

- Native support for backtracking, to ease implementation of search.

- The constraint store is extensible. The host application can declare non-syntactic constraints and use custom constraint solvers to check their consistency.

- Clauses are graftable. The user is free to extend an existing program by inserting/removing clauses, both at runtime (using implication) and at "compilation" time by accumulating files.
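To see what the HOAS support saves, here is the kind of index bookkeeping a programmer must otherwise write by hand, sketched in Python with De Bruijn indices (our illustration, not ELPI or lambdaProlog code):

```python
# Lambda terms with De Bruijn indices: ("var", 0) refers to the nearest
# enclosing binder.  These helpers show the index bookkeeping that an
# HOAS meta-language performs automatically.

def shift(term, d, cutoff=0):
    """Shift free variables >= cutoff by d (needed whenever a term
    moves under a binder)."""
    kind = term[0]
    if kind == "var":
        k = term[1]
        return ("var", k + d) if k >= cutoff else term
    if kind == "lam":
        return ("lam", shift(term[1], d, cutoff + 1))
    return ("app", shift(term[1], d, cutoff), shift(term[2], d, cutoff))

def subst(term, j, s):
    """Substitute s for variable j, adjusting indices under binders."""
    kind = term[0]
    if kind == "var":
        return s if term[1] == j else term
    if kind == "lam":
        return ("lam", subst(term[1], j + 1, shift(s, 1)))
    return ("app", subst(term[1], j, s), subst(term[2], j, s))

def beta(body, arg):
    """Beta-reduce (lambda. body) applied to arg."""
    return shift(subst(body, 0, shift(arg, 1)), -1)
```

In lambdaProlog, all of this shifting and substitution is delegated to the binders of the meta-language.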

Most of these features come with lambdaProlog. Constraints and propagation rules are novel in ELPI.

ELPI implements a variant of lambdaProlog enriched with Constraint Handling Rules, a programming language well suited to manipulate syntax trees with binders and unification variables.

ELPI is a research project aimed at providing a programming platform for the so-called elaborator component of an interactive theorem prover.

ELPI is designed to be embedded into larger applications written in OCaml as an extension language. It comes with an API to drive the interpreter and with an FFI for defining built-in predicates and data types, as well as quotations and similar goodies that come in handy to adapt the language to the host application.

The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This ensures that many properties proved about a source program, such as safety, termination, and functional correctness, carry over to the corresponding assembly program.

Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

In 2022, two major versions were released. The first one, 2022.04.0, is the result of more than two years of development, and thus brings major new features to the language, including support for local functions and sub-arrays. The second one, 2022.09.0, adds in particular support for system calls, which makes it possible, for instance, to call an operating-system function that returns random data.

Work to support multiple architectures has progressed well. The support for 32-bit ARM was merged and is being polished.

Work on "Speculative Load Hardening", a transformation making a program resistant to some Spectre attacks, is ongoing. In parallel, another line of work aims to add arrays whose length is not known at compile time.

A didactic Coq development introducing various styles of semantics. It shows how to derive an interpreter, a compiler, a verifier, or a program analyser from formal descriptions, and how to prove their consistency.

This is a library for the Coq system, where the description of a toy programming language is presented. The value of this library is that it can be re-used in classrooms to teach programming language semantics or the Coq system. The topics covered include introductory notions of domain theory, pre- and post-conditions, abstract interpretation, compilation, and the proofs of consistency between all these views of the same programming language. Standalone tools for the object programming language can be derived from this development.

We have developed a new logic for bounding the expectation of a function in a probabilistic program. This logic has been integrated in the EasyCrypt tool and used to bound the expected cost of two algorithms: randomized QuickSelect (a selection variant of quicksort) and the skip list data structure.
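To give a concrete feel for the kind of algorithm whose expected cost is bounded, here is a sketch of randomized QuickSelect in Python (our illustration, not the formalized version): its expected number of comparisons is linear in the input size, although any single run may do more work.

```python
import random

def qselect(k, xs, rng=random.Random(2022)):
    """Return the k-th smallest element (k counted from 0) of a list of
    distinct elements: draw a pivot at random, partition, and recurse
    into the side containing the answer.  The expected number of
    comparisons is O(len(xs))."""
    pivot = rng.choice(xs)
    smaller = [x for x in xs if x < pivot]
    larger = [x for x in xs if x > pivot]
    if k < len(smaller):
        return qselect(k, smaller, rng)
    if k >= len(xs) - len(larger):
        return qselect(k - (len(xs) - len(larger)), larger, rng)
    return pivot
```

The expectation logic mentioned above is precisely what lets one state and prove such linear bounds on the random variable counting comparisons.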

In 2016, NIST initiated a competition for standardizing cryptographic algorithms that could withstand quantum adversaries. The competition recently reached an important milestone with the selection of four standards: one KEM (Kyber) and three signature algorithms (Dilithium, Falcon, Sphincs+). Dilithium is a lattice-based digital signature scheme based on the Fiat-Shamir with aborts (FSa) paradigm introduced by Lyubashevsky. First, we identified a subtle gap that appears in several ROM and QROM security proofs of Dilithium and other schemes based on FSa. Second, we provided fixed proofs, both for the ROM and the QROM. Third, we mechanized the ROM proof completely in the EasyCrypt proof assistant. This work builds on the logic for expectation presented in the previous section.

The current gold standard for cryptographic software is to write efficient libraries with systematic protections against timing attacks. To meet this goal, cryptographic engineers increasingly use high-assurance cryptography tools. However, these tools reason about overly simple execution models that elide transient-execution leakage, so implementations they validate remain potentially vulnerable to transient-execution attacks such as Spectre or Meltdown. Moreover, proposed countermeasures are not used in practice due to performance overhead. We have proposed, analyzed, implemented, and evaluated an approach for writing efficient cryptographic implementations in Jasmin that are protected against Spectre v1 attacks. Our approach ensures speculative constant-time execution, enforced by means of a (value-dependent) information-flow type system. We implemented it in the Jasmin framework for high-assurance cryptography and used it to protect all implementations of an experimental cryptographic library named Libjade, which includes highly optimized implementations of symmetric primitives, of elliptic-curve cryptography, and of Kyber, a lattice-based KEM recently selected by NIST for standardization. The performance impact of our protections is very low; for example, less than 1% for Kyber and essentially zero for the curve X25519.

Cryptographic constant-time (CT) is a popular programming discipline used by cryptographic libraries to protect themselves against timing attacks. The CT discipline aims to enforce that program execution does not leak secrets, where leakage is defined by a formal leakage model. Constant-timeness can be checked automatically by many tools. However, most sound tools are focused on a baseline (BL) leakage model where memory addresses and conditional branches leak but other basic operations do not. In other models, operations like division can leak the values of their arguments, or only the cache line of a memory address can leak. We have developed a verification infrastructure, which proves that source programs are constant-time, and a compiler infrastructure, which provably preserves constant-timeness, for these fine-grained policies. By making both infrastructures parametric in the leakage model, we achieve the first approach that supports fine-grained constant-time policies. We implemented the approach in the Jasmin tool and evaluated it on examples from the literature: OpenSSL and wolfSSL. We found a bug in OpenSSL and provided a formally verified fix. This work has been published at CCS 2022 [8].

We studied how to use coq-elpi to implement fast equality tests for inductive datatypes in Coq. The complete work, including benchmarks verifying the asymptotic behavior with respect to the number of constructors, is ready for publication and will appear in 2023 [11].

The article describing the work on the formalization of "basic building blocks of double-word arithmetics" has been published.

Our collaboration on the formalization of algorithms for Euclidean norms continues. This year we formalized the algorithm presented in the article in the case without overflow or underflow. This algorithm uses a result of Rump and Lange on iterated sums of floating-point numbers, which we also formalized. The article describing this work has just been published in Transactions on Mathematical Software [4].

Currently, within the ANR project Nuscap, we have undertaken the formalization of the fast Fourier transform (FFT).

As a first milestone, we formalized the correctness proof of the classic algorithm, which works over an arbitrary integral ring [13].

We also formalized algorithms for the multiplication of complex numbers, as well as the proofs of several algorithms from an article by Kahan concerning the accurate computation of a*b + c*d for four floating-point numbers, which is useful for the multiplication of complex numbers.
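The shape of such an algorithm can be sketched as follows (our Python transcription of Kahan's scheme, not the formalized statement). The key step is an error-free transformation of one product: in Kahan's algorithm the rounding error is recovered by a fused multiply-add instruction; here we recover it with exact rational arithmetic only to keep the sketch dependency-free.

```python
from fractions import Fraction

def two_product(c, d):
    """Error-free transformation of a product: returns (w, e) with
    w = fl(c*d) and w + e == c*d exactly.  (The error of a product of
    two doubles is itself representable, barring underflow.)  In
    Kahan's algorithm, e is produced by one FMA instruction."""
    w = c * d
    e = float(Fraction(c) * Fraction(d) - Fraction(w))
    return w, e

def kahan_sum_of_products(a, b, c, d):
    """Accurate a*b + c*d: round c*d, recover its rounding error e,
    add a*b to the rounded product (one FMA in Kahan's scheme), and
    reinject e at the end to compensate for cancellation."""
    w, e = two_product(c, d)
    f = a * b + w
    return f + e
```

The compensation term e is exactly what prevents catastrophic cancellation when a*b and c*d nearly cancel, the situation that arises in complex multiplication.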

In order to support the handling of functions in the development of the Lebesgue integral, we developed a library of injective/surjective/bijective functions from one subset to another, with automated inference of compositions, and overloading of the function-inverse symbol and its theory.

We formalized a dedicated type for the positive elements of a numeric domain (such as the rationals, the real numbers, or the complex numbers), as well as for the positive extended reals. We designed it with enough generality to also encompass positive, negative, non-positive, non-negative, and non-zero elements, with fast automated inference of positivity in many cases. This makes it possible to discharge automatically many trivial proofs of positivity.
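The design idea can be mimicked in an ordinary programming language (a much simplified Python sketch with hypothetical names, not the formalized construction): positivity is established once, at construction time, and every operation on the type preserves it, so client code never has to re-check it.

```python
class Pos:
    """Positive numbers as a dedicated type: the constructor checks
    positivity once, and the arithmetic operations are closed on the
    type, so downstream code never has to re-prove positivity."""

    def __init__(self, value: float):
        if not value > 0:
            raise ValueError("Pos requires a positive value")
        self.value = value

    def __add__(self, other: "Pos") -> "Pos":
        return Pos(self.value + other.value)   # a sum of positives is positive

    def __mul__(self, other: "Pos") -> "Pos":
        return Pos(self.value * other.value)   # a product of positives is positive
```

In the formalized setting, the analogue of the constructor check is a proof obligation discharged automatically in many cases, which is what makes the type practical to use.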

After we provided a construction of the Lebesgue measure, we continued with Lebesgue integration. We proved the monotone convergence theorem, the dominated convergence theorem, and Fubini's theorem. This is part of MathComp analysis.

We extended an existing formalization of measure and integration theory with s-finite kernels, a mathematical structure used to interpret typing judgments in the semantics of a probabilistic programming language. The resulting library makes it possible to reason formally about transformations of probabilistic programs and their execution. This is published in a paper to appear in early 2023 [7].

In this ongoing work, we rephrase and restructure the results from "The Marriage of Univalence and Parametricity", in order to retain translations even without univalence.

We explore an alternative to the packaging of signatures and sets, based on a mixture of class-based inference and structure-based inference. The result of this experiment is available as teasing material for the LiberAbaci Inria challenge.

We got interested in the djbsort library, a library for sorting numbers in a cryptographic context. As an initial step, we formalized the proofs of the main sorting-network algorithms: bitonic sort, odd-even merge, and odd-even exchange [12].

The mechanism of type classes is a typical addition to dependent type theory that makes the overloading of notations and the re-use of generic theorems elegant. In this work, we explore how such a system can be implemented using the ELPI language. With such a high-level language description we hope to clarify the key points of the mechanism and ease its fine-tuning and improvements.

Two prototypes have been developed: one for Coq and one for Lambdapi (the basis of Dedukti).

Hierarchy Builder is still being improved, aiming for complete integration in released versions of Mathematical Components and MathComp Analysis.

We added a new feature to the Jasmin compiler: clearing the stack when exiting functions. The proof of correctness for this feature is still ongoing work. We finished the work of generalizing the compiler so that it can generate code for different architectures. We started implementing an ARM code producer, but it is not completely functional yet. Three releases of Jasmin were published in 2022.

We continue our study of approaches to combine two mechanized tools to verify protocols.

We developed a translation from CryptoVerif to EasyCrypt that allows cryptographic assumptions that cannot be proved in CryptoVerif to be translated to EasyCrypt and proved there. We used the translation to prove different hypotheses assumed in CryptoVerif:

For the formalization of the proof of the reduction linked to the Computational/Gap Diffie-Hellman (CDH/GDH) games, we relied on a set of properties, called nominal groups by Bruno Blanchet, that are common to prime-order groups, Curve25519, and Curve448. We verified that Curve25519 and Curve448 are actually models of nominal groups, using EasyCrypt as a proof-checker, and we spotted two problems in the formalization of these properties as used in 7.18. The first was a mistake on our part. The second was a property that turned out to be too strong and did not hold for Curve25519 and Curve448. However, the proof from 7.18 did not need to be modified, since the restrictions we needed to add to fix these problems were already met.

In the process we found another needed correction. There are several definitions of the concept of statistical distance between distributions, and the pen-and-paper proof was using them as if they were equivalent; though they are indeed related, they are not equivalent. Besides fixing three problems in the proof of these reductions, showing yet again the benefit of a complete formal proof, the formalization of the properties of Curve25519 and Curve448 will make it possible to increase the level of confidence in some of the proofs in Libjade. These curves are commonly used in reference cryptographic algorithms, but until now there were no EasyCrypt proofs of their properties, which therefore had to be axiomatized. This work will be completed shortly after the completion of 7.20, making it easier to justify the minor remaining gaps.

In an effort to complete EasyCrypt with proofs of properties that will be needed for future developments, we started working on a library of field extensions. Most of the remaining work is about adding missing lemmas on permutations and on polynomial Euclidean division, the latter being the main focus locally. We are done with the properties of division when the polynomials are defined over rings, while the case of fields still needs to be completed. We take inspiration from the development of polynomial Euclidean division in the MathComp library for the choice of the statements of the lemmas. However, the definitions of the operations differ: in the MathComp library, the operators capturing these definitions are defined recursively, while in EasyCrypt recursion is not allowed, so we use iterators instead. Since the operations do not have the same definitions, the MathComp proof is mostly a source of inspiration, as one obviously cannot prove in a single way that the same property holds for two distinct operations. Some of the lemmas about polynomial Euclidean division will also be used to conclude the proof of 7.19.
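The flavor of the iterator-based definition can be conveyed by an iterative (non-structurally-recursive) Euclidean division of polynomials, sketched here in Python with floats standing in for field coefficients (our illustration, not the EasyCrypt development):

```python
def poly_divmod(a, b):
    """Euclidean division of polynomials over a field (floats stand in
    for field elements).  Coefficients are listed low-degree first; the
    main loop is a plain bounded iteration rather than a structural
    recursion, mirroring the iterator-based style."""
    da, db = len(a) - 1, len(b) - 1
    if db < 0 or b[db] == 0:
        raise ValueError("divisor must have a nonzero leading coefficient")
    if da < db:
        return [0.0], list(a)
    r = list(a)                 # running remainder
    q = [0.0] * (da - db + 1)   # quotient coefficients
    for i in range(da - db, -1, -1):
        c = r[i + db] / b[db]   # eliminate the current leading term
        q[i] = c
        for j in range(db + 1):
            r[i + j] -= c * b[j]
    return q, r[:db]            # remainder has degree < deg b
```

The number of loop iterations is fixed in advance by the degrees, which is exactly the property that makes an iterator-style definition possible where unrestricted recursion is not.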

The library contained two different definitions of cyclic groups, neither of which took advantage of existing material. We gave a third definition that supersedes the previous ones and modified the rest of the library to make sure the new one is used everywhere. This made it possible to detect maintenance issues with the library, especially with respect to continuous integration.

We are working on a formal description of Bézier curves and on the formal verification that curves of this kind do not collide with obstacles given by straight-line segments.
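A Bézier curve is evaluated by repeated linear interpolation of its control points (de Casteljau's algorithm); a minimal Python sketch (our illustration, not the formalized development):

```python
def de_casteljau(t, points):
    """Evaluate the Bezier curve with the given control points at
    parameter t in [0, 1]: repeatedly interpolate between consecutive
    control points until a single point remains."""
    pts = list(points)
    while len(pts) > 1:
        pts = [
            ((1 - t) * x0 + t * x1, (1 - t) * y0 + t * y1)
            for (x0, y0), (x1, y1) in zip(pts, pts[1:])
        ]
    return pts[0]
```

A useful property for collision arguments is that the whole curve lies in the convex hull of its control points, so separating the control polygon from an obstacle separates the curve from it as well.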

We have been redesigning the communication protocol between Coq and its user-interface software to make it compliant with the Language Server Protocol (LSP) used in Visual Studio Code. We are now exploring the use of event-based programming for this integrated development environment.

The STAMP team participates with the Grace team (Inria Saclay) in the JASMIN contract funded in the framework of the Inria-Nomadic Labs collaboration for research related to the Tezos blockchain. This contract funds the PhD thesis of Swarn Priya.

Reynald Affeldt (AIST, Japan) visited the STAMP team from June 27 to July 8, to discuss the development of the Math-comp-analysis library and the project to verify algorithms computing trajectories.

Reynald Affeldt (AIST, Japan), Takafumi Saikawa (Nagoya University, Japan), and Kazuhiko Sakaguchi (University Tsukuba, Japan) visited the STAMP team from December 5 to December 12 to participate in the Mathematical Components winter school that was organized in Sophia Antipolis and discuss research projects around the formal verification of probability theory.

Ralf Hulsing, from Eindhoven University of Technology, visited the team from September to December to collaborate with Benjamin Grégoire on post-quantum cryptography.

The acronym FUI stands for “fonds unique interministériel” and is aimed at research and development projects in pre-industrial phase. The STAMP team is part of one such project.

Enrico Tassi organized a winter school on formalization using the Mathematical Components Library from December 5 to December 9, 2022. Yves Bertot, Cyril Cohen, Laurence Rideau, and Laurent Théry were also speakers at this school.

Assia Mahboubi and Enrico Tassi organized a workshop on the Mathematical Components Library on December 7.

Cyril Cohen was workshop chair for the conference ITP 2022 (Interactive Theorem Proving).

Enrico Tassi was a member of the program committee for the workshop F-IDE (Formal Integrated Development Environment).

Yves Bertot and Cyril Cohen reviewed papers for ITP 2022 (Interactive Theorem Proving), CSL (Computer Science Logic), CICM (Conference on Intelligent Computer Mathematics), and CoqPL (Coq for Programming Languages).

Yves Bertot, Cyril Cohen, Pierre Boutry, and Laurent Théry reviewed articles for JAR (Journal of Automated Reasoning), MSCS (Mathematical Structures in Computer Science), and LMCS (Logical Methods in Computer Science).

Benjamin Grégoire gave an invited talk on EasyCrypt at "Journées Codage & Cryptographie" in April 2022.

Yves Bertot is a member of the steering committee for the conference "Interactive Theorem Proving" (ITP).

Yves Bertot is the coordinator of the Inria Challenge "Liber Abaci" on formal proofs for the first years of higher education in mathematics.

Yves Bertot and Benjamin Grégoire supervise the thesis of Swarn Priya (Université Côte d'Azur).

Cyril Cohen supervised the thesis of Chris Hughes until September 2022.

Yves Bertot was a member of the jury for the thesis of Lucien Rakotomalala (Université de Toulouse).

Laurence Rideau is a member of the editorial board of Interstices, the Inria medium for outreach.

Yves Bertot and Maxime Dénès gave outreach talks at the OSXP conference (Open-Source Experience) in Paris in November 2022.