2.1 Programming securely with cryptography

In recent years, an increasing amount of sensitive data is being generated, manipulated, and accessed online, from bank accounts to health records. Both national security and individual privacy have come to rely on the security of web-based software applications. But even a single design flaw or implementation bug in an application may be exploited by a malicious criminal to steal, modify, or forge the private records of innocent users. Such attacks are becoming increasingly common and now affect millions of users every year.

The risks of deploying insecure software are too great to tolerate anything less than mathematical proof, but applications have become too large for security experts to examine by hand, and automated verification tools do not scale. Today, there is not a single widely-used web application for which we can give a proof of security, even against a small class of attacks. In fact, design and implementation flaws are still found in widely-distributed and thoroughly-vetted security libraries designed and implemented by experts.

Software security is in crisis. A focused research effort is needed if security programming and analysis techniques are to keep up with the rapid development and deployment of security-critical distributed applications based on new cryptographic protocols and secure hardware devices. The goal of our team Prosecco is to draw upon our expertise in cryptographic protocols and program verification to make decisive contributions in this direction.

Our vision is that, over its lifetime, Prosecco will contribute to making the use of formal techniques when programming with cryptography as natural as the use of a software debugger. To this end, our long-term goals are to design and implement programming language abstractions, cryptographic models, verification tools, and verified security libraries that developers can use to deploy provably secure distributed applications. Our target applications include cryptographic libraries, network protocol implementations, web applications, and cloud-based web services. In particular, we aim to verify full software applications, including both the cryptographic core and the high-level application code. Furthermore, we aim to verify implementations, not just models. Finally, we aim to account for computational cryptography, not just its symbolic abstraction.

We identify five key focus areas for our research in the short- to medium term.

3.1 Symbolic verification of cryptographic applications

Despite decades of experience, designing and implementing cryptographic applications remains dangerously error-prone, even for experts. This is partly because cryptographic security is an inherently hard problem, and partly because automated verification tools require carefully-crafted inputs and are not widely applicable. To take just the example of TLS, a widely-deployed and well-studied cryptographic protocol designed, implemented, and verified by security experts, the lack of a formal proof about all its details has regularly led to the discovery of major attacks (including several in Prosecco) on both the protocol and its implementations, after many years of unsuspecting use.

As a result, the automated verification for cryptographic applications is an active area of research, with a wide variety of tools being employed for verifying different kinds of applications.

In previous work, we have developed the following approaches:

• ProVerif: a symbolic prover for cryptographic protocol models
• F*: a new language that enables the verification of cryptographic applications

3.2 Computational verification of cryptographic applications

Proofs done by cryptographers in the computational model are mostly manual. Our goal is to provide computer support to build or verify these proofs. In order to reach this goal, we have designed the automatic tool CryptoVerif, which generates proofs by sequences of games. We already applied it to important protocols such as TLS 38 and Signal 53 but more work is still needed in order to develop this approach, so that it is easier to apply to more protocols.

Another tool we develop, called the Squirrel Prover, uses a symbolic approach called the compuatationally complete symbolic adversary (CCSA)  36 to verify cryptographic protocols in the computational model. Squirrel is an interactive theorem prover, hence provides less automation than CryptoVerif, but allows the user to guide the proof more easily when complex arguments are needed; and it is better-suited for some protocols, notably for stateful protocols.

A third approach is to directly verify executable cryptographic code by typing. A recent work 50 shows how to use refinement typechecking to prove computational security for protocol implementations. In this method, henceforth referred to as computational F*, typechecking is used as the main step to justify a classic game-hopping proof of computational security. The correctness of this method is based on a probabilistic semantics of F# programs and crucially relies on uses of type abstraction and parametricity to establish strong security properties, such as indistinguishability.

In principle, the three approaches—game-based proofs in CryptoVerif, interactive proofs in Squirrel, and typechecking proofs in F*—are complementary. Understanding how to combine these approaches remains an open and active topic of research. For example, CryptoVerif can generate OCaml implementations from CryptoVerif specifications that have been proved secure 47. We are currently working on this approach to generate implementations in F*.

3.3 F*: A Higher-Order Effectful Language for Program Verification

F* 63, 33 is a verification system for effectful programs developed collaboratively by Inria and Microsoft Research. It puts together the automation of an SMT-backed deductive verification tool with the expressive power of a proof assistant based on dependent types. After verification, F* programs can be extracted to efficient OCaml, F#, or C code 60. This enables verifying the functional correctness and security of realistic applications. F*'s type system includes dependent types, monadic effects, refinement types, and a weakest precondition calculus. Together, these features allow expressing precise and compact specifications for programs, including functional correctness and security properties. The F* type-checker aims to prove that programs meet their specifications using a combination of SMT solving and interactive proofs. The main ongoing use case of F* is building a verified, drop-in replacement for the whole HTTPS stack in Project Everest. This includes verified implementations of TLS 1.2 and 1.3 40 and of the underlying cryptographic primitives 65, 59, 58.

3.4 Efficient Formally Secure Compilers to a Tagged Architecture

Severe low-level vulnerabilities abound in today’s computer systems, allowing cyber-attackers to remotely gain full control. This happens in big part because our programming languages, compilers, and architectures were designed in an era of scarce hardware resources and too often trade off security for efficiency. The semantics of mainstream low-level languages like C is inherently insecure, and even for safer languages, establishing security with respect to a high-level semantics does not guarantee the absence of low-level attacks. Secure compilation using the coarse-grained protection mechanisms provided by mainstream hardware architectures would be too inefficient for most practical scenarios.

We aim to leverage emerging hardware capabilities for fine-grained protection to build the first, efficient secure compilation chains for realistic low-level programming languages (the C language, and Low* a safe subset of C embedded in F* for verification 60). These compilation chains will provide a secure semantics for all programs and will ensure that high-level abstractions cannot be violated even when interacting with untrusted low-level code. To achieve this level of security without sacrificing efficiency, our secure compilation chains target a tagged architecture 35, which associates a metadata tag to each word and efficiently propagates and checks tags according to software-defined rules. We hope to experimentally evaluate and carefully optimize the efficiency of our secure compilation chains on realistic workloads and standard benchmark suites. We are also using property-based testing and formal verification to provide high confidence that our compilation chains are indeed secure. Formally, we are constructing machine-checked proofs of a new security criterion we call robustly safe compilation, which is defined as the preservation of safety properties even against an adversarial context 32, 31. This strong criterion complements compiler correctness and ensures that no machine-code attacker can do more harm to securely compiled components than a component already could with respect to a secure source-level semantics.

3.5 Provably secure web applications

Web applications are fast becoming the dominant programming platform for new software, probably because they offer a quick and easy way for developers to deploy and sell their apps to a large number of customers. Third-party web-based apps for Facebook, Apple, and Google, already number in the hundreds of thousands and are likely to grow in number. Many of these applications store and manage private user data, such as health information, credit card data, and GPS locations. To protect this data, applications tend to use an ad hoc combination of cryptographic primitives and protocols. Since designing cryptographic applications is easy to get wrong even for experts, we believe this is an opportune moment to develop security libraries and verification techniques to help web application programmers.

As a typical example, consider commercial password managers, such as LastPass, RoboForm, and 1Password. They are implemented as browser-based web applications that, for a monthly fee, offer to store a user's passwords securely on the web and synchronize them across all of the user's computers and smartphones. The passwords are encrypted using a master password (known only to the user) and stored in the cloud. Hence, no-one except the user should ever be able to read her passwords. When the user visits a web page that has a login form, the password manager asks the user to decrypt her password for this website and automatically fills in the login form. Hence, the user no longer has to remember passwords (except her master password) and all her passwords are available on every computer she uses.

Password managers are available as browser extensions for mainstream browsers such as Firefox, Chrome, and Internet Explorer, and as downloadable apps for Android and Apple phones. So, seen as a distributed application, each password manager application consists of a web service (written in PHP or Java), some number of browser extensions (written in JavaScript), and some smartphone apps (written in Java or Objective C). Each of these components uses a different cryptographic library to encrypt and decrypt password data. How do we verify the correctness of all these components?

We propose three approaches. For client-side web applications and browser extensions written in JavaScript, we propose to build a static and dynamic program analysis framework to verify security invariants. To this end, we have developed two security-oriented type systems for JavaScript, Defensive JavaScript  48  and TS* 62, and used them to guarantee security properties for a number of JavaScript applications. For Android smartphone apps and web services written in Java, we propose to develop annotated JML cryptography libraries that can be used with static analysis tools like ESC/Java to verify the security of application code. For clients and web services written in F# for the .NET platform, we propose to use F* to verify their correctness. We also propose to translate verified F* web applications to JavaScript via a verified compiler that preserves the semantics of F* programs in JavaScript.

3.6 Design and Verification of next-generation protocols: identity, blockchains, and messaging

Building on our work on verifying and re-designing pre-existing protocols like TLS and Web Security in general, with the resources provided by the NEXTLEAP project, we are working on both designing and verifying new protocols in rapidly emerging areas like identity, blockchains, and secure messaging. These are all areas where existing protocols, such as the heavily used OAuth protocol, are in need of considerable re-design in order to maintain privacy and security properties. Other emerging areas, such as blockchains and secure messaging, can have modifications to existing pre-standard proposals or even a complete 'clean slate' design. As shown by Prosecco's work, newer standards, such as IETF OAuth, W3C Web Crypto, and W3C Web Authentication API, can have vulnerabilities fixed before standardization is complete and heavily deployed. We hope that the tools used by Prosecco can shape the design of new protocols even before they are shipped to standards bodies. We are currently contributing to the design and analysis of new extensions to the TLS protocol, such as Encrypted Client Hello, new secure messaging protocol such as IETF Messaging Layer Security (MLS), and to IoT protocols like the IETF Lightweight Authenticated Key Exchange (LAKE).

4.1 High-Assurance Cryptographic Libraries

Cryptographic libraries implement algorithms for symmetric and asymmetric encryption, digital signatures, message authentication, hashing, and key exchange. Popular libraries like OpenSSL, NSS, and BoringSSL are widely used in web browsers, operating system, and cloud services. We aim to apply our tools and verification techniques to build high-assurance high-performance cryptographic libraries that can be deployed in mainstream software applications. Our flagship project is HACL*, a verified cryptographic library that is written in the F* programming language.

4.2 Design and Analysis of Protocol Standards

Cryptographic protocol standards such as TLS, SSH, IPSec, and Kerberos are the trusted base on which the security of modern distributed systems is built. Our work enables the analysis and verification of such protocols, both in their design and implementation. We participate in standards organizations like the IETF and collaborate with industry groups to help them design and deploy secure protocols. For example, we built and verified models and reference implementations for the well-known TLS 1.3 protocol, using our tools ProVerif and CryptoVerif, before it was standardaized at he IETF and contributed to the protocol's final design.

4.3 Web application security

Web applications use a variety of cryptographic techniques to securely store and exchange sensitive data for their users. For example, a website may serve pages over HTTPS, authenticate users with a single sign-on protocol such as OAuth, encrypt user files on the server-side using XML encryption, and deploy client-side cryptographic mechanisms using a JavaScript cryptographic library. The security of these applications depends on the public key infrastructure (X.509 certificates), web browsers' implementation of HTTPS and the same origin policy (SOP), the semantics of JavaScript, HTML5, and their various associated security standards, as well as the correctness of the specific web application code of interest. We build analysis tools to find bugs in all these artifacts and verification tools that can analyze commercial web applications and evaluate their security against sophisticated web-based attacks.

5.1 Footprint of research activities

Our team's work focuses on the design, analysis, and implementation of cryptographic protocols. As such, we are dedicated to improving the security and privacy of all Web users. The output of our research is used, for example, to protect HTTPS connections used daily by millions of Mozilla Firefox users. On the whole, we strive to perform ethical research that improves the digital lives of citizens everywhere.

Our research does not by itself have any environmental impact, but our team does travel to conferences, and we regularly host international visitors, which incurs multiple international flights each year.

7.1 New software

7.2 New platforms

No new platforms in 2021

8.1 Survey on computer-aided cryptography

Participants: Bruno Blanchet, Karthikeyan Bhargavan.

In collaboration with Manuel Barbosa, Gilles Barthe, Cas Cremers, Kevin Liao, and Bryan Parno, we wrote a survey on computer-aided cryptography, published at IEEE Security and Privacy 2021 15.

8.2 Verification of security protocols in the symbolic model: tool ProVerif

Participants: Bruno Blanchet, Vincent Cheval.

In collaboration with Vincent Cheval and Véronique Cortier, we (Bruno Blanchet) wrote a paper on important improvements of ProVerif: 1) support for integer counters, with incrementation and inequality tests, 2) lemmas and axioms to give intermediate results to ProVerif, which it exploits to help proving subsequent queries, by deriving additional information in the Horn clauses that it uses to perform the proofs, 3) proofs by induction on the length of the trace, by giving as lemma the property to prove, but obviously for strictly shorter traces, 4) temporal queries, which allow to order events. The soundness of these features is proved (by hand). Moreover, many algorithms used in ProVerif (generation of clauses, resolution, subsumption ...) were optimized, resulting in impressive speedups on large examples. These features are included in ProVerif 2.02pl1 and the paper will appear at IEEE Security and Privacy 2022 20.

8.3 Verification of security protocols in the computational model: tool CryptoVerif

Participants: Karthikeyan Bhargavan, Bruno Blanchet, Benjamin Lipp.

Bruno Blanchet continued the development of our protocol verification tool CryptoVerif. The new features of this year are detailed in the section on software.

In collaboration with Joël Alwen, Eduard Hauck, Eike Kiltz, and Doreen Riepel, team members Bruno Blanchet and Benjamin Lipp verified the Hybrid Public Key Encryption (HPKE) scheme. It is an emerging standard currently under consideration by the Crypto Forum Research Group (CFRG) of the IETF as a candidate for formal approval. Of the four modes of HPKE, we analyse the authenticated mode ${\mathrm{𝖧𝖯𝖪𝖤}}_{\mathrm{𝖠𝗎𝗍𝗁}}$ in its single-shot encryption form as it contains what is, arguably, the most novel part of HPKE. ${\mathrm{𝖧𝖯𝖪𝖤}}_{\mathrm{𝖠𝗎𝗍𝗁}}$'s intended application domain is captured by a new primitive which we call Authenticated Public Key Encryption (APKE). We provide syntax and security definitions for APKE schemes, as well as for the related Authenticated Key Encapsulation Mechanisms (AKEMs). We prove security of the AKEM scheme $\mathrm{𝖣𝖧}\mathrm{𝖠𝖪𝖤𝖬}$ underlying ${\mathrm{𝖧𝖯𝖪𝖤}}_{\mathrm{𝖠𝗎𝗍𝗁}}$ based on the Gap Diffie-Hellman assumption and provide general AKEM/DEM composition theorems with which to argue about ${\mathrm{𝖧𝖯𝖪𝖤}}_{\mathrm{𝖠𝗎𝗍𝗁}}$'s security. To this end, we also formally analyse ${\mathrm{𝖧𝖯𝖪𝖤}}_{\mathrm{𝖠𝗎𝗍𝗁}}$'s key schedule and key derivation functions. All these proofs are done using the automatic computational verifier CryptoVerif. As an independent contribution, we propose the new framework of nominal groups that allows us to capture abstract syntactical and security properties of practical elliptic curves, including the Curve25519 and Curve448 based groups (which do not constitute cyclic groups). This work appeared at EuroCrypt 2021 13 (long version  34).

Benjamin Lipp, Bruno Blanchet, and Karthikeyan Bhargavan implemented a compiler from CryptoVerif models to executable F* implementations. This compiler extends a previous translation from CryptoVerif to OCaml by generating lemmas for equational assumptions made on primitives in CryptoVerif. These assumptions can then be proved in F*. For instance, we prove that message parsing composed with the corresponding serialization is the identity. In the future, we plan to translate the security properties proved by CryptoVerif into F*, so that these properties can be assumed in subsequent F* proofs.

In collaboration with Pierre-Yves Strub (Ecole Polytechnique), Pierre Boutry, Christian Doczkal, et Benjamin Grégoire (Inria Sophia), team member Bruno Blanchet worked on a translation from CryptoVerif security assumptions on primitives to EasyCrypt. These assumptions can then be proven in EasyCrypt from lower-level cryptographic assumptions. This is useful since CryptoVerif provides a high degree of automation but is better at proving protocols than primitives, while EasyCrypt has the expressive power needed to reason both about protocols and about the correctness of primitives, but this expressive power comes at the cost of providing less automation. Hence, proving primitives in EasyCrypt and protocols in CryptoVerif provides the best trade-off. We applied our approach to the proof of the Computational Diffie-Hellman (CDH) model in CryptoVerif (which includes several Diffie-Hellman pairs and allows key compromise) from the standard CDH assumption for one Diffie-Hellman pair. We are currently working to apply it to the Gap Diffie-Hellman model and to an authenticated Key Encapsulation Mechanism (AKEM).

8.4 Verification of Security Protocols in the Computational Model: Squirrel

Participants: Adrien Koutsos.

In collaboration with David Baelde, Stephanie Delaune, Charlie Jacomme and Solene Moreau, Adrien Koutsos designed a new framework and an interactive prover – the Squirrel Prover – allowing to mechanize proofs of security protocols for an arbitrary number of sessions in the computational model. This framework consists of a meta-logic based upon the CCSA logic  37, and a proof system for deriving security properties. Proofs in Squirrel only deal with high-level, symbolic representations of protocol executions, similar to proofs in the symbolic model, but providing security guarantees at the computational level. We have performed a number of case studies in Squirrel, covering a variety of primitives (e.g. hashes, encryption) and security properties (e.g. authentication, unlinkability). This work has been published at IEEE Security and Privacy 2021 14, and the Squirrel Prover is open source, and continues to be developed.

Squirrel approach to protocol security is complementary w.r.t. existing tools in the computational model (e.g. CryptoVerif or EasyCrypt). Squirrel particularly shines when analyzing stateful protocols, which are often out-of-reach of existing tools, or require a very large amount of work. Work in that direction has been started, and early results have been presented at the LFMTP'21 workshop 25.

8.5 Mechanized Complexity Proofs for Cryptographic Reductions

Participants: Adrien Koutsos.

In collaboration with Manuel Barbosa, Gilles Barthe, Benjamin Gregoire and Pierre-Yves Strub, Adrien Koutsos enhanced the EasyCrypt proof assistant with a Hoare logic for reasoning about computational complexity (execution time and oracle calls) of adversarial computations. Our Hoare logic is built on top of EasyCrypt module system used for modeling adversaries. We proved that our logic is sound w.r.t. EasyCrypt semantics — incidentally, our work provided the first full semantics for the EasyCrypt module system, which was previously lacking. We exemplified this extension by revisiting the security proofs of some well-known cryptographic constructions, and by conducting a new formalization of Universal Composability (UC). This work was published at ACM CCS'21 16, and has been integrated in the EasyCrypt tool.

8.6 Journal Paper: Decidability Result

Participants: Adrien Koutsos.

A journal version of the IEEE CSF'19 paper  54:

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability

has been published at ACM Transactions on Computational Logic 11. In this work, we prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an $ind-cc{a}_2$ encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.

8.7 High-Assurance High-Performance Crypto

Participants: Karthikeyan Bhargavan, Marina Polubelova, Benjamin Beurdouche, Natalia Kulatova, Jonathan Protzenko, Adrien Koutsos.

Since 2017, we maintain and distribute the HACL* verified cryptographic library, which is currently deployed in many mainstream software applications and high-performance networking stacks including Mozilla Firefox, Linux Kernel, WireGuard VPN, Microsoft WinQuic, Tezos Blockchain, and ElectionGuard.

While HACL* includes best-in-class C implementations of many popular cryptographic algorithms, on certain platforms, significantly improved performance can be obtained by exploiting low-level instructions that are only available to assembly code. The EverCrypt API brings together verified C code from HACL* with verified Intel assembly code from the Vale project and packages them in a verified multiplexed agile API that can be conveniently used by applications. Our work resulted in a new release of HACL* and a paper at the IEEE Security and Privacy conference 59.

In a second line of work, we propose a new methodology called HACLxN for building formally verified cryptographic code that exploits single-instruction multiple data (SIMD) parallelism. We show how to write and verify code once and then compile it to multiple platforms that support vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We apply our methodology to obtain verified vectorized implementations in C on all these platforms for the ChaCha20 encryption algorithm, the Poly1305 one-time MAC, and the SHA-2 and Blake2 families of hash algorithms. The resulting C code has performance that is comparable to hand-optimized assembly for these platforms. This work led to a new release of HACL* and a paper at ACM CCS 2020 58. This year we extended HACL* with code for more primitives, such as RSA-PSS and FFDHE, based on a generic verified Bignum library. We also added support for IBMz and Power architectures.

High-assurance cryptography aims at building efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics does not correspond to the behavior of modern processors, that make use of speculative execution to improve performance. This semantics mismatch has been exploited to conduct attacks (e.g. Spectre). In a new line of work, published at IEEE Security and Privacy 2021 17, we showed that the benefits of high-assurance cryptography can be extended to speculative execution, costing only a modest performance overhead. To do this, we built atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution. This approach has been validated experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which have been proved secure against both traditional timing and speculative execution attacks.

8.8 Verification of cryptographic protocol implementations in the symbolic model: the DY* framework

Participants: Karthikeyan Bhargavan.

In collaboration with colleagues at the University of Stuttgart and IIT Gandhinagar, we developed DY*, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks.

Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.

DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.

The design of DY* and a detailed analysis of Signal was published at IEEE Euro S&P 2021 19 and a tutorial introduction to the framework appeared in 24. We also applied DY* to an in-depth analysis of the ACME protocol, which is used by the LetsEncrypt CA to issue the majority of certificates on the Web 18.

8.9 Extensions to F*

Participants: Denis Merigoux.

Since 2010, our group contributes to the design, implementation, and application of the F* programming language and verification work.

In new work this year, we developed a semantics for concurrent separation logic (CSL) within the F* proof assistant in a manner that enables dependently-typed, effectful F* programs to make use of concurrency and to be specified and verified using a full-featured, extensible CSL. In contrast to prior approaches, we directly derive the partial-correctness Hoare rules for CSL from the denotation of computations in the effectful semantics of non-deterministically interleaved atomic actions. Demonstrating the flexibility of our semantics, we build generic, verified libraries that support various concurrency constructs, ranging from dynamically allocated, storable spin locks, to protocol-indexed channels. This work has led to on ongoing re-architecture of the core of the F* framework, and was published at ICFP 2020  64.

8.10 Formalizing and Implementing Tax Law

Participants: Denis Merigoux, Aymeric Fromherz.

In France, income tax is computed from taxpayers' individual returns, using an algorithm that is authored, designed and maintained by the French Public Finances Directorate (DGFiP). Owing to the shortcomings of its custom programming language and the technical limitations of the compiler, the algorithm is proving harder and harder to maintain, relying on ad-hoc behaviors and workarounds to implement the most recent changes in tax law. As an improvement to this infrastructure, we developed Mlang, an open-source compiler toolchain that has been thoroughly validated against the private DGFiP test suite. Mlang has a formal semantics; eliminates previous handwritten workarounds in C; compiles to modern languages (Python); and enables a variety of instrumentations, providing deep insights about the essence of French income tax computation. The DGFiP is now officially transitioning to Mlang for their production system. This line of work has yielded papers at CC 2020 22 and JFLA  56, as well as a successful industrial technology transfer from Inria to DGFiP.

2021 has seen the development of a new domain-specific language, Catala, targeted specifically for legal expert systems. This new domain-specific language has been built in close collaboration with lawyers, and advertised to that community with a number of legal-oriented papers  52, 51. On the formal methods side, the simple and clean design of the Catala semantics 12 allows for extension into a proper proof platform for the law 23.

9.1 Bilateral grants with industry

10.1 National initiatives

11.1 Promoting scientific activities

11.2 Teaching - Supervision - Juries

11.3 Popularization

12.1 Major publications

• 1 articleM.Martín Abadi, B.Bruno Blanchet and C.Cédric Fournet. The Applied Pi Calculus: Mobile Values, New Names, and Secure Communication.Journal of the ACM (JACM)651October 2017, 1 - 103
  HALDOI
• 2 inproceedingsD.David Baelde, S.Stéphanie Delaune, C.Charlie Jacomme, A.Adrien Koutsos and S.Solène Moreau. An Interactive Prover for Protocol Verification in the Computational Model.SP 2021 - 42nd IEEE Symposium on Security and PrivacyProceedings of the 42nd IEEE Symposium on Security and Privacy (S&P'21)San Fransisco / Virtual, United StatesMay 2021
  HAL
• 3 inproceedingsK.Karthikeyan Bhargavan, B.Bruno Blanchet and N.Nadim Kobeissi. Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate.38th IEEE Symposium on Security and PrivacySan Jose, United StatesMay 2017, 483 - 502
  HALDOI
• 4 inproceedingsK.Karthikeyan Bhargavan, A.Antoine Delignat-Lavaud, C.Cédric Fournet, A.Alfredo Pironti and P.-Y.Pierre-Yves Strub. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS.IEEE Symposium on Security and Privacy (Oakland)2014, 98--113
  HAL
• 5 inproceedingsB.Bruno Blanchet, V.Vincent Cheval and V.Véronique Cortier. ProVerif with Lemmas, Induction, Fast Subsumption, and Much More.S&P'22 - 43rd IEEE Symposium on Security and PrivacySan Francisco, United StatesMay 2022
  HAL
• 6 articleB.Bruno Blanchet. Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif.Foundations and Trends in Privacy and Security11--2OCT 2016, 1--135
  HAL
• 7 inproceedingsV.Vincent Cheval, S.Steve Kremer and I.Itsaka Rakotonirina. DEEPSEC: Deciding Equivalence Properties in Security Protocols - Theory and Practice.39th IEEE Symposium on Security and PrivacySan Francisco, United StatesMay 2018
  HAL
• 8 inproceedingsA.Adrien Koutsos. The 5G-AKA Authentication Protocol Privacy.EuroS&P 2019 - IEEE European Symposium on Security and PrivacyStockholm, SwedenIEEEJune 2019, 464-479
  HALDOI
• 9 inproceedingsN.Nikhil Swamy, C.Cătălin Hriţcu, C.Chantal Keller, A.Aseem Rastogi, A.Antoine Delignat-Lavaud, S.Simon Forest, K.Karthikeyan Bhargavan, C.Cédric Fournet, P.-Y.Pierre-Yves Strub, M.Markulf Kohlweiss, J. K.Jean Karim Zinzindohoué and S.Santiago Zanella-Béguelin. Dependent Types and Multi-Monadic Effects in F*.43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL)ACMJanuary 2016, 256-270
  HAL
• 10 inproceedingsJ. K.Jean Karim Zinzindohoué, K.Karthikeyan Bhargavan, J.Jonathan Protzenko and B.Benjamin Beurdouche. HACL*: A Verified Modern Cryptographic Library.Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 20172017, 1789--1806
  HAL

12.2 Publications of the year

12.3 Cited publications

• 29 articleM.Martín Abadi and B.Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs.Journal of the ACM521January 2005, 102--146URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/AbadiBlanchetJACM7037.pdf
  back to text
• 30 articleM.Martín Abadi, B.Bruno Blanchet and C.Cédric Fournet. Just Fast Keying in the Pi Calculus.ACM Transactions on Information and System Security (TISSEC)103July 2007, 1--59URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/AbadiBlanchetFournetTISSEC07.pdf
  back to text
• 31 inproceedingsC.Carmine Abate, A. A.Arthur Azevedo de Amorim, R.Roberto Blanco, A. N.Ana Nora Evans, G.Guglielmo Fachini, C.Cătălin Hriţcu, T.Théo Laurent, B. C.Benjamin C. Pierce, M.Marco Stronati and A.Andrew Tolmach. When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise.25th ACM Conference on Computer and Communications Security (CCS)ACMOctober 2018, 1351--1368URL: https://arxiv.org/abs/1802.00588
  back to text
• 32 inproceedingsC.Carmine Abate, R.Roberto Blanco, D.Deepak Garg, C.Cătălin Hriţcu, M.Marco Patrignani and J.Jérémy Thibault. Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation.32nd IEEE Computer Security Foundations Symposium (CSF)IEEEJune 2019, 256-271URL: https://arxiv.org/abs/1807.04603
  DOIback to text
• 33 inproceedingsD.Danel Ahman, C.Cătălin Hriţcu, K.Kenji Maillard, G.Guido Mart\'inez, G.Gordon Plotkin, J.Jonathan Protzenko, A.Aseem Rastogi and N.Nikhil Swamy. Dijkstra Monads for Free.44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL)ACMJanuary 2017, 515-529URL: https://www.fstar-lang.org/papers/dm4free/
  DOIback to textback to text
• 34 techreportJ.Joël Alwen, B.Bruno Blanchet, E.Eduard Hauck, E.Eike Kiltz, B.Benjamin Lipp and D.Doreen Riepel. Analysing the HPKE Standard.IACR Cryptology ePrint ArchiveNovember 2020
  HALback to text
• 35 inproceedingsA. A.Arthur Azevedo de Amorim, M.Maxime Dénès, N.Nick Giannarakis, C.Catalin Hritcu, B. C.Benjamin C. Pierce, A.Antal Spector-Zabusky and A.Andrew Tolmach. Micro-Policies: Formally Verified, Tag-Based Security Monitors.36th IEEE Symposium on Security and Privacy (Oakland S&P)IEEE Computer SocietyMay 2015, 813--830URL: http://prosecco.gforge.inria.fr/personal/hritcu/publications/micro-policies.pdf
  DOIback to text
• 36 conferenceG.Gergei Bana, P.Pedro Adaõ and H.Hideki Sakurada. Computationally Complete Symbolic Adversary and Computationally Sound Veri?cation of Security Protocols (in Japanese).Proceedings of The 30th Symposium on Cryptography and Information SecurityCD-ROM (4D1-3)Jan 2013
  back to text
• 37 inproceedingsG.Gergei Bana and H.Hubert Comon-Lundh. A Computationally Complete Symbolic Attacker for Equivalence Properties.ACM Conference on Computer and Communications Security (CCS'14)New York, NY, USAACMNov 2014, 609--620
  back to text
• 38 inproceedingsK.Karthikeyan Bhargavan, B.Bruno Blanchet and N.Nadim Kobeissi. Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate.38th IEEE Symposium on Security and PrivacySan Jose, United StatesMay 2017, 483 - 502
  HALDOIback to textback to text
• 39 inproceedingsK.Karthikeyan Bhargavan, B.Barry Bond, A.Antoine Delignat-Lavaud, C.Cédric Fournet, C.Chris Hawblitzel, C.Cătălin Hriţcu, S.Samin Ishtiaq, M.Markulf Kohlweiss, R.Rustan Leino, J.Jay Lorch, K.Kenji Maillard, J.Jianyang Pan, B.Bryan Parno, J.Jonathan Protzenko, T.Tahina Ramananandro, A.Ashay Rane, A.Aseem Rastogi, N.Nikhil Swamy, L.Laure Thompson, P.Perry Wang, S.Santiago Zanella-Béguelin and J. K.Jean Karim Zinzindohoué. Everest: Towards a Verified, Drop-in Replacement of HTTPS.2nd Summit on Advances in Programming Languages (SNAPL)May 2017, URL: http://drops.dagstuhl.de/opus/volltexte/2017/7119/pdf/LIPIcs-SNAPL-2017-1.pdf
  back to text
• 40 inproceedingsK.Karthikeyan Bhargavan, A.Antoine Delignat-Lavaud, C.Cédric Fournet, M.Markulf Kohlweiss, J.Jianyang Pan, J.Jonathan Protzenko, A.Aseem Rastogi, N.Nikhil Swamy, S.Santiago Zanella-Béguelin and J. K.Jean Karim Zinzindohoué. Implementing and Proving the TLS 1.3 Record Layer.IEEE Symposium on Security and Privacy (Oakland)2017
  back to textback to text
• 41 articleK.Karthikeyan Bhargavan, C.Cédric Fournet, R.Ricardo Corin and E.Eugen Zalinescu. Verified Cryptographic Implementations for TLS.ACM Transactions Inf. Syst. Secur.151March 2012, 3:1--3:32URL: http://doi.acm.org/10.1145/2133375.2133378
  DOIback to text
• 42 inproceedingsK.Karthikeyan Bhargavan, C.Cédric Fournet, A. D.Andrew D. Gordon and N.Nikhil Swamy. Verified implementations of the information card federated identity-management protocol.ACM Symposium on Information, Computer and Communications Security (ASIACCS)2008, 123-135
  back to text
• 43 articleB.Bruno Blanchet, M.Martín Abadi and C.Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols.Journal of Logic and Algebraic Programming751feb # -- 2008, 3--51
  back to text
• 44 inproceedingsB.Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules.14th IEEE Computer Security Foundations Workshop (CSFW'01)2001, 82--96
  back to text
• 45 articleB.Bruno Blanchet. Automatic Verification of Correspondences for Security Protocols.Journal of Computer Security174July 2009, 363--434URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/BlanchetJCS08.pdf
  back to text
• 46 articleB.Bruno Blanchet and A.Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination.Theoretical Computer Science3331-2Special issue FoSSaCS'03.March 2005, 67--90URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/BlanchetPodelskiTCS04.html
  back to text
• 47 articleD.David Cadé and B.Bruno Blanchet. Proved Generation of Implementations from Computationally Secure Protocol Specifications.Journal of Computer Security2332015, 331--402
  back to text
• 48 inproceedingsA.Antoine Delignat-Lavaud, K.Karthikeyan Bhargavan and S.Sergio Maffeis. Language-Based Defenses Against Untrusted Browser Origins.Proceedings of the 22th USENIX Security Symposium2013, URL: http://prosecco.inria.fr/personal/karthik/pubs/language-based-defenses-against-untrusted-origins-sec13.pdf
  back to text
• 49 articleD.D. Dolev and A.A.C. Yao. On the security of public key protocols.IEEE Transactions on Information TheoryIT--2921983, 198--208
  back to text
• 50 inproceedingsC.Cédric Fournet, M.Markulf Kohlweiss and P.-Y.Pierre-Yves Strub. Modular Code-Based Cryptographic Verification.ACM Conference on Computer and Communications Security2011
  back to text
• 51 unpublishedL.Liane Huttner and D.Denis Merigoux. Catala: Moving Towards the Future of Legal Expert Systems.January 2022, working paper or preprint
  HALback to text
• 52 inproceedingsL.Liane Huttner and D.Denis Merigoux. Traduire la loi en code grâce au langage de programmation Catala.Intelligence artificielle et finances publiquesNice, FranceOctober 2020
  HALback to text
• 53 inproceedingsN.Nadim Kobeissi, K.Karthikeyan Bhargavan and B.Bruno Blanchet. Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach.2nd IEEE European Symposium on Security and PrivacyParis, FranceApril 2017, 435 - 450
  HALDOIback to textback to text
• 54 inproceedingsA.Adrien Koutsos. Decidability of a Sound Set of Inference Rules for Computational Indistinguishability.32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25-28, 2019IEEE2019, 48--61URL: https://doi.org/10.1109/CSF.2019.00011
  DOIback to text
• 55 articleK.Kenji Maillard, D.Danel Ahman, R.Robert Atkey, G.Guido Martínez, C.Cătălin Hriţcu, E.Exequiel Rivas and É.Éric Tanter. Dijkstra Monads for All.PACMPL3ICFP2019, 104:1--104:29URL: https://arxiv.org/abs/1903.01237
  DOIback to text
• 56 inproceedingsD.Denis Merigoux, R.Raphaël Monat and C.Christophe Gaie. Étude formelle de l'implémentation du code des impôts.JFLA 2020 - 31ème Journées Francophones des Langages ApplicatifsGruissan, FranceJanuary 2020
  HALback to text
• 57 articleR.R.M. Needham and M.M.D. Schroeder. Using encryption for authentication in large networks of computers.Communications of the ACM21121978, 993--999
  back to text
• 58 inproceedingsM.Marina Polubelova, K.Karthikeyan Bhargavan, J.Jonathan Protzenko, B.Benjamin Beurdouche, A.Aymeric Fromherz, N.Natalia Kulatova and S.Santiago Zanella-Béguelin. HACLxN: Verified Generic SIMD Crypto (for all your favourite platforms).CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications SecurityVirtual Event, United StatesNovember 2020
  HALback to textback to text
• 59 inproceedingsJ.Jonathan Protzenko, B.Bryan Parno, A.Aymeric Fromherz, C.Chris Hawblitzel, M.Marina Polubelova, K.Karthikeyan Bhargavan, B.Benjamin Beurdouche, J.Joonwon Choi, A.Antoine Delignat-Lavaud, C.Cedric Fournet, N.Natalia Kulatova, T.Tahina Ramananandro, A.Aseem Rastogi, N.Nikhil Swamy, C.Christoph Wintersteiger and S.Santiago Zanella-Béguelin. EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider.SP 2020 - IEEE Symposium on Security and PrivacySan Francisco / Virtual, United StatesIEEEMay 2020, 983-1002
  HALDOIback to textback to text
• 60 articleJ.Jonathan Protzenko, J. K.Jean Karim Zinzindohoué, A.Aseem Rastogi, T.Tahina Ramananandro, P.Peng Wang, S.Santiago Zanella-Béguelin, A.Antoine Delignat-Lavaud, C.Cătălin Hriţcu, K.Karthikeyan Bhargavan, C.Cédric Fournet and N.Nikhil Swamy. Verified Low-Level Programming Embedded in F*.PACMPL1ICFPSeptember 2017, 17:1--17:29URL: http://arxiv.org/abs/1703.00053
  DOIback to textback to textback to text
• 61 inproceedingsT.Tahina Ramananandro, A.Antoine Delignat-Lavaud, C.Cédric Fournet, N.Nikhil Swamy, T.Tej Chajed, N.Nadim Kobeissi and J.Jonathan Protzenko. EverParse: Verified Secure Zero-Copy Parsers for Authenticated Message Formats.28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019USENIX Association2019, 1465--1482URL: https://www.usenix.org/conference/usenixsecurity19/presentation/delignat-lavaud
  back to text
• 62 inproceedingsN.Nikhil Swamy, C.Cédric Fournet, A.Aseem Rastogi, K.Karthikeyan Bhargavan, J.Juan Chen, P.-Y.Pierre-Yves Strub and G. M.Gavin M. Bierman. Gradual typing embedded securely in JavaScript.41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL)2014, 425-438URL: http://prosecco.inria.fr/personal/karthik/pubs/tsstar-popl14.pdf
  back to text
• 63 inproceedingsN.Nikhil Swamy, C.Cătălin Hriţcu, C.Chantal Keller, A.Aseem Rastogi, A.Antoine Delignat-Lavaud, S.Simon Forest, K.Karthikeyan Bhargavan, C.Cédric Fournet, P.-Y.Pierre-Yves Strub, M.Markulf Kohlweiss, J. K.Jean Karim Zinzindohoué and S.Santiago Zanella-Béguelin. Dependent Types and Multi-Monadic Effects in F*.43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL)ACMJanuary 2016, 256-270URL: https://www.fstar-lang.org/papers/mumon/
  back to textback to text
• 64 articleN.Nikhil Swamy, A.Aseem Rastogi, A.Aymeric Fromherz, D.Denis Merigoux, D.Danel Ahman and G.Guido Mart\'inez. SteelCore: an extensible concurrent separation logic for effectful dependently typed programs.Proceedings of the ACM on Programming Languages4ICFPAugust 2020, 1-30
  HALDOIback to text
• 65 inproceedingsJ. K.Jean Karim Zinzindohoué, K.Karthikeyan Bhargavan, J.Jonathan Protzenko and B.Benjamin Beurdouche. HACL*: A Verified Modern Cryptographic Library.Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 20172017, 1789--1806URL: http://doi.acm.org/10.1145/3133956.3134043
  back to textback to text