- A1.1. Architectures
- A1.1.8. Security of architectures
- A1.2. Networks
- A1.2.8. Network security
- A1.3. Distributed Systems
- A2. Software
- A2.1. Programming Languages
- A2.1.1. Semantics of programming languages
- A2.1.4. Functional programming
- A2.1.7. Distributed programming
- A2.1.11. Proof languages
- A2.2. Compilation
- A2.2.1. Static analysis
- A2.2.5. Run-time systems
- A2.4. Formal method for verification, reliability, certification
- A2.4.2. Model-checking
- A2.4.3. Proofs
- A2.5. Software engineering
- A4. Security and privacy
- A4.3. Cryptography
- A4.3.3. Cryptographic protocols
- A4.5. Formal methods for security
- A4.6. Authentication
- A4.8. Privacy-enhancing technologies
- B6. IT and telecom
- B6.1. Software industry
- B6.1.1. Software engineering
- B6.3. Network functions
- B6.3.1. Web
- B6.3.2. Network protocols
- B6.4. Internet of things
- B9. Society and Knowledge
- B9.10. Privacy
1 Team members, visitors, external collaborators
- Karthikeyan Bhargavan [Team leader, INRIA, Senior Researcher, HDR]
- Bruno Blanchet [INRIA, Senior Researcher, HDR]
- Vincent Cheval [INRIA, Researcher]
- Aymeric Fromherz [INRIA, Researcher]
- Adrien Koutsos [INRIA, Researcher]
- Denis Merigoux [INRIA, Starting Research Position]
- Kristina Sojakova [INRIA, Starting Research Position, Break from July-Sep 2022]
- Lucas Franceschino [INRIA, from Feb 2022]
- Charlie Jacomme [INRIA, from Feb 2022]
- Alain Delaet–Tixeuil [ENS DE LYON, Break in Sep 2022]
- Son Ho [INRIA]
- Theo Laurent [INRIA]
- Justine Sauvage [INRIA, until Jan 2022]
- Theophile Wallez [INRIA]
- Sidney Congard [Inria, Engineer, from May 2022]
- Louis Gesbert [Inria, Engineer, from May 2022]
- Paul-Nicolas Madelaine [Inria, Engineer]
- Antonin Reitz [INRIA, Engineer]
Interns and Apprentices
- Justine Sauvage [INRIA, from Sep 2022]
- Christelle Guiziou [INRIA]
- Scheherazade Rouag [INRIA, until Nov 2022]
- Marie Alauzen [LISIS, from Jun 2022]
- Benjamin Beurdouche [MOZILLA]
- Franziskus Kiefer [CRYSPEN, from Aug 2022]
- Damian Poddebniak [CRYPTOENG UG, from Aug 2022]
- Jonathan Protzenko [MICROSOFT RESEARCH]
2 Overall objectives
2.1 Programming securely with cryptography
In recent years, an increasing amount of sensitive data is being generated, manipulated, and accessed online, from bank accounts to health records. Both national security and individual privacy have come to rely on the security of web-based software applications. But even a single design flaw or implementation bug in an application may be exploited by a malicious criminal to steal, modify, or forge the private records of innocent users. Such attacks are becoming increasingly common and now affect millions of users every year.
The risks of deploying insecure software are too great to tolerate anything less than mathematical proof, but applications have become too large for security experts to examine by hand, and automated verification tools do not scale. Today, there is not a single widely-used web application for which we can give a proof of security, even against a small class of attacks. In fact, design and implementation flaws are still found in widely-distributed and thoroughly-vetted security libraries designed and implemented by experts.
Software security is in crisis. A focused research effort is needed if security programming and analysis techniques are to keep up with the rapid development and deployment of security-critical distributed applications based on new cryptographic protocols and secure hardware devices. The goal of our team Prosecco is to draw upon our expertise in cryptographic protocols and program verification to make decisive contributions in this direction.
Our vision is that, over its lifetime, Prosecco will contribute to making the use of formal techniques when programming with cryptography as natural as the use of a software debugger. To this end, our long-term goals are to design and implement programming language abstractions, cryptographic models, verification tools, and verified security libraries that developers can use to deploy provably secure distributed applications. Our target applications include cryptographic libraries, network protocol implementations, web applications, and cloud-based web services. In particular, we aim to verify full software applications, including both the cryptographic core and the high-level application code. Furthermore, we aim to verify implementations, not just models. Finally, we aim to account for computational cryptography, not just its symbolic abstraction.
We identify five key focus areas for our research in the short- to medium term.
New programming languages for verified software
Building realistic verified applications requires new programming languages that enable the systematic development of efficient software hand-in-hand with their proofs of correctness. Our current focus is on designing and implementing the programming language F*, in collaboration with Microsoft Research. F* (pronounced F star) is a general-purpose functional programming language with a state-of-the-art type-and-effect system aimed at program verification. Its type system includes polymorphism, dependent types, monadic effects, refinement types, and a weakest precondition calculus. Together, these features allow expressing precise and compact specifications for programs, including functional correctness and security properties. The F* type-checker aims to prove that programs meet their specifications using a combination of SMT solving and interactive proofs. Programs written in F* can be translated to efficient OCaml, F#, or C for execution. The main ongoing use case of F* in our group is HACL*, a verified cryptographic library, and DY*, a framework for verifying protocol implementations.
Symbolic verification of cryptographic applications
We aim to develop our own security verification tools for models and implementations of cryptographic protocols and security APIs using symbolic cryptography. Our starting point is the tools we have previously developed: the specialized cryptographic prover ProVerif and the F* verification system. These tools are already used to verify industrial-strength cryptographic protocol implementations and commercial cryptographic hardware. We plan to extend and combine these approaches to capture more sophisticated attacks on applications consisting of protocols, software, and hardware, as well as to prove symbolic security properties for such composite systems.
Computational verification of cryptographic applications
We aim to develop our own cryptographic application verification tools that use the computational model of cryptography. The tools include the computational prover CryptoVerif, and the F* verification system. Working together, we plan to extend these tools to analyze, for the first time, cryptographic protocols, security APIs, and their implementations under fully precise cryptographic assumptions. We also plan to pursue links between symbolic and computational verification, such as computational soundness results that enable computational proofs by symbolic techniques.
Efficient formally secure compilers for tagged architectures
We aim to leverage emerging hardware capabilities for fine-grained protection to build the first, efficient secure compilation chains for realistic low-level programming languages (the C language, and Low* a safe subset of C embedded in F* for verification). These compilation chains will provide a secure semantics for all programs and will ensure that high-level abstractions cannot be violated even when interacting with untrusted low-level code. To achieve this level of security without sacrificing efficiency, our secure compilation chains target a tagged architecture, which associates a metadata tag to each word and efficiently propagates and checks tags according to software-defined rules.
Building provably secure web applications
3 Research program
3.1 Symbolic verification of cryptographic applications
Despite decades of experience, designing and implementing cryptographic applications remains dangerously error-prone, even for experts. This is partly because cryptographic security is an inherently hard problem, and partly because automated verification tools require carefully-crafted inputs and are not widely applicable. To take just the example of TLS, a widely-deployed and well-studied cryptographic protocol designed, implemented, and verified by security experts, the lack of a formal proof about all its details has regularly led to the discovery of major attacks (including several in Prosecco) on both the protocol and its implementations, after many years of unsuspecting use.
As a result, the automated verification for cryptographic applications is an active area of research, with a wide variety of tools being employed for verifying different kinds of applications.
In previous work, we have developed the following approaches:
- ProVerif: a symbolic prover for cryptographic protocol models
- F*: a new language that enables the verification of cryptographic applications
Verifying cryptographic protocols with ProVerif
Given a model of a cryptographic protocol, the problem is to verify that an active attacker, possibly with access to some cryptographic keys but unable to guess other secrets, cannot thwart security goals such as authentication and secrecy 71; it has motivated a serious research effort on the formal analysis of cryptographic protocols, starting with 60 and eventually leading to effective verification tools, such as our tool ProVerif.
To use ProVerif, one encodes a protocol model in a formal language, called the applied pi-calculus, and ProVerif abstracts it to a set of generalized Horn clauses. This abstraction is a small approximation: it just ignores the number of repetitions of each action, so ProVerif is still very precise, more precise than, say, tree automata-based techniques. The price to pay for this precision is that ProVerif does not always terminate; however, it terminates in most cases in practice, and it always terminates on the interesting class of tagged protocols57. ProVerif can handle a wide variety of cryptographic primitives, defined by rewrite rules or by some equations, and prove a wide variety of security properties: secrecy 55, 37, correspondences (including authentication) 56, and observational equivalences 54. Observational equivalence means that an adversary cannot distinguish two processes (protocols); equivalences can be used to formalize a wide range of properties, but they are particularly difficult to prove. Even if the class of equivalences that ProVerif can prove is limited to equivalences between processes that differ only by the terms they contain, these equivalences are useful in practice and ProVerif has long been the only tool that proves equivalences for an unbounded number of sessions. (Maude-NPA in 2014 and Tamarin in 2015 adopted ProVerif's approach to proving equivalences.)
Using ProVerif, it is now possible to verify large parts of industrial-strength protocols, such as TLS 49, Signal 66, JFK 38, and Web Services Security 53, against powerful adversaries that can run an unlimited number of protocol sessions, for strong security properties expressed as correspondence queries or equivalence assertions. ProVerif is used by many teams at the international level, and has been used in more than 140 research papers (references).
Verifying cryptographic applications using F*
Verifying the implementation of a protocol has traditionally been considered much harder than verifying its model. This is mainly because implementations have to consider real-world details of the protocol, such as message formats 75, that models typically ignore. So even if a protocol has been proved secure in theory, its implementation may be buggy and insecure. However, with recent advances in both program verification and symbolic protocol verification tools, it has become possible to verify fully functional protocol implementations in the symbolic model. One approach is to extract a symbolic protocol model from an implementation and then verify the model, say, using ProVerif. This approach has been quite successful, yielding a verified implementation of TLS in F# 52. However, the generated models are typically quite large and whole-program symbolic verification does not scale very well.
An alternate approach is to develop a verification method directly for implementation code, using well-known program verification techniques. Our current focus is on designing and implementing the programming language F* 77, 41, 67, in collaboration with Microsoft Research. F* is an ML-like functional programming language aimed at program verification. Its type system includes polymorphism, dependent types, monadic effects, refinement types, and a weakest precondition calculus. Together, these features allow expressing precise and compact specifications for programs, including functional correctness and security properties. The F* type-checker aims to prove that programs meet their specifications using a combination of SMT solving and interactive proofs. Programs written in F* can be translated to efficient OCaml, F#, or C for execution 74. The main ongoing use case of F* is building a verified, drop-in replacement for the whole HTTPS stack in Project Everest 50 (a larger collaboration with Microsoft Research). This includes a verified implementation of TLS 1.2 and 1.3 51 and of the underlying cryptographic primitives 79. More recently, we have built a new symbolic protocol verification framework in F* called DY* 48 and used it to verify real-world cryptographic protocols like Signal, ACME and Noise.
3.2 Computational verification of cryptographic applications
Proofs done by cryptographers in the computational model are mostly manual. Our goal is to provide computer support to build or verify these proofs. In order to reach this goal, we have designed the automatic tool CryptoVerif, which generates proofs by sequences of games. We already applied it to important protocols such as TLS 49 and Signal 66 but more work is still needed in order to develop this approach, so that it is easier to apply to more protocols.
Another tool we develop, called the Squirrel Prover, uses a symbolic approach called the compuatationally complete symbolic adversary (CCSA) 45 to verify cryptographic protocols in the computational model. Squirrel is an interactive theorem prover, hence provides less automation than CryptoVerif, but allows the user to guide the proof more easily when complex arguments are needed; and it is better-suited for some protocols, notably for stateful protocols.
A third approach is to directly verify executable cryptographic code by typing. A recent work 61 shows how to use refinement typechecking to prove computational security for protocol implementations. In this method, henceforth referred to as computational F*, typechecking is used as the main step to justify a classic game-hopping proof of computational security. The correctness of this method is based on a probabilistic semantics of F# programs and crucially relies on uses of type abstraction and parametricity to establish strong security properties, such as indistinguishability.
In principle, the three approaches—game-based proofs in CryptoVerif, interactive proofs in Squirrel, and typechecking proofs in F*—are complementary. Understanding how to combine these approaches remains an open and active topic of research. For example, CryptoVerif can generate OCaml implementations from CryptoVerif specifications that have been proved secure 58. We are currently working on this approach to generate implementations in F*.
3.3 F*: A Higher-Order Effectful Language for Program Verification
F* 77, 41 is a verification system for effectful programs developed collaboratively by Inria and Microsoft Research. It puts together the automation of an SMT-backed deductive verification tool with the expressive power of a proof assistant based on dependent types. After verification, F* programs can be extracted to efficient OCaml, F#, or C code 74. This enables verifying the functional correctness and security of realistic applications. F*'s type system includes dependent types, monadic effects, refinement types, and a weakest precondition calculus. Together, these features allow expressing precise and compact specifications for programs, including functional correctness and security properties. The F* type-checker aims to prove that programs meet their specifications using a combination of SMT solving and interactive proofs. The main ongoing use case of F* is building a verified, drop-in replacement for the whole HTTPS stack in Project Everest. This includes verified implementations of TLS 1.2 and 1.3 51 and of the underlying cryptographic primitives 79, 73, 72.
3.4 Efficient Formally Secure Compilers to a Tagged Architecture
Severe low-level vulnerabilities abound in today’s computer systems, allowing cyber-attackers to remotely gain full control. This happens in big part because our programming languages, compilers, and architectures were designed in an era of scarce hardware resources and too often trade off security for efficiency. The semantics of mainstream low-level languages like C is inherently insecure, and even for safer languages, establishing security with respect to a high-level semantics does not guarantee the absence of low-level attacks. Secure compilation using the coarse-grained protection mechanisms provided by mainstream hardware architectures would be too inefficient for most practical scenarios.
We aim to leverage emerging hardware capabilities for fine-grained protection to build the first, efficient secure compilation chains for realistic low-level programming languages (the C language, and Low* a safe subset of C embedded in F* for verification 74). These compilation chains will provide a secure semantics for all programs and will ensure that high-level abstractions cannot be violated even when interacting with untrusted low-level code. To achieve this level of security without sacrificing efficiency, our secure compilation chains target a tagged architecture 42, which associates a metadata tag to each word and efficiently propagates and checks tags according to software-defined rules. We hope to experimentally evaluate and carefully optimize the efficiency of our secure compilation chains on realistic workloads and standard benchmark suites. We are also using property-based testing and formal verification to provide high confidence that our compilation chains are indeed secure. Formally, we are constructing machine-checked proofs of a new security criterion we call robustly safe compilation, which is defined as the preservation of safety properties even against an adversarial context 40, 39. This strong criterion complements compiler correctness and ensures that no machine-code attacker can do more harm to securely compiled components than a component already could with respect to a secure source-level semantics.
3.5 Provably secure web applications
Web applications are fast becoming the dominant programming platform for new software, probably because they offer a quick and easy way for developers to deploy and sell their apps to a large number of customers. Third-party web-based apps for Facebook, Apple, and Google, already number in the hundreds of thousands and are likely to grow in number. Many of these applications store and manage private user data, such as health information, credit card data, and GPS locations. To protect this data, applications tend to use an ad hoc combination of cryptographic primitives and protocols. Since designing cryptographic applications is easy to get wrong even for experts, we believe this is an opportune moment to develop security libraries and verification techniques to help web application programmers.
As a typical example, consider commercial password managers, such as LastPass, RoboForm, and 1Password. They are implemented as browser-based web applications that, for a monthly fee, offer to store a user's passwords securely on the web and synchronize them across all of the user's computers and smartphones. The passwords are encrypted using a master password (known only to the user) and stored in the cloud. Hence, no-one except the user should ever be able to read her passwords. When the user visits a web page that has a login form, the password manager asks the user to decrypt her password for this website and automatically fills in the login form. Hence, the user no longer has to remember passwords (except her master password) and all her passwords are available on every computer she uses.
3.6 Design and Verification of next-generation protocols: identity, blockchains, and messaging
Building on our work on verifying and re-designing pre-existing protocols like TLS and Web Security in general, with the resources provided by the NEXTLEAP project, we are working on both designing and verifying new protocols in rapidly emerging areas like identity, blockchains, and secure messaging. These are all areas where existing protocols, such as the heavily used OAuth protocol, are in need of considerable re-design in order to maintain privacy and security properties. Other emerging areas, such as blockchains and secure messaging, can have modifications to existing pre-standard proposals or even a complete 'clean slate' design. As shown by Prosecco's work, newer standards, such as IETF OAuth, W3C Web Crypto, and W3C Web Authentication API, can have vulnerabilities fixed before standardization is complete and heavily deployed. We hope that the tools used by Prosecco can shape the design of new protocols even before they are shipped to standards bodies. We are currently contributing to the design and analysis of new extensions to the TLS protocol, such as Encrypted Client Hello, new secure messaging protocol such as IETF Messaging Layer Security (MLS), and to IoT protocols like the IETF Lightweight Authenticated Key Exchange (LAKE).
4 Application domains
4.1 High-Assurance Cryptographic Libraries
Cryptographic libraries implement algorithms for symmetric and asymmetric encryption, digital signatures, message authentication, hashing, and key exchange. Popular libraries like OpenSSL, NSS, and BoringSSL are widely used in web browsers, operating system, and cloud services. We aim to apply our tools and verification techniques to build high-assurance high-performance cryptographic libraries that can be deployed in mainstream software applications. Our flagship project is HACL*, a verified cryptographic library that is written in the F* programming language.
4.2 Design and Analysis of Protocol Standards
Cryptographic protocol standards such as TLS, SSH, IPSec, and Kerberos are the trusted base on which the security of modern distributed systems is built. Our work enables the analysis and verification of such protocols, both in their design and implementation. We participate in standards organizations like the IETF and collaborate with industry groups to help them design and deploy secure protocols. For example, we built and verified models and reference implementations for the well-known TLS 1.3 protocol, using our tools ProVerif and CryptoVerif, before it was standardaized at he IETF and contributed to the protocol's final design.
4.3 Web application security
5 Social and environmental responsibility
5.1 Footprint of research activities
Our team's work focuses on the design, analysis, and implementation of cryptographic protocols. As such, we are dedicated to improving the security and privacy of all Web users. The output of our research is used, for example, to protect HTTPS connections used daily by millions of Mozilla Firefox users. On the whole, we strive to perform ethical research that improves the digital lives of citizens everywhere.
Our research does not by itself have any environmental impact, but our team does travel to conferences, and we regularly host international visitors, which incurs multiple international flights each year.
6 Highlights of the year
This year, we recruited one permanent member (Aymeric Fromherz) and one SRP (Denis Merigoux), 3 of our PhD students defended their theses and graduated, we published 12 papers in leading conferences and journals in our area, and many of our members won research awards, as detailed below.
- Adrien Koutsos won a Distinguished Paper Award at IEEE Computer Security Foundations Symposium
- Denis Merigoux won the Prix de thèse Gilles Kahn for his Ph.D. dissertation
- Aymeric Fromherz won the ACM SIGSAC Dissertation award and the A.G. Milnes Award for his Ph.D. dissertation
- Karthikeyan Bhargavan was awarded an ERC Proof Of Concept Grant (Cryspen)
7 New software and platforms
7.1 New software
Cryptographic protocol verifier in the computational model
Security, Verification, Cryptographic protocol
CryptoVerif is an automatic protocol prover sound in the computational model. In this model, messages are bitstrings and the adversary is a polynomial-time probabilistic Turing machine. CryptoVerif can prove secrecy and correspondences, which include in particular authentication. It provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, and Diffie-Hellman key agreements. It also provides an explicit formula that gives the probability of breaking the protocol as a function of the probability of breaking each primitives, this is the exact security framework.
News of the Year:
The main new features of the year are:
1) Allow saving and showing executed interactive commands (command-line option -ocommands, interactive commands show_commands and out_commands)
2) Extended the "guess" transformation to be able to guess any variable, not only replication indices, and to guess the whole sequence of replication indices up to a replication. Also extended the "guess" transformation to deal with injective correspondences, by proving injectivity and leaving a non-injective query to prove.
3) New command "guess_branch" to guess which branch of a test (if, find, let) is taken at a certain program point.
4) New probability formula #(O foreach a) (number of calls to oracle O for each value of a, where a can be random variable or a sequence of replication indices).
5) Allow common events introduced by insert_event or insert in both sequences of games of an indistinguishability proof.
These changes are included in CryptoVerif version 2.06 available at https://cryptoverif.inria.fr.
We have work in progress on links between CryptoVerif and EasyCrypt (by Bruno Blanchet, Pierre Boutry, Christian Doczkal, Benjamin Grégoire, and Pierre-Yves Strub) and between CryptoVerif and F* (by Karthikeyan Bhargavan, Bruno Blanchet, and Benjamin Lipp).
Bruno Blanchet, David Cadé
Programming language, Software Verification
F* continues to evolve and is actively developed on GitHub (https://github.com/FStarLang/FStar). This year, we continued working on the stateful core of F* using a new formal foundation called Steel (which was published at ICFP 2020 and ICFP 2021) and on improving the libraries and tooling of F* to support meta-programming, which is heavily used in the EverCrypt and HACL* projects. We also use F* to implement a symbolic protocol verification framework called DY* and apply it to verified cryptographic software like Noise*.
Antoine Delignat-Lavaud, Catalin Hritcu, Cedric Fournet, Chantal Keller, Karthikeyan Bhargavan, Pierre-Yves Strub
Cryptographic protocol, Software Verification
miTLS is a verified reference implementation of the TLS protocol. Our code fully supports its wire formats, ciphersuites, sessions and connections, re-handshakes and resumptions, alerts and errors, and data fragmentation, as prescribed in the RFCs, it interoperates with mainstream web browsers and servers. At the same time, our code is carefully structured to enable its modular, automated verification, from its main API down to computational assumptions on its cryptographic algorithms.
There was no new development on this project this year.
Alfredo Pironti, Antoine Delignat-Lavaud, Cedric Fournet, Jean-Karim Zinzindohoué, Karthikeyan Bhargavan, Pierre-Yves Strub, Santiago Zanella
Security, Verification, Cryptographic protocol
ProVerif is an automatic security protocol verifier in the symbolic model (so called Dolev-Yao model). In this model, cryptographic primitives are considered as black boxes. This protocol verifier is based on an abstract representation of the protocol by Horn clauses. Its main features are:
It can verify various security properties (secrecy, authentication, process equivalences).
It can handle many different cryptographic primitives, specified as rewrite rules or as equations.
It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space.
News of the Year:
There was no new release of ProVerif in 2022. A paper by Bruno Blanchet, Vincent Cheval, and Véronique Cortier about important extensions released in 2021 (lemmas, fast subsumption, ...) was published at Security and Privacy 2022 17. We are working on many extensions (liveness properties, hash consing to save memory, more equational theories, ...). Stay tuned!
Bruno Blanchet, Marc Sylvestre, Vincent Cheval
High Assurance Cryptography Library
Cryptography, Software Verification
HACL* is a formally verified cryptographic library in F*, developed by the Prosecco team at INRIA Paris in collaboration with Microsoft Research, as part of Project Everest.
HACL stands for High-Assurance Cryptographic Library and its design is inspired by discussions at the HACS series of workshops. The goal of this library is to develop verified C reference implementations for popular cryptographic primitives and to verify them for memory safety, functional correctness, and secret independence.
New in 2020: In 2020, we worked on two major updates to the HACL* library
(1) EverCrypt: We built a new cryptographic provider called EverCrypt that combines verified C code from HACL* with verified Intel assembly code from the Vale projects and integrates them under a verified agile multiplexed API that seamlessly works across multiple platforms. The resulting verified code provides best-in-class performance for popular primitives like AES-GCM and X25519. This work resulted in a paper at IEEE S&P 2020 and a new HACL* release. The resulting code was deployed in the Linux kernel, Mozilla Firefox, WireGuard VPN, and Microsoft MsQuic.
(2) HACLxN: We developed a new methodology for writing and verifying generic SIMD crypto code that can be compiled to efficient code on multiple platforms that support vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We used this methodology to develop high-performance verified SIMD implementations for Chacha20-Poly1305, Blake2, and SHA-2. This work resulted in a paper at ACM CCS 2020 and a new HACL* release. The resulting code is deployed in Mozilla Firefox and Tezos Blockchain.
New in 2021: We added new primitives to HACL* including RSA-PSS and FFDHE, along with a generic verified Bignum library. We also added support for IBMz and Power architectures.
New in 2022: We moved HACL* to its own GitHub organization and set up a governance structure and a core team of maintainers. We made many usability changes to the library, including a new packaging infrastructure in collaboration with Cryspen, funded as part of an ERC Proof-of-Concept grant.
In France, income tax is computed from taxpayers' individual returns, using an algorithm that is authored, designed and maintained by the French Public Finances Directorate (DGFiP). This algorithm relies on a legacy custom language and compiler originally designed in 1990, which unlike French wine, did not age well with time. Owing to the shortcomings of the input language and the technical limitations of the compiler, the algorithm is proving harder and harder to maintain, relying on ad-hoc behaviors and workarounds to implement the most recent changes in tax law. Competence loss and aging code also mean that the system does not benefit from any modern compiler techniques that would increase confidence in the implementation. We overhaul this infrastructure and present Mlang, an open-source compiler toolchain whose goal is to replace the existing infrastructure. Mlang is based on a reverse-engineered formalization of the DGFiP's system, and has been thoroughly validated against the private DGFiP test suite. As such, Mlang has a formal semantics, eliminates previous handwritten workarounds in C, compiles to modern languages (Python), and enables a variety of instrumentations, providing deep insights about the essence of French income tax computation. The DGFiP is now officially transitioning to Mlang for their production system.
Denis Merigoux, Raphaël Monat
Direction Générale des Finances Publiques (DGFiP)
Specification language, Rust
Hacspec is a domain specific language embedded inside Rust geared towards cryptographic specifications. It allows easier communication between formal methods experts and cryptographers that write their implementations in Rust. Hacspec compiles to various proof backends including F* and Coq.
In 2022, we significantly improved the tools around hacspec to accept a larger subset of Rust. hacspec now has working compilers to F* and Coq, with an EasyCrypt backend in the works. Hacspec was also used to specify many cryptographic constructions by groups at Inria and Aarhus, with some of these specifications being used as part of standardization efforts.
Concordium Blockchain Research Center, Aarhus University, Denmark, Université de Porto
Domain specific, Programming language, Law
Catala is a domain-specific programming language designed for deriving correct-by-construction implementations from legislative texts. Its specificity is that it allows direct translation from the text of the law using a literate programming style, that aims to foster interdisciplinary dialogue between lawyers and software developers. By enjoying a formal specification and a proof-oriented design, Catala also opens the way for formal verification of programs implementing legislative specifications.
- Performance improvements - Better error message formatting - New Markdown syntax - Better lexer factorization - ...
Proof assistant, Cryptography
EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of game-based cryptographic proofs. EasyCrypt can also be used for reasoning about differential privacy.
News of the Year:
In 2021, Benjamin Gregoire, Adrien Koutsos and Pierre-Yves Strub extended the EasyCrypt proof assistant to reason about complexity, by adding a Hoare logic to prove computational complexity (execution time and oracle calls) of adversarial computations. This Hoare logic is built on top of EasyCrypt module system used to model adversaries, which has been extended to support complexity restrictions.
Benjamin Grégoire, Gilles Barthe, Pierre-Yves Strub, Adrien Koutsos
Proof assistant, Cryptographic protocol
Squirrel is a proof assistant based designed to prove that security protocols are computationally secure. It is based on a meta-logic built above CCSA logic.
Squirrel allows to specify security protocol in a variant of the applied pi-calculus, and handles unbounded replication and stateful protocols. It can be used to prove both correspondence (e.g. authentication) and equivalence security properties (e.g. strong secrecy, unlinkability).
News of the Year:
In 2021, Adrien Koutsos made several new improvements to the Squirrel prover: i) improved user interface, with the addition of an include system and a small general purpose library, better error messages, and a type system, ii) a new mode allowing for explicit handling of proof contexts (e.g. explicit variable and hypothesis naming, structured proofs), which permit to have more stable and maintainable proofs, iii) advanced tactics (rewrite, apply, rewriting hints) supporting a proof style a la SSReflect, which help reduce user inputs.
In 2022, David Baelde, Stéphanie Delaune, Adrien Koutsos and Solène Moreau extended the Squirrel prover with: - support for stateful protocols - an improved two-layered logic allowing to mix reachability and equivalence reasonings - a bi-deduction proof system, which can be used to automatically simplify or close proof goals involving deducibility arguments.
David Baelde, Stephanie Delaune, Charlie Jacomme, Solene Moreau, Adrien Koutsos
IRISA, ENS Rennes
7.2 New platforms
No new platforms in 2022
8 New results
8.1 Verification of security protocols in the symbolic model: ProVerif
Participants: Bruno Blanchet, Vincent Cheval.
Bruno Blanchet, Vincent Cheval, and Véronique Cortier published a paper at IEEE Security and Privacy 2022 17 on important improvements of ProVerif: 1) support for integer counters, with incrementation and inequality tests, 2) lemmas and axioms to give intermediate results to ProVerif, which it exploits to help proving subsequent queries, by deriving additional information in the Horn clauses that it uses to perform the proofs, 3) proofs by induction on the length of the trace, by giving as lemma the property to prove, but obviously for strictly shorter traces, 4) temporal queries, which allow to order events. The soundness of these features is proved (by hand). Moreover, many algorithms used in ProVerif (generation of clauses, resolution, subsumption ...) were optimized, resulting in impressive speedups on large examples.
8.2 Verification of security protocols in the computational model: CryptoVerif
Participants: Karthikeyan Bhargavan, Bruno Blanchet, Benjamin Lipp.
Bruno Blanchet continued the development of our protocol verification tool CryptoVerif. The new features of this year are detailed in the section on software. We used the recent extensions to deal with security proofs in the presence of compromise of keys, filling gaps in important previous case studies: in particular, we proved forward secrecy with respect to the compromise of the pre-shared key in the PSK-DHE (pre-shared key and Diffie-Hellman) key exchange of TLS 1.3 and in the VPN protocol WireGuard.
Benjamin Lipp, Bruno Blanchet, and Karthikeyan Bhargavan implemented a compiler from CryptoVerif models to executable F* implementations. This compiler extends a previous translation from CryptoVerif to OCaml by generating lemmas for equational assumptions made on primitives in CryptoVerif. These assumptions can then be proved in F*. For instance, we prove that message parsing composed with the corresponding serialization is the identity. In the future, we plan to translate the security properties proved by CryptoVerif into F*, so that these properties can be assumed in subsequent F* proofs.
In collaboration with Pierre-Yves Strub (Ecole Polytechnique), Pierre Boutry, Benjamin Grégoire (Inria Sophia), and Christian Doczkal (MPI-SP), team member Bruno Blanchet worked on a translation from CryptoVerif security assumptions on primitives to EasyCrypt. These assumptions can then be proven in EasyCrypt from lower-level cryptographic assumptions. This is useful since CryptoVerif provides a high degree of automation but is better at proving protocols than primitives, while EasyCrypt has the expressive power needed to reason both about protocols and about the correctness of primitives, but this expressive power comes at the cost of providing less automation. Hence, proving primitives in EasyCrypt and protocols in CryptoVerif provides the best trade-off. We applied our approach to the proof of the Computational Diffie-Hellman (CDH) and Gap Diffie-Hellman (GDH) models in CryptoVerif (which include several Diffie-Hellman pairs and allow key compromise) from the standard CDH, resp. GDH, assumption for one Diffie-Hellman pair. We also applied it to an authenticated Key Encapsulation Mechanism (AKEM).
8.3 Verification of Security Protocols in the Computational Model: Squirrel
Participants: Adrien Koutsos, Charlie Jacomme.
In collaboration with David Baelde, Stephanie Delaune, Charlie Jacomme and Solene Moreau, Adrien Koutsos designed a new framework and an interactive prover – the Squirrel Prover – allowing to mechanize proofs of security protocols for an arbitrary number of sessions in the computational model. This framework consists of a meta-logic based upon the CCSA logic 46, and a proof system for deriving security properties. Proofs in Squirrel only deal with high-level, symbolic representations of protocol executions, similar to proofs in the symbolic model, but providing security guarantees at the computational level. We have performed a number of case studies in Squirrel, covering a variety of primitives (e.g. hashes, encryption) and security properties (e.g. authentication, unlinkability). This work has been published at IEEE Security and Privacy 2021 43, and the Squirrel Prover is open source, and continues to be developed.
Squirrel approach to protocol security is complementary w.r.t. existing tools in the computational model (e.g. CryptoVerif or EasyCrypt). Squirrel particularly shines when analyzing stateful protocols (i.e. protocols with mutable state such as key updates, counters, etc.), which are often out-of-reach of existing tools, or require a very large amount of work. Work in that direction started, and early results have been presented at the LFMTP'21 workshop 44.
In 2022, we finished our extention of the tool to handle stateful protocols. We also extended Squirrel's proof system to be able to express the complex proof arguments that are sometimes required for these protocols: i) Squirrel now supports arguments mixing reachability and equivalence reasoning; ii) we added a bi-deduction proof system, which can be used to automatically simplify or close proof goals involving deducibility arguments. These theoretical contributions have been implemented in Squirrel and validated on a number of case studies, including a proof of the YubiKey and YubiHSM protocols. This work has been published at the IEEE Computer Security Foundations Symposium 2022 14, where it won a Distinguished Paper Award.
8.4 High-Assurance High-Performance Crypto
Participants: Karthikeyan Bhargavan, Marina Polubelova, Benjamin Beurdouche, Natalia Kulatova, Jonathan Protzenko, Adrien Koutsos, Aymeric Fromherz.
Since 2017, we maintain and distribute the HACL* verified cryptographic library, which is currently deployed in many mainstream software applications and high-performance networking stacks including Mozilla Firefox, Linux Kernel, WireGuard VPN, Microsoft WinQuic, Tezos Blockchain, and ElectionGuard.
While HACL* includes best-in-class C implementations of many popular cryptographic algorithms, on certain platforms, significantly improved performance can be obtained by exploiting low-level instructions that are only available to assembly code. The EverCrypt API brings together verified C code from HACL* with verified Intel assembly code from the Vale project and packages them in a verified multiplexed agile API that can be conveniently used by applications. Our work resulted in a new release of HACL* and a paper at the IEEE Security and Privacy conference 73.
In a second line of work, we propose a new methodology called HACLxN for building formally verified cryptographic code that exploits single-instruction multiple data (SIMD) parallelism. We show how to write and verify code once and then compile it to multiple platforms that support vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We apply our methodology to obtain verified vectorized implementations in C on all these platforms for the ChaCha20 encryption algorithm, the Poly1305 one-time MAC, and the SHA-2 and Blake2 families of hash algorithms. The resulting C code has performance that is comparable to hand-optimized assembly for these platforms. This work led to a new release of HACL* and a paper at ACM CCS 2020 72. This year we extended HACL* with code for more primitives, such as RSA-PSS and FFDHE, based on a generic verified Bignum library. We also added support for IBMz and Power architectures.
High-assurance cryptography aims at building efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics does not correspond to the behavior of modern processors, that make use of speculative execution to improve performance. This semantics mismatch has been exploited to conduct attacks (e.g. Spectre). In a new line of work, published at IEEE Security and Privacy 2021 47, we showed that the benefits of high-assurance cryptography can be extended to speculative execution, costing only a modest performance overhead. To do this, we built atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution. This approach has been validated experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which have been proved secure against both traditional timing and speculative execution attacks.
8.5 Verification of cryptographic protocol implementations in the symbolic model: the DY* framework
Participants: Karthikeyan Bhargavan.
In collaboration with colleagues at the University of Stuttgart and IIT Gandhinagar, we developed DY*, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks.
Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.
DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.
The design of DY* and a detailed analysis of Signal was published at IEEE Euro S&P 2021 48. This year, we applied DY* to the formal analysis of the Noise family of cryptographic protocols, which was publised at IEEE S&P 2022 21.
8.6 Extensions to F*
Participants: Aymeric Fromherz, Denis Merigoux.
Since 2010, our group contributes to the design, implementation, and application of the F* programming language and verification work.
In 2020, we developed a semantics for concurrent separation logic (CSL), called SteelCore, within the F* proof assistant in a manner that enables dependently-typed, effectful F* programs to make use of concurrency and to be specified and verified using a full-featured, extensible CSL. In contrast to prior approaches, we directly derive the partial-correctness Hoare rules for CSL from the denotation of computations in the effectful semantics of non-deterministically interleaved atomic actions. Demonstrating the flexibility of our semantics, we build generic, verified libraries that support various concurrency constructs, ranging from dynamically allocated, storable spin locks, to protocol-indexed channels. This work has led to on ongoing re-architecture of the core of the F* framework, and was published at ICFP 2020 78.
This work was extended to provide a framework, called Steel 62, for developing and proving concurrent programs embedded in F*. Building on top of the SteelCore concurrent separation logic, Steel proposes a new formalism of Hoare quintuples which involve both separation logic and first-order logic, and enable an efficient verification condition generation and proof discharge using a combination of tactics and SMT solving. We show how verification conditions in Steel can be expressed as a system of associativity-commutativity (AC) unification constraints and develop tactics to (partially) solve these constraints using AC-matching modulo SMT-dischargeable equations. This work was published at ICFP 2021 62.
New work this year focused on the development of core libraries and improved usability of the framework, which led to a demonstration at the JFLA 2022 25.
8.7 Formalizing and Implementing Tax Law
Participants: Denis Merigoux, Aymeric Fromherz.
In France, income tax is computed from taxpayers' individual returns, using an algorithm that is authored, designed and maintained by the French Public Finances Directorate (DGFiP). Owing to the shortcomings of its custom programming language and the technical limitations of the compiler, the algorithm is proving harder and harder to maintain, relying on ad-hoc behaviors and workarounds to implement the most recent changes in tax law. As an improvement to this infrastructure, we developed Mlang, an open-source compiler toolchain that has been thoroughly validated against the private DGFiP test suite. Mlang has a formal semantics; eliminates previous handwritten workarounds in C; compiles to modern languages (Python); and enables a variety of instrumentations, providing deep insights about the essence of French income tax computation. The DGFiP is now officially transitioning to Mlang for their production system. This line of work has yielded papers at CC 2020 70 and JFLA 69, as well as a successful industrial technology transfer from Inria to DGFiP.
2021 has seen the development of a new domain-specific language, Catala, targeted specifically for legal expert systems. This new domain-specific language has been built in close collaboration with lawyers, and advertised to that community with a number of legal-oriented papers 65, 64. On the formal methods side, the simple and clean design of the Catala semantics 68 allows for extension into a proper proof platform for the law 27.
8.8 Semantic foundations for cost analysis of pipeline-optimized programs
Participants: Adrien Koutsos.
In collaboration with colleagues at Université de Rennes and the Max Planck Institute for Security and Privacy, we developed semantic foundations for the precise cost analyses of programs running on architectures with multi-scalar pipelines and in-order execution with branch prediction. We then used this model to prove the correction of an automatic cost analysis we designed, which is based on abstract interpretation techniques. The analysis is implemented and evaluated in the Jasmin framework for high-assurance cryptography.
This work has been published at the Static Analysis Symposium 15 in 2022.
8.9 Symbolic Analysis of Privacy for TLS 1.3 with Encrypted Client Hello
Participants: Karthikeyan Bhargavan, Vincent Cheval.
In collaboration with Karthikeyan Bhargavan and Christopher Wood, we (Vincent Cheval) wrote a paper on an complete analysis of Privacy for TLS 1.3 with the new extension Encrypted Client Hello. In this paper, we present the first mechanized formal analysis of privacy properties for TLS 1.3. We study all standard modes of TLS 1.3 with and without ECH using the symoblic protocol analyze ProVerif. We discuss attacks on ECH, some found during the course of this study, and show how they are accounted for in the latest version. This work appeared at CCS 2022 (long version 31).
8.10 Symbolic protocol verification of equivalences in the presence of probabilities
Participants: Vincent Cheval.
In collaboration with Raphaëlle Crubillé and Steve Kremer, we (Vincent Cheval) wrote a paper on the symbolic protocol verification of process equivalences in the presence of probabilities. In symbolic models, probabilities are most often abstracted typically assuming that computations that succeed with neglibible probability (e.g. guessing random numbers, breaking encryption shceme) are impossible. This work takes a look at probabilities that occurs in the control flow of the protocol where they are not negligible, for example when the protocol relies on a toin coss. We introduce a process calculus with a choice operator, namely the probabilistic applied pi calculus; and we define and explore the relationships between several behavioral equivalences in the general settings. However, as mixing non-deterministic and probabilitic choices can lead to unrealistic behaviors, we also look at two subclasses of processes that avoid this problem. In particular, we look at purely non-deterministic protocols in the presence of a probabilitic attackers as well as purely probabilistic processes. This paper appeared at IEEE Computer Security Foundations Symposium (CSF'22) 19 (long version 32).
8.11 Protocol verification platform: SAPIC+
Participants: Vincent Cheval, Charlie Jacomme.
In collaboration with Charlie Jacomme, Steve Kremer and Robert Künnemann, we (Vincent Cheval) wrote a paper on a major extension of the compiler SAPIC and developed the new protocol verification platform called SAPIC+. Originally, SAPIC was a compiler from a applied-pi calculus-like model to the automated verifier TAMARIN. We extended it with automated translations from SAPIC+ to PROVERIF and DEEPSEC, as well as powerful, protocol-independent optimizations of the existing translation. We prove each part of these translations sound. A user can thus, with a single SAPIC+ file, verify reachability and equivalence properties on the specified protocol, either using PROVERIF, TAMARIN or DEEPSEC. Moreover, the soundness of the translation allows to directly assume results proven by another tool which allows to exploit the respective strengths of each tool. We demonstrate our approach by analyzing various existing models (e.g. LAKE, Privacy-Pass protocols, SSH, KEMTLS). This paper appeared at USENIX Security 2022 20.
In collaboration with Elise Klein, Steve Kremer and Maïwenn Racouchot, we (Charlie Jacomme) used the SAPIC+ platform, and thus the underlying tools PROVERIF, TAMARIN and DEEPSEC, to perform an extensive analysis of a new security protocol, LAKE-EDHOC. It is a protocol under standardization at the IETF, and we have been following its development from draft 13 to 18. We verified over draft 13 all the security claims of the standard by making a model of the protocol as precise as possible. Our analysis involved the automated verification of hundreds of scenarios involving distinct attacker capabilities and primitive models. We uncovered in the process multiple weaknesses of the protocol that were acknowledged by the developers of the protocol, as well as fixed in later versions according to our verification. We kept our models up to date until the final version of the standard, where our models confirm the various security claims of the standard. This paper is to appear at USENIX Security 2023 22.
8.12 Verification of Rust programs: Aeneas and hacspec
Participants: Son Ho, Jonathan Protzenko, Aymeric Fromherz, Karthikeyan Bhargavan, Lucas Franceschino, Denis Merigoux.
In collaboration with Jonathan Protzenko, Son Ho developed on a new verification toolchain for Rust programs called Aeneas. Aeneas leverages Rust's rich region-based type system to eliminate memory reasoning for a large class of Rust programs, as long as they do not rely on interior mutability or unsafe code. Doing so, Aeneas relieves the proof engineer of the burden of memory-based reasoning, allowing them to instead focus on functional properties of their code. Aeneas proposes a new Low-Level Borrow Calculus (LLBC) that captures a large subset of Rust programs, and a translation from LLBC to a pure lambda-calculus, which enables the verification of Rust programs through different theorem provers. Aeneas was presented at ICFP 2022 12
Karthikeyan Bhargavan and Lucas Franceschino worked on the development of hacspec, a purely functional subset of Rust that is used to specify and verify cryptographic algorithms. Specifications in hacspec can be compiled to F* and Coq, and an EasyCrypt backend is being developed. The hacspec framework has been used to specify a large set of cryptographic algorithms and is being used as part of new standardization efforts.
8.13 Equational proofs for distributed cryptographic protocols: tool IPDL
Participants: Kristina Sojakova.
Joint work with Joshua Gancher, Leo Fan, Elaine Shi, and Greg Morrisett, to appear at the Symposium on Principles of Programming Languages (POPL 2023). Short for Interactive Probabilistic Dependency Logic, IPDL is a process calculus specifically designed to prove observational equivalences between message-passing protocols using equational techniques. The logic for approximate equivalence is sound in the computational model: whenever we construct a proof that two families of protocols indexed by the security parameter are approximately equivalent, then no probabilistic polynomial-time distinguisher can distinguish them with greater than negligible error.
The approach of IPDL is complementary to that of Squirrel and Cryptoverif. IPDL is designed to express and prove observational equivalences between protocols that are structurally dissimilar, for example because they employ different internal communication topologies. Secondly, IPDL is compositional, in the sense that we can embed security proofs for subprotocols into larger proof developments. Finally, Both Squirrel and CryptoVerif assume that protocol participants only communicate through the adversary, who controls the untrusted network. This restriction does not exist in IPDL, and as a result we can model many different kinds of dataflow in protocols, such as ideal communication channels between parties and functionalities. For instance, to construct a secure channel using the Diffie-Hellman Key Exchange, we first prove that the sender and receiver can securely exchange a secret key according to the Diffie-Hellman protocol. Once the security of the DHKE exchange has been established, by compositionality it suffices to show that that the sender and receiver can create a secure channel from an idealized key exchange.
Due to the equational style of the logic, the proof effort in IPDL is reasonably low, with proof scripts mostly consisting of bookkeeping around the introduction, substitution, and elimination of channels used for internal communication and computation. With additional proof engineering, the bulk of the bookkeeping steps can likely be eliminated. Current collaboration with Mihai Codescu, a research engineer, aims to use Maude, a fast rewriting engine, to create a semi-automated prover for IPDL.
8.14 Noise*: A Library of Verified High-Performance Secure Channel Protocol Implementations
Participants: Son Ho, Jonathan Protzenko, Karthikeyan Bhargavan.
The Noise protocol framework defines a succinct notation and execution framework for a large class of 59+ secure channel protocols, some of which are used in popular applications such as WhatsApp and WireGuard.
In a collaboration between Son Ho, Jonathan Protzenko, Abhishek Bichhawat, and Karthikeyan Bhargavan, we built a verified implementation of a Noise protocol compiler that takes any Noise protocol, and produces an optimized C implementation with extensive correctness and security guarantees. To this end, we formalize the complete Noise stack in F*, from the low-level cryptographic library to a high-level API. We write our compiler also in F*, prove that it meets our formal specification once and for all, and then specialize it on-demand for any given Noise protocol, relying on a novel technique called hybrid embedding. We thus establish functional correctness, memory safety and a form of side-channel resistance for the generated C code for each Noise protocol. We propagate these guarantees to the high-level API, using defensive dynamic checks to prevent incorrect uses of the protocol. Finally, we formally state and prove the security of our Noise code, by building on a symbolic model of cryptography in F*, and formally link high-level API security goals stated in terms of security levels to low-level cryptographic guarantees.
Ours are the first comprehensive verification results for a protocol compiler that targets C code and the first verified implementations of any Noise protocol. This work was published at IEEE S&P 2022 21.
9 Bilateral contracts and grants with industry
9.1 Bilateral grants with industry
Evolution, Semantics, and Engineering of the F* Verification System
- Grant from Nomadic Labs - Inria
- PIs: Catalin Hritcu and Exequiel Rivas
- Duration: March 2019 - April 2023
Abstract: While the F* verification system shows great promise in practice, many challenging conceptual problems remain to be solved, many of which can directly inform the further evolution and design of the language. Moreover, many engineering challenges remain in order to build a truly usable verification system. This proposal promises to help address this by focusing on the following 5 main topics:
(1) Generalizing Dijkstra monads, i.e., a program verification technique for arbitrary monadic effects; (2) Relational reasoning in F*: devising scalable verification techniques for properties of multiple program executions (e.g., confidentiality, noninterference) or of multiple programs (e.g., program equivalence); (3) Making F*'s effect system more flexible, by supporting tractable forms of effect polymorphism and allowing some of the effects of a computation to be hidden if they do not impact the observable behavior; (4) Working out more of the F* semantics and metatheory; (5) Solving the engineering challenges of building a usable verification system.
10 Partnerships and cooperations
10.1 International initiatives
10.1.1 Inria associate team not involved in an IIL or an international program
Verifying Security Properties of Group Messaging Protocols
Abhishek Bichhawat (email@example.com)
- IIT Gandhinagar (Inde)
Modern instant messaging systems allow multiple parties to communicate with each other in pairs and in groups. The security of these conversations depends on complex cryptographic protocols with subtle security guarantees. These protocols allow the addition and deletion of members, as well as the exchange of confidential and authentic messages between (current) members. It is difficult to be confident that these protocols and their implementations are correct. Formal mechanized security analysis of protocols has been widely accepted as a necessary step for designing robust cryptographic protocols but has not been previously used to analyze group messaging. This proposal focuses on formally verifying security properties (like forward secrecy and post-compromise security) of group messaging protocols. We propose to extend DY*, a symbolic verification tool, to build a generic formal framework to model group-messaging protocols. We will model various group messaging protocols and verify different security properties ranging from authentication of peers in a group to the confidentiality of messages exchanged between the peers. Finally, we will use our generic framework to empirically compare of performance of those protocols.
10.1.2 Visits to international teams
Research stays abroad
Chennai Mathematical Institute
Context of the visit:
Teaching and Research Collaborations with CMI, IIT Delhi, and IIT Gandhinagar
Mobility program/type of mobility:
10.2 European initiatives
10.2.1 Horizon Europe
Custom Cryptographic Solutions with Formal Security Guarantees
From April 1, 2022 to September 30, 2023
- INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France
Modern web applications routinely rely on standardized cryptographic protocols and algorithms to protect sensitive user data. Furthermore, with the advent of blockchains, the imminence of quantum computers, and widespread concerns about privacy in an era of surveillance and machine learning algorithms, enterprises are increasingly turning to sophisticated non-standard cryptographic solutions customized for specific usage scenarios. Unfortunately, cryptographic design and implementation is notoriously error-prone with a long history of design flaws, implementation bugs, and high-profile attacks. This leaves software companies with a difficult choice: every time they deploy a new crypto standard or an innovative cryptographic application that improves the security and privacy of their users, they risk exposing embarrassing flaws in their design or code.
10.3 National initiatives
TECAP: Protocol Analysis - Combining Existing Tools (ANR générique 2017.)
Inria Nancy/EPI PESTO, Inria Sophia Antipolis/EPI MARELLE, IRISA, LIX, LSV - ENS Cachan.
January 2018 - June 2022
Vincent Cheval, EPI Prosecco, Inria Paris (France)
Bruno Blanchet, Benjamin Lipp, Vincent Cheval
A large variety of automated verification tools have been developed to prove or find attacks on security protocols. These tools differ in their scope, degree of automation, and attacker models. The aim of this project is to get the best of all these tools, meaning, on the one hand, to improve the theory and implementations of each individual tool towards the strengths of the others and, on the other hand, build bridges that allow the cooperations of the methods/tools. We will focus in this project on the tools CryptoVerif, EasyCrypt, Scary, ProVerif, Tamarin, AKiSs and APTE.
11.1 Promoting scientific activities
11.1.1 Scientific events: organisation
Member of the organizing committees
- Karthikeyan Bhargavan: Organizing Committee member for the HACS workshop
Member of the conference program committees
- Karthikeyan Bhargavan: PC member for IEEE S&P, IEEE CSF
- Bruno Blanchet: PC member for the meeting of the CNRS working group on formal methods for security.
- Aymeric Fromherz: PC member for USENIX 2022.
- Kristina Sojakova: External Review Committee member for Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 20022 and OOPSLA 2023).
Member of the editorial boards
- Bruno Blanchet: Associate Editor of the International Journal of Applied Cryptography (IJACT) – Inderscience Publishers: until June 2022.
- Karthikeyan Bhargavan: Associate Editor of ACM Transaction on Privacy and Security (TOPS)
11.1.3 Invited talks
- Karthikeyan Bhargavan: Invited talks at the CNRS, CMI, and College de France
- Bruno Blanchet: Invited talk at HCVS'22 (9th workshop on Horn clauses for Verification and Synthesis)
- Bruno Blanchet: Invited talk at the meeting of the CNRS working group on formal methods for security.
- Aymeric Fromherz: Invited talk at the Iris workshop 2022.
11.1.4 Scientific expertise
- Vincent Cheval: Member of the hiring committee of Assistant Professor position in ENS Paris-Saclay.
11.2 Teaching - Supervision - Juries
- Master: Karthikeyan Bhargavan, Cryptographic protocols: formal and computational proofs, 18h equivalent TD, master M2 MPRI, université Paris VII
- Master: Bruno Blanchet, Cryptographic protocols: formal and computational proofs, 27h equivalent TD, master M2 MPRI, université Paris VII
- Master: Adrien Koutsos, Cryptographic protocols: formal and computational proofs, 18h equivalent TD, master M2 MPRI, université Paris VII
- Master: Vincent Cheval, Cryptographic protocols: formal and computational proofs, 18h equivalent TD, master M2 MPRI, université Paris VII
- License: Vincent Cheval, Programming project, 12h equivalent TD, Licence 2 UFR Informatique, université Paris VII
- License: Vincent Cheval, Algorithmics, 36h equivalent TD, Licence 2 UFR Informatique, université Paris VII
- Master and PhD: Karthikeyan Bhargavan, Formal Software Analysis, IIT Delhi
- Master and PhD: Karthikeyan Bhargavan, Formal Software Analysis, Chennai Mathematical Institute
- PhD: Adrien Koutsos (with David Baelde), Formal Proofs of Cryptographic Protocols in Squirrel, Cyber in Nancy, 4-8 July 2022
- PhD in progress: Antonin Reitz, A Methodology for Programming and Verifying Secure Systems, since November 2022, supervised by Karthikeyan Bhargavan and Aymeric Fromherz.
- PhD in progress: Justine Sauvage, Games and Logic for the Verification of Cryptographic Protocols, since September 2022, supervised by Bruno Blanchet, David Baelde and Adrien Koutsos.
- PhD in progress: Son Ho, Verification of Rust Programs, since September 2020, supervised by Karthikeyan Bhargavan and Jonathan Protzenko.
- PhD in progress: Theophile Wallex, Verification of Cryptographic Protocols, since September 2021, supervised by Karthikeyan Bhargavan and Jonathan Protzenko.
- PhD defended: Marina Polubelova, Building a Formally Verified High-Performance Multi-Platform Cryptographic Library in F*, PSL, defended on January 17, 2022, supervised by Karthikeyan Bhargavan.
- PhD defended: Natalia Kulatova, Formally Verified Imple- mentations of Elliptic Curve Cryptography Standards, PSL, defended on January 18, 2022, supervised by Karthikeyan Bhargavan and Graham Steel.
- PhD defended: Benjamin Lipp, On Mechanised Cryptographic Proofs of Protocols and their Link with Verified Implementations, ENS Paris, defended on June 28, 2022, supervised by Bruno Blanchet and Karthikeyan Bhargavan.
- M2 internship: Benjamin Bonnaud on improving the generation of verification conditions in Steel. Supervised by Aymeric Fromherz
- M2 internship: Benjamin Catinaud on adding hash consing techniques in ProVerif for the purpose of reducing the memory consumption of the tool. Supervised by Vincent Cheval.
- M2 internship: Sidney Congard on extending Aeneas to support reasoning about Rust loops and closures. Supervised by Karthikeyan Bhargavan and Aymeric Fromherz
- L3 internship: Ellenor Taghayor on introducing unification modulo XOR and abelian groups in ProVerif. Supervised by Vincent Cheval.
- Karthikeyan Bhargavan participated in the PhD juries of Mohamed El Laz and Leo Libert
12 Scientific production
12.1 Major publications
- 1 articleThe Applied Pi Calculus: Mobile Values, New Names, and Secure Communication.Journal of the ACM (JACM)651October 2017, 1 - 103
- 2 inproceedingsAn Interactive Prover for Protocol Verification in the Computational Model.SP 2021 - 42nd IEEE Symposium on Security and PrivacyProceedings of the 42nd IEEE Symposium on Security and Privacy (S&P'21)San Fransisco / Virtual, United StatesMay 2021
- 3 inproceedingsVerified Models and Reference Implementations for the TLS 1.3 Standard Candidate.38th IEEE Symposium on Security and PrivacySan Jose, United StatesMay 2017, 483 - 502
- 4 inproceedingsTriple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS.IEEE Symposium on Security and Privacy (Oakland)2014, 98--113
- 5 inproceedingsProVerif with Lemmas, Induction, Fast Subsumption, and Much More.S&P'22 - 43rd IEEE Symposium on Security and PrivacySan Francisco, United StatesMay 2022
- 6 articleModeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif.Foundations and Trends in Privacy and Security11--2OCT 2016, 1--135
- 7 inproceedingsDEEPSEC: Deciding Equivalence Properties in Security Protocols - Theory and Practice.39th IEEE Symposium on Security and PrivacySan Francisco, United StatesMay 2018
- 8 inproceedingsThe 5G-AKA Authentication Protocol Privacy.EuroS&P 2019 - IEEE European Symposium on Security and PrivacyStockholm, SwedenIEEEJune 2019, 464-479
- 9 inproceedingsDependent Types and Multi-Monadic Effects in F*.43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL)ACMJanuary 2016, 256-270
- 10 inproceedingsHACL*: A Verified Modern Cryptographic Library.Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 20172017, 1789--1806
12.2 Publications of the year
International peer-reviewed conferences
National peer-reviewed Conferences
Conferences without proceedings
Doctoral dissertations and habilitation theses
Reports & preprints
Other scientific publications
12.3 Cited publications
- 37 articleAnalyzing Security Protocols with Secrecy Types and Logic Programs.Journal of the ACM521January 2005, 102--146URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/AbadiBlanchetJACM7037.pdf
- 38 articleJust Fast Keying in the Pi Calculus.ACM Transactions on Information and System Security (TISSEC)103July 2007, 1--59URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/AbadiBlanchetFournetTISSEC07.pdf
- 39 inproceedingsWhen Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise.25th ACM Conference on Computer and Communications Security (CCS)ACMOctober 2018, 1351--1368URL: https://arxiv.org/abs/1802.00588
- 40 inproceedingsJourney Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation.32nd IEEE Computer Security Foundations Symposium (CSF)IEEEJune 2019, 256-271URL: https://arxiv.org/abs/1807.04603
- 41 inproceedingsDijkstra Monads for Free.44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL)ACMJanuary 2017, 515-529URL: https://www.fstar-lang.org/papers/dm4free/
- 42 inproceedingsMicro-Policies: Formally Verified, Tag-Based Security Monitors.36th IEEE Symposium on Security and Privacy (Oakland S&P)IEEE Computer SocietyMay 2015, 813--830URL: http://prosecco.gforge.inria.fr/personal/hritcu/publications/micro-policies.pdf
- 43 inproceedingsAn Interactive Prover for Protocol Verification in the Computational Model.SP 2021 - 42nd IEEE Symposium on Security and PrivacyProceedings of the 42nd IEEE Symposium on Security and Privacy (S&P'21)San Fransisco / Virtual, United StatesMay 2021
- 44 unpublishedExtending the SQUIRREL meta-logic for reasoning over security protocols.June 2021, LFMTP workshop
- 45 conferenceComputationally Complete Symbolic Adversary and Computationally Sound Veri?cation of Security Protocols (in Japanese).Proceedings of The 30th Symposium on Cryptography and Information SecurityCD-ROM (4D1-3)Jan 2013
- 46 inproceedingsA Computationally Complete Symbolic Attacker for Equivalence Properties.ACM Conference on Computer and Communications Security (CCS'14)New York, NY, USAACMNov 2014, 609--620
- 47 inproceedingsHigh-Assurance Cryptography in the Spectre Era.S&P 2021 - IEEE Symposium of Security and PrivacyVirtual, FranceMay 2021
- 48 inproceedingsDY* : A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code.EuroS&P 2021 - 6th IEEE European Symposium on Security and PrivacyVirtual, AustriaSeptember 2021
- 49 inproceedingsVerified Models and Reference Implementations for the TLS 1.3 Standard Candidate.38th IEEE Symposium on Security and PrivacySan Jose, United StatesMay 2017, 483 - 502
- 50 inproceedingsEverest: Towards a Verified, Drop-in Replacement of HTTPS.2nd Summit on Advances in Programming Languages (SNAPL)May 2017, URL: http://drops.dagstuhl.de/opus/volltexte/2017/7119/pdf/LIPIcs-SNAPL-2017-1.pdf
- 51 inproceedingsImplementing and Proving the TLS 1.3 Record Layer.IEEE Symposium on Security and Privacy (Oakland)2017
- 52 articleVerified Cryptographic Implementations for TLS.ACM Transactions Inf. Syst. Secur.151March 2012, 3:1--3:32URL: http://doi.acm.org/10.1145/2133375.2133378
- 53 inproceedingsVerified implementations of the information card federated identity-management protocol.ACM Symposium on Information, Computer and Communications Security (ASIACCS)2008, 123-135
- 54 articleAutomated Verification of Selected Equivalences for Security Protocols.Journal of Logic and Algebraic Programming751feb # -- 2008, 3--51
- 55 inproceedingsAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules.14th IEEE Computer Security Foundations Workshop (CSFW'01)2001, 82--96
- 56 articleAutomatic Verification of Correspondences for Security Protocols.Journal of Computer Security174July 2009, 363--434URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/BlanchetJCS08.pdf
- 57 articleVerification of Cryptographic Protocols: Tagging Enforces Termination.Theoretical Computer Science3331-2Special issue FoSSaCS'03.March 2005, 67--90URL: http://prosecco.gforge.inria.fr/personal/bblanche/publications/BlanchetPodelskiTCS04.html
- 58 articleProved Generation of Implementations from Computationally Secure Protocol Specifications.Journal of Computer Security2332015, 331--402
- 59 inproceedingsLanguage-Based Defenses Against Untrusted Browser Origins.Proceedings of the 22th USENIX Security Symposium2013, URL: http://prosecco.inria.fr/personal/karthik/pubs/language-based-defenses-against-untrusted-origins-sec13.pdf
- 60 articleOn the security of public key protocols.IEEE Transactions on Information TheoryIT--2921983, 198--208
- 61 inproceedingsModular Code-Based Cryptographic Verification.ACM Conference on Computer and Communications Security2011
- 62 articleSteel: proof-oriented programming in a dependently typed concurrent separation logic.Proceedings of the ACM on Programming Languages5ICFPAugust 2021, 1-30
- 63 articleAeneas: Rust verification by functional translation.Proceedings of the ACM on Programming Languages6ICFPAugust 2022, 711-741
- 64 unpublishedCatala: Moving Towards the Future of Legal Expert Systems.January 2022, working paper or preprint
- 65 inproceedingsTraduire la loi en code grâce au langage de programmation Catala.Intelligence artificielle et finances publiquesNice, FranceOctober 2020
- 66 inproceedingsAutomated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach.2nd IEEE European Symposium on Security and PrivacyParis, FranceApril 2017, 435 - 450
- 67 articleDijkstra Monads for All.PACMPL3ICFP2019, 104:1--104:29URL: https://arxiv.org/abs/1903.01237
- 68 articleCatala: A Programming Language for the Law.Proceedings of the ACM on Programming Languages5ICFPAugust 2021, 77:1-29
- 69 inproceedingsÉtude formelle de l'implémentation du code des impôts.JFLA 2020 - 31ème Journées Francophones des Langages ApplicatifsGruissan, FranceJanuary 2020
- 70 inproceedingsA Modern Compiler for the French Tax Code.CC '21: 30th ACM SIGPLAN International Conference on Compiler ConstructionCC 2021: Proceedings of the 30th ACM SIGPLAN International Conference on Compiler ConstructionVirtual, South KoreaACMMarch 2021, 71-82
- 71 articleUsing encryption for authentication in large networks of computers.Communications of the ACM21121978, 993--999
- 72 inproceedingsHACLxN: Verified Generic SIMD Crypto (for all your favourite platforms).CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications SecurityVirtual Event, United StatesNovember 2020
- 73 inproceedingsEverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider.SP 2020 - IEEE Symposium on Security and PrivacySan Francisco / Virtual, United StatesIEEEMay 2020, 983-1002
- 74 articleVerified Low-Level Programming Embedded in F*.PACMPL1ICFPSeptember 2017, 17:1--17:29URL: http://arxiv.org/abs/1703.00053
- 75 inproceedingsEverParse: Verified Secure Zero-Copy Parsers for Authenticated Message Formats.28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019USENIX Association2019, 1465--1482URL: https://www.usenix.org/conference/usenixsecurity19/presentation/delignat-lavaud
- 77 inproceedingsDependent Types and Multi-Monadic Effects in F*.43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL)ACMJanuary 2016, 256-270URL: https://www.fstar-lang.org/papers/mumon/
- 78 articleSteelCore: an extensible concurrent separation logic for effectful dependently typed programs.Proceedings of the ACM on Programming Languages4ICFPAugust 2020, 1-30
- 79 inproceedingsHACL*: A Verified Modern Cryptographic Library.Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 20172017, 1789--1806URL: http://doi.acm.org/10.1145/3133956.3134043