Keywords
Computer Science and Digital Science
 A2.1.11. Proof languages
 A2.4.3. Proofs
 A4.5. Formal methods for security
 A5.10.3. Planning
 A7.2. Logic in Computer Science
 A7.2.3. Interactive Theorem Proving
 A7.2.4. Mechanized Formalization of Mathematics
 A8.3. Geometry, Topology
 A8.4. Computer Algebra
 A8.10. Computer arithmetic
Other Research Topics and Application Domains
 B6.1. Software industry
 B9.5.1. Computer science
 B9.5.2. Mathematics
1 Team members, visitors, external collaborators
Research Scientists
 Yves Bertot [Team leader, INRIA, Senior Researcher, HDR]
 Cyril Cohen [INRIA, Researcher]
 Benjamin Grégoire [INRIA, Researcher]
 Laurence Rideau [INRIA, Researcher]
 Enrico Tassi [INRIA, Researcher]
 Laurent Théry [INRIA, Researcher]
PhD Student
 Swarn Priya [INRIA]
Technical Staff
 Pierre Boutry [INRIA, Engineer]
 Maxime Denes [INRIA]
 JeanChristophe Lechenet [INRIA, Engineer]
Interns and Apprentices
 Quentin Corradi [ENS Lyon, Intern, from May 2022 until Aug 2022]
 Léon Ducruet [ENS Lyon, Intern, from May 2022 until Jul 2022]
 Lucas TabaryMaujean [ENS ParisSaclay, Intern, from Jun 2022 until Jul 2022]
 Mohit Kumar Tekriwal [University of Michigan, from Oct 2022, Visit supported by the French Embassy in the USA]
Administrative Assistant
 Nathalie Bellesso [INRIA]
Visiting Scientists
 Andreas Hulsing [UNIV EINDHOVEN, from Sep 2022]
 Matteo Manighetti [UNIV BOLOGNE, from Oct 2022 until Oct 2022]
External Collaborator
 Gilles Barthe [INSTITUT MAXPLANCK, HDR]
2 Overall objectives
Computers and programs running on these computers are powerful tools for many domains of human activities. In some of these domains, program errors can have enormous consequences. It will become crucial for all stakeholders that the best techniques are used when designing these programs.
We advocate using higherorder logic proof assistants as tools to obtain better quality programs and designs. These tools make it possible to build designs where all decisive arguments are explicit, ambiguity is alleviated, and logical steps can be verified precisely. In practice, we are intensive users of the Coq system and we participate actively to the development of this tool, in collaboration with other teams at Inria, and we also take an active part in promoting its usage by academic and industrial users around the world.
Many domains of modern computer science and engineering make a heavy use of mathematics. If we wish to use proof assistants to avoid errors in designs, we need to develop corpora of formally verified mathematics that are adapted to these domains. Developing libraries of formally verified mathematics is the main motivation for our research. In these libraries, we wish to capture not only the knowledge that is usually recorded in definitions and theorems, but also the practical knowledge that is recorded in mathematical practice, idioms, and work habits. Thus, we are interested in logical facts, algorithms, and notation habits. Also, the very process of developing an ambitious library is a matter of organisation, with design decisions that need to be evaluated and improved. Refactoring of libraries is also an important topic. Among all higherorder logic based proof assistants, we contend that those based on Type theory are the best suited for this work on libraries, thanks to their strong capabilities for abstraction and modular reuse.
The interface between mathematics, computer science and engineering is large. To focus our activities, we will concentrate on applications of proof assistants to two main domains: cryptography and robotics. We also develop specific tools for proofs in cryptography, mainly around a proof tool named EasyCrypt.
3 Research program
3.1 Theoretical background
The proof assistants that we consider provide both a programming language, where users can describe algorithms performing tasks in their domain of interest, and a logical language to reason about the programs, thus making it possible to ensure that the algorithms do solve the problems for which they were designed. Trustability is gained because algorithms and logical statements provide multiple views of the same topic, thus making it possible to detect errors coming from a mismatch between expected and established properties. The verification process is itself a logical process, where the computer can bring rigor in aligning expectations and guarantees.
The foundations of proof assistants rest on the very foundations of mathematics. As a consequence, all aspects of reasoning must be made completely explicit in the process of formally verifying an algorithm. All aspects of the formal verification of an algorithm are expressed in a discourse whose consistency is verified by the computer, so that unclear or intuitive arguments need to be replaced by precise logical inferences.
One of the foundational features on which we rely extensively is Type Theory. In this approach a very simple programming language is equiped with a powerful discipline to check the consistency of usage: types represent sets of data with similar behavior, functions represent algorithms mapping types to other types, and the consistency can be verified by a simple computer program, a typechecker. Although they can be verified by a simple program, types can express arbitrary complex objects or properties, so that the verification work lives in an interesting realm, where verifying proofs is decidable, but finding the proofs is undecidable.
This process for producing new algorithms and theorems is a novelty in the development of mathematical knowledge or algorithms, and new working methods must be devised for it to become a productive approach to high quality software development. Questions that arise are numerous. How do we avoid requiring human assistance to work on mundane aspects of proofs? How do we take advantage of all the progress made in automatic theorem proving? How do we organize the maintenance of ambitious corpora of formally verified knowledge in the long term?
To acquire handson expertise, we concentrate our activity on three aspects. The first one is foundational: we develop and maintain a library of mathematical facts that covers many aspects of algebra. In the past, we applied this library to proofs in group theory, but it is increasingly used for many different areas of mathematics and by other teams around the world, from combinatorics to elliptic cryptography, for instance. The second aspect is applicative: we develop a specific tool for proofs in cryptography, where we need to reason on the probability that opponents manage to access information we wish to protect. For this activity, we develop a specific proof system, relying on a wider set of automatic tools, with the objective of finding the tools that are well adapted to this domain and to attract users that are initially specialists in cryptography but not in formal verification. The third domain is robotics, as we believe that the current trend towards more and more autonomous robots and vehicles will raise questions of safety and trustability where formal verification can bring significant added value.
4 Application domains
4.1 Mathematical Components
The Mathematical Components library is the main byproduct of an effort started almost two decades ago to provide a formally verified proof for a major theorem in group theory. Because this major theorem had a proof published in books of several hundreds of pages, with elements coming from character theory, other coming from algebra, and some coming from real analysis, it was an exercice in building a large library, with results in many domains, and in establishing clear guidelines for further increase and data search.
This library has proved to be a useful repository of mathematical facts for a wide area of applications, so that it has a growing community of users in many countries (Denmark, France, Germany, Japan, Singapore, Spain, Sweden, UK, USA) and for a wide variety of topics (transcendental number theory, elliptic curve cryptography, articulated robot kinematics, recently block chain foundations).
Interesting questions on this library range around the importance of decidability and proof irrelevance, the way to structure knowledge to automatically inherit theorems from one topic to another, the way to generate infrastructure to make this automation efficient and predictable. In particular, we want to concentrate on adding a new mathematical topic to this library: real analysis and then complex analysis (Mathematical Components Analysis).
On the front of automation, we are convinced that a higher level language is required to describe similarities between theories, to generate theorems that are immediate consequences of structures, etc, and for this reason, we invest in the development of a new language on top of the proof assistant (ELPI).
4.2 Proofs in cryptography
When we work on cryptography, we are interested in the formal verification of proofs showing that some cryptographic primitives provide good guarantees against unwanted access to information. Over the years we have developed a technique for this kind of reasoning that relies on a programing logic (close to Hoare logic) with probabilistic aspects and the capability to establish relations between several implementations of a problem. The resulting programming logic is called probabilistic relational Hoare logic. We also study questions of sidechannel attacks, where we wish to guarantee that opponents cannot gain access to protected knowledge, even if they observe specific features of execution, like execution time (to which the answer lies in constanttime execution) or partial access to memory bits (to which the answer lies in masking).
For this domain of application, we choose to work with a specific proof tool (EasyCrypt), which combines powerful firstorder reasoning and use of automatic tools, with a specific support for probabilistic relational Hoare Logic. The development of this EasyCrypt proof tool is one of the objectives of our team.
When it comes to formal proofs of resistance to sidechannel attacks, we contend that it is necessary to verify formally that the compiler used in the production of actually running code respects the resistance properties that were established in formally verified proofs. One of our objectives is to develop such a compiler (Jasmin) and show its strength on a variety of applications.
The pair of tools EasyCrypt and Jasmin has also proved its worth in the formal verification of correctness for postquantum cryptography.
4.3 Proofs for robotics
Robots are manmade artifacts where numerous design decisions can be argued based on logical or mathematical principles. For this reason, we wish to use this domain of application as a focus for our investigations. The questions for which we are close to providing answers involve precision issues in numeric computation, obstacle avoidance and motion planning (including questions of graph theory), articulated limb kinematics and dynamics, and balance and active control.
From the mathematical perspective, these topics require that we improve our library to cover real algebraic geometry, computational geometry, real analysis, graph theory, and refinement relations between abstract algorithms and executable programs.
In the long run, we hope to exhibit robots where pieces of software and part of the design have been subject to formal verification.
5 Highlights of the year
The software tool EasyCrypt and Jasmin that we develop are instrumental for the Libjade library, with a notable application to the formal verification of NISTapproved postquantum cryptography algorithms like Dilithium.
6 New software and platforms
6.1 New software
6.1.1 Coq

Name:
The Coq Proof Assistant

Keywords:
Proof, Certification, Formalisation

Scientific Description:
Coq is an interactive proof assistant based on the Calculus of (Co)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and coinductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests on which are built a set of higherlevel layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top an integrated development environment (IDE).

Functional Description:
Coq provides both a dependentlytyped functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semiautomatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...

Release Contributions:
Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. We highlight some of the most impactful changes here:
The guard checker (see Guarded) now ensures strong normalization under any reduction strategy.
Irrelevant terms (in the SProp sort) are now squashed to a dummy value during conversion, fixing a subject reduction issue and making proof conversion faster.
Introduction of reversible coercions, which allow coercions relying on metalevel resolution such as typeclasses or canonical structures. Also allow coercions that do not fullfill the uniform inheritance condition.
Generalized rewriting support for rewriting with Typevalued relations and in Type contexts, using the Classes.CMorphisms library.
Added the boolean equality scheme command for decidable inductive types.
Added a Print Notation command.
Incompatibilities in name generation for Program obligations, eauto treatment of tactic failure levels, use of ident in notations, parsing of module expressions.
Standard library reorganization and deprecations.
Improve the treatment of standard library numbers by Extraction.
See https://coq.inria.fr/refman/changes.html#version816 for a detailed changelog.

News of the Year:
Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. See the detailed changes at https://coq.inria.fr/refman/changes.html#version816 for an overview of the new features and changes, along with the full list of contributors.
 URL:

Contact:
Matthieu Sozeau

Participants:
Yves Bertot, Frederic Besson, Tej Chajed, Cyril Cohen, Pierre Corbineau, Pierre Courtieu, Maxime Denes, Jim Fehrle, Julien Forest, Emilio Jesús Gallego Arias, Gaetan Gilbert, Georges Gonthier, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Vincent Laporte, Olivier Laurent, Assia Mahboubi, Kenji Maillard, Érik MartinDorel, Guillaume Melquiond, PierreMarie Pedrot, Clément PitClaudel, Kazuhiko Sakaguchi, Vincent Semeria, Michael Soegtrop, Arnaud Spiwack, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Anton Trunov, LiYao Xia, Theo Zimmermann, Gaetan Gilbert

Partners:
CNRS, Université ParisSud, ENS Lyon, Université ParisDiderot
6.1.2 MathComponents

Name:
Mathematical Components library

Keyword:
Proof assistant

Functional Description:
The Mathematical Components library is a set of Coq libraries that cover the prerequiste for the mechanization of the proof of the Odd Order Theorem.
 URL:

Contact:
Assia Mahboubi

Participants:
Alexey Solovyev, Andrea Asperti, Assia Mahboubi, Cyril Cohen, Enrico Tassi, François Garillot, Georges Gonthier, Ioana Pasca, Jeremy Avigad, Laurence Rideau, Laurent Théry, Russell O'Connor, Sidi Ould Biha, Stéphane Le Roux, Yves Bertot
6.1.3 Easycrypt

Keywords:
Proof assistant, Cryptography

Functional Description:
EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of gamebased cryptographic proofs. EasyCrypt can also be used for reasoning about differential privacy.

News of the Year:
In 2021, Benjamin Gregoire, Adrien Koutsos and PierreYves Strub extended the EasyCrypt proof assistant to reason about complexity, by adding a Hoare logic to prove computational complexity (execution time and oracle calls) of adversarial computations. This Hoare logic is built on top of EasyCrypt module system used to model adversaries, which has been extended to support complexity restrictions.
 URL:
 Publications:

Contact:
Gilles Barthe

Participants:
Benjamin Grégoire, Gilles Barthe, PierreYves Strub, Adrien Koutsos
6.1.4 ELPI

Name:
Embeddable Lambda Prolog Interpreter

Keywords:
Constraint Programming, Programming language, Higherorder logic

Scientific Description:
The programming language has the following features
 Native support for variable binding and substitution, via an Higher Order Abstract Syntax (HOAS) embedding of the object language. The programmer does not need to care about technical devices to handle bound variables, like De Bruijn indices.
 Native support for hypothetical context. When moving under a binder one can attach to the bound variable extra information that is collected when the variable gets out of scope. For example when writing a typechecker the programmer needs not to care about managing the typing context.
 Native support for higherorder unification variables, again via HOAS. Unification variables of the metalanguage (lambdaProlog) can be reused to represent the unification variables of the object language. The programmer does not need to care about the unificationvariable assignment map and cannot assign to a unification variable a term containing variables out of scope, or build a circular assignment.
 Native support for syntactic constraints and their metalevel handling rules. The generative semantics of Prolog can be disabled by turning a goal into a syntactic constraint (suspended goal). A syntactic constraint is resumed as soon as relevant variables get assigned. Syntactic constraints can be manipulated by constraint handling rules (CHR).
 Native support for backtracking, to ease implementation of search.
 The constraint store is extensible. The host application can declare nonsyntactic constraints and uses custom constraint solvers to check their consistency.
 Clauses are graftable. The user is free to extend an existing program by inserting/removing clauses, both at runtime (using implication) and at "compilation" time by accumulating files.
Most of these features come with lambdaProlog. Constraints and propagation rules are novel in ELPI.

Functional Description:
ELPI implements a variant of lambdaProlog enriched with Constraint Handling Rules, a programming language well suited to manipulate syntax trees with binders and unification variables.
ELPI is a research project aimed at providing a programming platform for the so called elaborator component of an interactive theorem prover.
ELPI is designed to be embedded into larger applications written in OCaml as an extension language. It comes with an API to drive the interpreter and with an FFI for defining builtin predicates and data types, as well as quotations and similar goodies that come in handy to adapt the language to the host application.

Release Contributions:
 Support for recent ocaml  New parser based on menhir  New tracing facility and corresponding GUI for vscode

News of the Year:
New parser based on Menhir. New trace browsing facility.
 URL:
 Publications:

Contact:
Enrico Tassi

Participants:
Enrico Tassi, Claudio Sacerdoti Coen
6.1.5 coqelpi

Keywords:
Metaprogramming, Extension

Scientific Description:
Coqelpi provides a Coq plugin that embeds ELPI. It also provides a way to embed Coq's terms into lambdaProlog using the HigherOrder Abstract Syntax approach (HOAS) and a way to read terms back. In addition to that it exports to ELPI a set of Coq's primitives, e.g. printing a message, accessing the environment of theorems and data types, defining a new constant and so on. For convenience it also provides a quotation and antiquotation for Coq's syntax in lambdaProlog. E.g. {{nat}} is expanded to the type name of natural numbers, or {{A > B}} to the representation of a product by unfolding the > notation. Finally it provides a way to define new vernacular commands and new tactics.

Functional Description:
Coq plugin embedding ELPI

Release Contributions:
 support for universe polymorphism  support for raw or elaborated arguments  new APIs for reduction and modules  new schema to derive equality tests

News of the Year:
Experimental support for universe polymorphism. New schema for efficient synthesis of equality tests. New API for modules and functors.
 Publications:

Contact:
Enrico Tassi

Participant:
Enrico Tassi
6.1.6 Jasmin

Name:
Jasmin compiler and analyser

Keywords:
Cryptography, Static analysis, Compilers

Functional Description:
The Jasmin programming language smoothly combines highlevel and lowlevel constructs, so as to support “assembly in the head” programming. Programmers can control many lowlevel details that are performancecritical: instruction selection and scheduling, what registers to spill and when, etc. The language also features highlevel abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of highlevel abstractions incurs no runtime penalty.
The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machinechecked by the Coq proof assistant). This justifies that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…
Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against sidechannel attacks (constanttime).

Release Contributions:
It contains the following major improvements:  a new instruction "#randombytes" to fill an array with “random” data,  access to mmx registers,  support for Windows calling convention, in addition to Linux,  "else if" blocks for readability,  strict preservation of sourcelevel intrinsics,  an option to extract all the functions of a file to EasyCrypt,  many fixes to the extraction to EasyCrypt.

News of the Year:
In 2022, two major versions were released. The first one, 2022.04.0, is the result of more than two years of development, and thus brings major new features to the language, including the support for local functions and subarrays. The second one, 2022.09.0, adds in particular the support for system calls, which allows for instance to call an operating system function returning random data.
Work to support multiple architecture has progressed well. The support for ARM 32 bits was merged and is being polished.
Work on "Speculative Load Hardening", a transformation making a program resistant to some Spectre attacks, are ongoing. In parallel, another line of work tries to add arrays whose length is not known at compile time.
 URL:
 Publications:

Contact:
Benjamin Grégoire

Participants:
Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, JeanChristophe Lechenet, Swarn Priya

Partners:
The IMDEA Software Institute, Ecole Polytechnique, Universidade do Minho, Université de Porto, Max Planck Institute for Security and Privacy
6.1.7 Mathcompanalysis

Name:
Mathematical Components Analysis

Keyword:
Proof assistant

Functional Description:
This library adds definitions and theorems to the Mathcomponents library for real numbers and their mathematical structures.

Release Contributions:
The main change is the split into two packages coqmathcompclassical and coqmathcompanalysis.

News of the Year:
In 2022 were added  the theory of simple functions, Lebesgue measure and Lebesgue integral,  Arzelà–Ascoli theorem,  support for subspace topology  part of the theory of continuity of real functions on a segment,  the theory of finitely supported sums and infinite sums of extended reals,  the theory of partial and total surjections, injections and bijections,  fast and adhoc automated positivity proofs,  splitting in two subpackages mathcompclassical and mathcompanalysis.
 URL:
 Publications:

Contact:
Cyril Cohen

Participants:
Cyril Cohen, Georges Gonthier, Marie Kerjean, Assia Mahboubi, Damien Rouhling, Pierre Roux, Laurence Rideau, PierreYves Strub, Reynald Affeldt, Laurent Théry, Yves Bertot, Zachary Stone

Partners:
Ecole Polytechnique, AIST Tsukuba, Onera
6.1.8 Hierarchy Builder

Keywords:
Coq, Metaprogramming

Scientific Description:
It is nowadays customary to organize libraries of machine checked proofs around hierarchies of algebraic structures. One influential example is the Mathematical Components library on top of which the long and intricate proof of the Odd Order Theorem could be fully formalized. Still, building algebraic hierarchies in a proof assistant such as Coq requires a lot of manual labor and often a deep expertise in the internals of the prover. Moreover, according to our experience, making a hierarchy evolve without causing breakage in client code is equally tricky: even a simple refactoring such as splitting a structure into two simpler ones is hard to get right. Hierarchy Builder is a high level language to build hierarchies of algebraic structures and to make these hierarchies evolve without breaking user code. The key concepts are the ones of factory, builder and abbreviation that let the hierarchy developer describe an actual interface for their library. Behind that interface the developer can provide appropriate code to ensure retro compatibility. We implement the Hierarchy Builder language in the hierarchybuilder addon for the Coq system using the Elpi extension language.

Functional Description:
Hierarchy Builder is a high level language for Coq to build hierarchies of algebraic structures and to make these hierarchies evolve without breaking user code. The key concepts are the ones of factory, builder and abbreviation that let the hierarchy developer describe an actual interface for their library. Behind that interface the developer can provide appropriate code to ensure retro compatibility.

Release Contributions:
Support for hierarchy of morphisms and bugfixes. Adding compatibility with Coq 8.16

News of the Year:
Support for structures on function spaces (eg morphisms). New HB.howto command to find missing instances on a key.
 URL:
 Publication:

Contact:
Enrico Tassi

Participants:
Enrico Tassi, Cyril Cohen

Partners:
University of Tsukuba, Onera
6.1.9 Abel  Ruffini

Name:
A proof of AbelRuffini theorem.

Keywords:
Number theory, Formalisation, Proof assistant

Functional Description:
A proof of Galois Theorem (equivalence between being solvable by radicals and having a solvable Galois group) and Abel  Ruffini Theorem (unsolvability of quintic equations) in the Coq proofassistant and using the Mathematical Components library.

Release Contributions:
This is a full proof Coq/mathcomp of Galois and AbelRuffini theorem about the unsolvability of the quintic. It is compatible with mathcomp version 1.12 to 1.15 and Coq from 8.10 to 8.16.
 URL:

Contact:
Cyril Cohen

Partner:
Ecole Polytechnique
6.1.10 Semantics

Keywords:
Semantic, Programming language, Coq

Functional Description:
A didactical Coq development to introduce various semantics styles. Shows how to derive an interpreter, a compiler, a verifier, or a program analyser from formal descriptions, and how to prove their consistency.
This is a library for the Coq system, where the description of a toy programming language is presented. The value of this library is that it can be reused in classrooms to teach programming language semantics or the Coq system. The topics covered include introductory notions to domain theory, pre and postconditions, abstract interpretation, compilation, and the proofs of consistency between all these points of view on the same programming language. Standalone tools for the object programming language can be derived from this development.

Release Contributions:
This version now contains an example of small compiler and a partial correctness proof (completeness).
 URL:

Contact:
Yves Bertot

Participants:
Christine Paulin, Yves Bertot
7 New results
7.1 A logic for expectation
Participants: Martin Avanzini [Focus], Gilles Barthe [MPISP, Germany, IMDEA, Spain], Benjamin Grégoire, Georg Moser [University of Innsbruck], Gabriele Vanoni [Focus].
We have developed a new logic for bounding the expectation of a function in a probabilistic program. This logic has been integrated in the tool Eassycrypt and used to bound the expected cost of two algorithms: randomized qselect (a variant of quick sort) and the skiplist datastructure.
7.2 Formal verification of Dilithium
Participants: Manuel Barbosa [University of Porto, INESC TEC, Portugal], Gilles Barthe [MPISP, Germany, IMDEA, Spain], Christian Doczkal [MPISP, Germany], Jelle Don [Centrum voor Wiskunde en Informatica, the Netherlands], Serge Fehr [Centrum voor Wiskunde en Informatica, Leiden University, the Netherlands], Benjamin Grégoire, Andreas Hülsing [Eindhoven University of Technology, the Netherlands], YuHsuan Huang [Centrum voor Wiskunde en Informatica, the Netherlands], Yi Lee [University of Maryland, USA], PierreYves Strub [Meta], Xiaodi Wu [University of Maryland, USA].
In 2016, NIST initiated a competition for standardizing cryptographic algorithms that could withstand quantum adversaries. The competition recently reached an important milestone with the selection of four standards: one KEM (Kyber) and three signature algorithms (Dilithium, Falcon, Sphincs+). Dilithium is a latticebased digital signature based on the FiatShamir with aborts (FSa) paradigm introduced by Lyubashevsky. We identified a subtle gap that appears in several ROM and QROM security proofs of Dilithium and other schemes based on FSa. Second, we provided fixed proofs, both for the ROM and the QROM. Third, we mechanized the ROM proof completely in the EasyCrypt proof assistant. This work is based on the logic for expectation presented in the previous section.7.3 Resistance to timing attacks and Spectre
Participants: Basavesh Ammanaghatta Shivakumar [MPISP, Germany], Gilles Barthe [MPISP, Germany, IMDEA, Spain], Benjamin Grégoire, Vincent Laporte, Tiago Oliveira [University of Porto, INESC TEC, Portugal], Swarn Priya, Peter Schwabe [MPISP, Germany and Radboud University, the Netherlands], Lucas TabaryMaujean [Ens Paris Saclay].
The current gold standard of cryptographic software is to write efficient libraries with systematic protections against timing attacks. In order to meet this goal, cryptographic engineers increasingly use highassurance cryptography tools. However, highassurance tools reason about overly simple execution models that elide transient execution leakage. Thus, implementations validated by highassurance cryptography tools remain potentially vulnerable to transient execution attacks such as Spectre or Meltdown. Moreover, proposed countermeasures are not used in practice due to performance overhead. We have proposed, analyzed, implemented and evaluated an approach for writing efficient cryptographic implementations that are protected against Spectre v1 attacks in Jasmin. Our approach ensures speculative constanttime. Speculative constanttime is enforced by means of a (valuedependent) information flow type system. We implemented our approach in the Jasmin framework for highassurance cryptography, and use it for protecting all implementations of an experimental cryptographic library named Libjade that includes highly optimized implementations of symmetric primitives, of ellipticcurve cryptography, and of Kyber, a latticebased KEM recently selected by NIST for standardization. The performance impact of our protections is very low; for example, less than 1% for Kyber and essentially zero for the curve X25519.7.4 Enforcing finegrained constanttime policies
Participants: Basavesh Ammanaghatta Shivakumar [MPISP, Germany], Gilles Barthe [MPISP, Germany, IMDEA, Spain], Benjamin Grégoire, Vincent Laporte, Swarn Priya.
Cryptographic constanttime (CT) is a popular programming discipline used by cryptographic libraries to protect themselves against timing attacks. The CT discipline aims to enforce that program execution does not leak secrets, where leakage is defined by a formal leakage model. Constanttimeness can be checked automatically by many tools. However, most sound tools are focused on a baseline (BL) leakage model where memory addresses and conditional branches leak but other basic operations do not leak. In other models, operation like division can leak the value of its arguments or only the cache line of a memory address can leak. We have developed a verification infrastructure, which proves that source programs are constanttime, and a compiler infrastructure, which provably preserves constanttimeness for these finegrained policies. By making these infrastructures parametric in the leakage model, we achieve the first approach that supports finegrained constanttime policies. We implemented the approach in the Jasmin tool, and we evaluated our approach with examples from the literature: OpenSSL and wolfSSL. We found a bug in OpenSSL and provided a formally verified fix. This work has been published in CCS 2022 8.7.5 Fast equality tests with coqelpi
Participants: Benjamin Grégoire, JeanChristophe Léchenet, Enrico Tassi.
We studied how to use coqelpi to implement fast equality tests for inductive datatypes in Coq. The complete work, including benchmarks to verify asymptotic behavior with respect to numbers of constructors, is ready for publication and will appear in 2023 11.7.6 Formal study of Doubleword arithmetic algorithms
Participants: Laurence Rideau, JeanMichel Muller [CNRS, ENS de Lyon], Joris Picot [ENS Lyon], Nicolas Louvet [ENS Lyon], Vincent lefèvre.
The article describing the work on the formalization of "basic building blocks of doubleword arithmetics" has been published in Transactions on Mathematical Software5.Our collaboration continues on the formalization of algorithms for Euclidean norms. This year we formalized the algorithm presented in the article in the case without overflow or underflow. This algorithm uses a result of Rump and Lange on iterated sums of floatingpoint numbers, which we also formalized. The article describing this work has just been published (Transactions on Mathematical Software)4.
7.7 Formal study of Fast Fourier Transforms
Participants: Laurence Rideau, Laurent Théry.
Currently, within the ANR project Nuscap, we have undertaken a work of formalization of the FFT.As a first milestone, we formalized the correctness proof of the classic algorithm that works on an arbitrary integral ring 13.
We also formalized algorithms for the multiplication of complex numbers, as well as the proofs of different algorithms of an article of Kahan concerning the efficient multiplication/sum of four floating point numbers "a*b+c*d". This is useful for the multiplication of complex numbers.
7.8 A generic library for injective, surjective, and bijective functions
Participants: Reynald Affeldt, Cyril Cohen.
In order to support function handling in the development of Lebesgue integral, we developed a library of injective/surjective/bijective functions from a subset to another, with automated inference of compositions, and overloading of the function inverse symbol and its theory.7.9 Simple automatic positivity
Participants: Cyril Cohen, Pierre Roux [ONERA].
We formalized a dedicated type for positive elements of a numeric domain (like the rationals, real numbers or complex numbers), but also for the positive extended reals. We designed it with enough generality so as to encompass positive, negative, nonpositive, nonnegative and nonzero elements, with fast automated inference of positivity in many cases. This makes it possible to discharge automatically many trivial proofs of positivity.7.10 Lebesgue measure and Lebesgue integral for Mathematical Components
Participants: Reynald Affeldt, Cyril Cohen.
After we provided a construction of the Lebesgue measure, we continued with Lebesgue integration. We proved the monotone convergence theorem, the dominated convergence theorem, and Fubini's theorem. This is part of MathComp analysis.7.11 Semantics of Probabilistic Programs using sFinite Kernels in Coq
Participants: Reynald Affeldt [AIST, Japan], Cyril Cohen, Ayumu Saito [Tokyo Institute of Technology, Japan].
We extend an existing formalization of measure and integration theory with sfinite kernels, a mathematical structure to interpret typing judgments in the semantics of a probabilistic programming language. The resulting library makes it possible to reason formally about transformations of probabilistic programs and their execution. This is published in a paper to appear in early 2023 7.7.12 A stratified variant of univalent parametricity
Participants: Cyril Cohen, Assia Mahboubi [Gallinette], Enzo Crance [Misubishi Electric, France].
In this ongoing work, we rephrase and restructure the results from "The Marriage of Univalence and Parametricity", in order to retain translations even without univalence.7.13 A new design pattern for the formalization of subsets in mathematics
Participant: Cyril Cohen.
We explore an alternative to the packaging of signatures and sets, based on a mixture of class based inference and structure based inference. The result of this experiment is available as teasing material for the LiberAbaci Inria challenge.7.14 Formalizing network sorting algorithms
Participants: Benjamin Grégoire, Laurent Théry.
We got interested in the djbsort library, a library for sorting numbers in a cryptographic context. As an initial step, we formalized the proof of the main network sorting algorithms : bitonic, oddeven merge, oddeven exchange 12.7.15 Toward a type class engine for Coq written in Elpi
Participants: Matteo Manighetti [University of Bologna], Claudio Sacerdoti Coen [University of Bologna], Enrico Tassi.
The mechanism of type classes is a typical addition to dependent type theory that makes the overloading of notations and the reuse of generic theorems elegant. In this work, we explore how such a system can be implemented using the ELPI language. With such a highlevel language description we hope to clarify the key points of the mechanism and ease its finetuning and improvements.Two prototypes have been developed: one for Coq and one for Lambdapi (the basis of Dedukti).
7.16 Hierarchy Builder
Participants: Cyril Cohen, Enzo Crance [Mitsubishi Electric], Enrico Tassi.
Hierarchy builder is still being improved, aiming for complete integration in released version of mathematical components and mathcompanalysis.7.17 Jasmin development
Participants: Benjamin Grégoire, Vincent Laporte, JeanChristophe Léchenet, Santiago Arranz Olmos [MPISP, Germany].
We added a new feature to the Jasmin compiler: clearing the stack when exiting functions. The proof of correctness for this feature is still ongoing work. We finished the work on generalizing the compiler so that it will be able to generate code for different architectures. We started implementing an ARM code producer, but it is not completely functional yet. Three releases of Jasmin were published in 2022.7.18 CryptoVerif to EasyCrypt
Participants: Bruno Blanchet, Pierre Boutry, Christian Doczkal, Benjamin Grégoire, PierreYves Strub [Meta].
We continue our study of approaches to combine two mechanized tools to verify protocols.
We developed a translation from CryptoVerif to EasyCrypt that allows cryptographic assumptions that cannot be proved in CryptoVerif to be translated to EasyCrypt and proved there. We used the translation to prove different hypotheses assumed in CryptoVerif:
 The reduction of the $N$ query formulation of the Computational/Gap DiffieHellman (CDH/GDH) games in CryptoVerif to the standard, singlequery formulation. The obtained bounds are better than what can be obtained by a direct hybrid argument.
 The reduction from the $N$ participant games (e.g. insider or outsider adversaries) for authenticated Key encapsulation mechanisms (KEM) to 1 or 2 participant games (almost done).
7.19 Models of nominal groups
Participant: Pierre Boutry.
For the formalization of the proof of the reduction linked to the Computational/Gap DiffieHellman (CDH/GDH) games we relied on a set of properties, denoted as nominal groups by Bruno Blanchet, common to primeorder groups, Curve25519 and Curve448. We worked on verifying that Curve25519 and Curve448 are actually models of nominal groups using Easycrypt as a proofchecker and we spotted two problems in the formalization of these properties as used in 7.18. The first one was a mistake on our part. The second one was a property that turned out to be too strong and was not holding for Curve25519 and Curve448. However, the proof from 7.18 did not need to be modified since the restrictions that we needed to add to fix these problems were already met.
In the process we found another needed correction. There are several definitions of the concept of statistical distance between distributions. The penandpaper proof was using them as if they were equivalent. Though they are indeed related, they are not equivalent. Beside allowing to fix three problems in the proof of these reductions, showing yet again the benefit of a complete formal proof, the formalization of properties of Curve25519 and Curve448 will make it possible to increase the level of confidence in some of the proofs in Libjade. These curves are commonly used in reference cryptographic algorithms but until now there was no Easycrypt proofs of their properties which then needed to be axiomatized. This work will be completed shortly after the completion of 7.20, making it easier to justify the minor remaining gaps.
7.20 Towards a library of field extensions
Participants: Pierre Boutry, Antoine Séré [École Polytechnique], PierreYves Strub [Meta].
As an effort to complete Easycrypt with proofs of properties that should be needed for future developments, we started working on a library of field extensions. Most of the remaining work is about adding missing lemmas about permutation and polynomial Euclidean division, the latter being the main focus locally. We are done with the properties of the division when the considered polynomials are defined over rings, while the case of fields still needs to be completed. We take inspiration from the development about polynomial Euclidean division done in the Mathcomp library for the choice of the statements of the lemmas. However, the definition of the operations differ. In the Mathcomp library, the operators that capture these definitions are defined recursively, while in Easycrypt recursion is not allowed. So we use iterators to do so. since the operations do not have the same definitions, the Mathcomp proof is mostly just a source of inspiration as one can obviously not prove that the same property holds for two distinct operations in a unique way. Some of the lemmas about polynomial Euclidean division will also be used to conclude the proof of 7.19.
7.21 Easycrypt library
Participants: Pierre Boutry, Benjamin Grégoire.
In the library there were two different definitions of cyclic groups that were not taking advantage of existing material. So we gave a third definition that supersedes the previous ones and modified the rest of the library to make sure the new one is used everywhere. This made it possible to detect maintenance issues with the library, especially with respect to continuous integration.
7.22 Collisions between Bezier Curves and straight line segments
Participants: Yves Bertot, Quentin Vermande [ENS Paris], Reynald Affeldt [AIST, Japan].
We are working on a formal description of Bezier Curves and the formal verification that curves of that kind do not collide with obstacles given by straight line segments.7.23 Document management for the Coq system
Participants: Enrico Tassi, Maxime Dénès.
We have been redesigning the communication protocol between Coq and its userinterface software to make it compliant with the LSP protocol used in Visual Studio Code. We are now exploring the use of eventbased programming for this integrated development environment.8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
Participants: Benjamin Grégoire, Swarn Priya, Yves Bertot.
The STAMP team participates with the Grace team (Inria Saclay) in the JASMIN contract funded in the framework of the InriaNomadic Labs collaboration for research related to the Tezos blockchain. This contract funds the PhD thesis of Swarn Priya.9 Partnerships and cooperations
9.1 International initiatives
9.1.1 Inria associate team not involved in an IIL or an international program
FLAVOR
Participants: Yves Bertot, Cyril Cohen, Laurence Rideau, Enrico Tassi, Laurent Théry.

Title:
Formal Library of Analysis for the Verification of Robots

Duration:
2020 >

Coordinator:
Reynald Affeldt (reynald.affeldt@aist.go.jp)

Partners:
 National Institute of Advanced Industrial Science and Technology Tokyo (Japon)

Inria contact:
Yves Bertot

Summary:
The objective is to apply formal methods based on Coq to software and designs that are concerned with robots. Covered topics concern mathematical formalization for real analysis, control theory, kinematic chains, and motion planning.
9.2 International research visitors
9.2.1 Visits of international scientists
Reynald Affeldt

Status:
researcher

Institution of origin:
AIST

Country:
Japan

Dates:
June 27July 8, 2022 and December 512, 2022

Context of the visit:
Equipe associée FLAVOR
Takafumi Saikawa

Status:
postdoctoral researcher

Institution of origin:
Nagoya University

Country:
Japan

Dates:
December 512, 2022

Context of the visit:
Equipe associée FLAVOR
Reynald Affeldt (AIST, Japan) visited the STAMP team from June 27 to July 8, to discuss the development of the Mathcompanalysis library and the project to verify algorithms computing trajectories.
Reynald Affeldt (AIST, Japan), Takafumi Saikawa (Nagoya University, Japan), and Kazuhiko Sakaguchi (University Tsukuba, Japan) visited the STAMP team from December 5 to December 12 to participate in the Mathematical Components winter school that was organized in Sophia Antipolis and discuss research projects around the formal verification of probability theory.
Ralf Hulsing

Status:
Professor

Institution of origin:
Eindhoven University

Country:
the Netherlands

Dates:
SeptemberDecember2022

Context of the visit:
no information
Ralf Hulsing from University Eindhoven visited the team from September to December to collaborate with Benjamin Grégoire on postquantum cryptography.
9.3 National initiatives
9.3.1 ANR
 TECAP "Analyse de protocoles, Unir les outils existants", starting on October 1st, 2017, for 60 months, with a grant of 89 kEuros. Other partners are Inria teams PESTO (Inria Nancy grandest), Ecole Polytechnique, ENS Cachan, IRISA Rennes, and CNRS. The corresponding researcher for this contract is Benjamin Grégoire.
 Scrypt "Compilation sécurisée de primitives cryptographiques" started on February 1st, 2019, for 48 months, with a grant of 100 kEuros. Other partners are Inria team Celtique (Inria Rennes Bretagne Atlantique), Ecole polytechnique, and AMOSSYS SAS. The corresponding researcher for this contract is Benjamin Grégoire.
 NuSCAP "Numerical Safety for ComputerAided Proofs", started on February 1st, 2021 for 48 months, with a grant covering traveling costs. Other partners are CNRSLIP, Sorbonne University LIP6, and CNRSLAAS. The corresponding researcher for this contract is Laurence Rideau.
9.3.2 FUI
The acronym FUI stands for “fonds unique interministériel” and is aimed at research and development projects in preindustrial phase. The STAMP team is part of one such project.
 VERISICC (formal verification for masking techniques for security against sidechannel attacks). This contract concerns 5 partners: Cryptoexperts, a company from the Paris region (Île de France), ANSSI (Agence Nationale de Sécurité des Systèmes d'Information), Oberthur Technologies, University of Luxembourg, and STAMP. A sixth partner (Ninjalabs) acts as a subcontractant. The financial grant for STAMP is 391 kEuros, including 111kEuros that are reserved for the subcontractant. This project started in October 2018 for a duration of 4 years. The corresponding researcher for this contract is Benjamin Grégoire.
9.3.3 PEPR
 SVP PEPR Cybersecurity. We participate in a project concerned with the verification of security protocols. Partners in this project are CNRS IRISA Rennes (coordinator Stéphanie Delaune), Inria, University of ParisSaclay, University of Lorraine, University of Côte d'Azur, ENS Rennes. The funds allocated to our team in this collaboration are 333 kEuros. The corresponding researcher for this contract is Benjamin Grégoire.
9.3.4 Inria Challenges
 Liber Abaci. Yves Bertot coordinated the creation of Inria challenge Liber Abaci on the use of a Typetheory based proof assistant to improve mathematics education for the first years of higher education (undergraduate mathematics).
10 Dissemination
Participants: Yves Bertot, Pierre Boutry, Cyril Cohen, Benjamin Grégoire, Laurence Rideau, Enrico Tassi, Laurent Théry.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
Participants: Cyril Cohen, Enrico Tassi.
Member of the organizing committees
Enrico Tassi organized a winter school on formalization using the Mathematical Components Library from December 5 to December 9, 2022. Yves Bertot, Cyril Cohen, Laurence Rideau, and Laurent Théry were also speakers at this school.
Assia Mahboubi and Enrico Tassi organized a workshop on the Mathematical Components Library on December 7.
Cyril Cohen was workshop chair for the conference ITP 2022 (Interactive Theorem Proving).
10.1.2 Scientific events: selection
Participants: Yves Bertot, cyril Cohen, Enrico Tassi, Laurent Théry.
Member of the conference program committees
Enrico Tassi was a member of the program committee for the workshop FIDE (Formal Integrated Development Environment).
Reviewer
Yves Bertot and Cyril Cohen reviewed papers for ITP 2022 (Interactive Theorem Provers). CSL (Computer Science Logic) CICM (Conference on intelligent computer mathematics), CoqPL (Coq for programming Languages).
10.1.3 Journal
Participants: Yves Bertot, Pierre Boutry, Cyril Cohen, Laurent Théry.
Reviewer  reviewing activities
Yves Bertot, Cyril Cohen, Pierre Boutry, and Laurent Théry reviewed articles for JAR (Journal of Automated Reasoning), MSCS (Mathematical Structures in Computer Science), and LMCS (Logical Methods in Computer Science).
10.1.4 Invited talks
Benjamin Grégoire gave an invited talk on EasyCrypt at "Journées Codage & Cryptographie" in April 2022.
10.1.5 Leadership within the scientific community
Yves Bertot is a member of the steering committee for the conference "Interactive Theorem Provers" (ITP).
10.1.6 Research administration
Yves Bertot is coordinator of the Inria Challenge "Liber Abaci" on formal proofs for first years of higher mathematical higher education.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Master : Yves Bertot, “Proofs and reliable programming using Coq”, 12hours ETD, NovDec 2022, Master Informatique et Interactions, Université Côte d'Azur, France.
 Benjamin Grégoire was a speaker at the Summer School on Cybersecurity in Nancy, July 48, 2022
10.2.2 Supervision
Yves Bertot and Benjamin Grégoire supervise the thesis of Swarn Priya (Université Côte d'Azur).
Cyril Cohen spervised the thesis of Chris Hughes until September 2022.
10.2.3 Juries
Yves Bertot was member of the Jury for the thesis of Lucien Rakotomalala (Université de Toulouse).
10.3 Popularization
10.3.1 Internal or external Inria responsibilities
Laurence Rideau is a member of the editorial board of Interstices, the Inria medium for outreach.
10.3.2 Interventions
Yves Bertot and Maxime Dénès gave outreach talks at the OSXP conference (OpenSource Experience) in Paris in November 2022.
11 Scientific production
11.1 Major publications
 1 inproceedingsCompeting inheritance paths in dependent type theory: a case study in functional analysis.IJCAR 2020  International Joint Conference on Automated ReasoningParis, FranceJune 2020, 119
 2 articleFormalization Techniques for Asymptotic Reasoning in Classical Analysis.Journal of Formalized ReasoningOctober 2018
 3 inproceedingsJasmin: HighAssurance and HighSpeed Cryptography.CCS 2017  Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications SecurityDallas, United StatesOctober 2017, 117
11.2 Publications of the year
International journals
 4 articleAccurate calculation of Euclidean Norms using Doubleword arithmetic.ACM Transactions on Mathematical SoftwareOctober 2022
 5 articleFormalization of doubleword arithmetic, and comments on "Tight and rigorous error bounds for basic building blocks of doubleword arithmetic".ACM Transactions on Mathematical Software481March 2022, 124
National journals
 6 articleICU Bed Availability Monitoring and analysis in the Grand Est region of France during the COVID19 epidemic.Statistique et SociétéMarch 2022
International peerreviewed conferences
 7 inproceedingsSemantics of Probabilistic Programs using sFinite Kernels in Coq.CPP 2023  Certified Programs and ProofsBoston, United StatesJanuary 2023
 8 inproceedingsEnforcing Finegrained Constanttime Policies.CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications SecurityProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS ’22)Los Angeles CA, United StatesACMNovember 2022, 8396
 9 inproceedingsSemantic foundations for cost analysis of pipelineoptimized programs.Static Analysis  29th International SymposiumStatic Analysis  29th International Symposium, {SAS} 2022, Auckland, New Zealand, December 57, 2022, ProceedingsAuckland, New ZealandDecember 2022
Conferences without proceedings
 10 inproceedingsReliably Reproducing MachineChecked Proofs with the Coq Platform.RRRR 2022  Workshop on Reproducibility and Replication of Research ResultsMunich, GermanyApril 2022
Reports & preprints
 11 miscPractical and sound equality tests, automaticallyDeriving eqType instances for Jasmin's data types with CoqElpi.October 2022
 12 miscA Formalisation of Algorithms for Sorting Network.March 2022
 13 miscA Formalisation of a Fast Fourier Transform.October 2022
 14 miscPrimality Tests and Prime Certificate.March 2022