2023 Activity report - Project-Team STAMP
RNSR: 201923413W
Research center: Inria Centre at Université Côte d'Azur
Team name: Safety Techniques based on Formalized Mathematical Proofs
Domain: Algorithmics, Programming, Software and Architecture
Theme: Proofs and Verification
Keywords
Computer Science and Digital Science
 A2.1.11. Proof languages
 A2.4.3. Proofs
 A4.5. Formal methods for security
 A7.2. Logic in Computer Science
 A7.2.3. Interactive Theorem Proving
 A7.2.4. Mechanized Formalization of Mathematics
 A8.3. Geometry, Topology
 A8.4. Computer Algebra
 A8.10. Computer arithmetic
Other Research Topics and Application Domains
 B6.1. Software industry
 B9.5.1. Computer science
 B9.5.2. Mathematics
1 Team members, visitors, external collaborators
Research Scientists
 Yves Bertot [Team leader, INRIA, Senior Researcher, HDR]
 Cyril Cohen [INRIA, Researcher]
 Benjamin Grégoire [INRIA, Researcher, until Jun 2023]
 Laurence Rideau [INRIA, Researcher]
 Enrico Tassi [INRIA, Researcher]
 Laurent Théry [INRIA, Researcher]
Post-Doctoral Fellows
 Pierre Boutry [INRIA, until Aug 2023]
 Jean-Christophe Léchenet [INRIA, until Sep 2023]
 Paolo Torrini [INRIA, Post-Doctoral Fellow, from Jun 2023]
PhD Students
 Davide Fissore [UNIV COTE D'AZUR, from Oct 2023]
 Swarn Priya [UNIV COTE D'AZUR, until Jan 2023]
 Quentin Vermande [UNIV COTE D'AZUR, from Oct 2023]
Technical Staff
 Maxime Dénès [INRIA, Engineer, until Aug 2023]
 Thomas Portet [INRIA, Engineer, from Feb 2023]
 Romain Tetley [INRIA, Engineer, from Oct 2023]
Administrative Assistant
 Christine Foggia [INRIA, from Mar 2023]
2 Overall objectives
Computers and programs running on these computers are powerful tools for many domains of human activities. In some of these domains, program errors can have enormous consequences. It will become crucial for all stakeholders that the best techniques are used when designing these programs.
We advocate using higher-order logic proof assistants as tools to obtain better quality programs and designs. These tools make it possible to build designs where all decisive arguments are explicit, ambiguity is alleviated, and logical steps can be verified precisely. In practice, we are intensive users of the Coq system and we participate actively in the development of this tool, in collaboration with other teams at Inria, and we also take an active part in promoting its usage by academic and industrial users around the world.
Many domains of modern computer science and engineering make heavy use of mathematics. If we wish to use proof assistants to avoid errors in designs, we need to develop corpora of formally verified mathematics that are adapted to these domains. Developing libraries of formally verified mathematics is the main motivation for our research. In these libraries, we wish to capture not only the knowledge that is usually recorded in definitions and theorems, but also the practical knowledge that is recorded in mathematical practice, idioms, and work habits. Thus, we are interested in logical facts, algorithms, and notation habits. Also, the very process of developing an ambitious library is a matter of organization, with design decisions that need to be evaluated and improved. Refactoring of libraries is also an important topic. Among all higher-order logic based proof assistants, we contend that those based on Type Theory are the best suited for this work on libraries, thanks to their strong capabilities for abstraction and modular reuse.
The interface between mathematics, computer science and engineering is large. To focus our activities, we will concentrate on applications of proof assistants to two main domains: cryptography and robotics. We also develop specific tools for proofs in cryptography, mainly around a proof tool named EasyCrypt.
3 Research program
3.1 Theoretical background
The proof assistants that we consider provide both a programming language, where users can describe algorithms performing tasks in their domain of interest, and a logical language to reason about the programs, thus making it possible to ensure that the algorithms do solve the problems for which they were designed. Trustability is gained because algorithms and logical statements provide multiple views of the same topic, thus making it possible to detect errors coming from a mismatch between expected and established properties. The verification process is itself a logical process, where the computer can bring rigor in aligning expectations and guarantees.
The foundations of proof assistants rest on the very foundations of mathematics. As a consequence, all aspects of reasoning must be made completely explicit in the process of formally verifying an algorithm. All aspects of the formal verification of an algorithm are expressed in a discourse whose consistency is verified by the computer, so that unclear or intuitive arguments need to be replaced by precise logical inferences.
One of the foundational features on which we rely extensively is Type Theory. In this approach a very simple programming language is equipped with a powerful discipline to check the consistency of usage: types represent sets of data with similar behavior, functions represent algorithms mapping types to other types, and the consistency can be verified by a simple computer program, a type-checker. Although they can be verified by a simple program, types can express arbitrarily complex objects or properties, so that the verification work lives in an interesting realm, where verifying proofs is decidable, but finding the proofs is undecidable.
This process for producing new algorithms and theorems is a novelty in the development of mathematical knowledge or algorithms, and new working methods must be devised for it to become a productive approach to high quality software development. Questions that arise are numerous. How do we avoid requiring human assistance to work on mundane aspects of proofs? How do we take advantage of all the progress made in automatic theorem proving? How do we organize the maintenance of ambitious corpora of formally verified knowledge in the long term?
To acquire hands-on expertise, we concentrate our activity on three aspects. The first one is foundational: we develop and maintain a library of mathematical facts that covers many aspects of algebra and analysis. In the past, we applied this library to proofs in group theory, but it is increasingly used for many different areas of mathematics and by other teams around the world, from combinatorics to elliptic-curve cryptography, for instance. The second aspect is applicative: we develop a specific tool for proofs in cryptography, where we need to reason on the probability that opponents manage to access information we wish to protect. For this activity, we develop a specific proof system, relying on a wider set of automatic tools, with the objective of finding the tools that are well adapted to this domain and of attracting users that are initially specialists in cryptography but not in formal verification. The third domain is robotics, as we believe that the current trend towards more and more autonomous robots and vehicles will raise questions of safety and trustability where formal verification can bring significant added value.
4 Application domains
4.1 Mathematical Components
The Mathematical Components library is the main by-product of an effort started almost two decades ago to provide a formally verified proof of a major theorem in group theory. Because this theorem had a proof published in books of several hundred pages, with elements coming from character theory, others from algebra, and some from real analysis, it was an exercise in building a large library, with results in many domains, and in establishing clear guidelines for further growth and for searching its contents.
This library has proved to be a useful repository of mathematical facts for a wide area of applications, so that it has a growing community of users in many countries (Denmark, France, Germany, Japan, Singapore, Spain, Sweden, UK, USA) and for a wide variety of topics (transcendental number theory, elliptic curve cryptography, articulated robot kinematics, and recently blockchain foundations).
Interesting questions on this library concern the importance of decidability and proof irrelevance, the way to structure knowledge so as to automatically inherit theorems from one topic to another, and the way to generate the infrastructure that makes this automation efficient and predictable. In particular, we want to concentrate on adding a new mathematical topic to this library: real analysis and then complex analysis (Mathematical Components Analysis).
On the automation front, we are convinced that a higher-level language is required to describe similarities between theories, to generate theorems that are immediate consequences of structures, etc., and for this reason we invest in the development of a new language on top of the proof assistant (ELPI, Embeddable Lambda Prolog Interpreter).
4.2 Proofs in cryptography
When we work on cryptography, we are interested in the formal verification of proofs showing that some cryptographic primitives provide good guarantees against unwanted access to information. Over the years we have developed a technique for this kind of reasoning that relies on a programming logic (close to Hoare logic) with probabilistic aspects and the capability to establish relations between several implementations of a problem. The resulting programming logic is called probabilistic relational Hoare logic. We also study questions of side-channel attacks, where we wish to guarantee that opponents cannot gain access to protected knowledge even if they observe specific features of the execution, such as execution time (to which the answer lies in constant-time execution) or partial access to memory bits (to which the answer lies in masking).
For this domain of application, we choose to work with a specific proof tool (EasyCrypt), which combines powerful first-order reasoning and the use of automatic tools with specific support for probabilistic relational Hoare logic. The development of the EasyCrypt proof tool is one of the objectives of our team.
When it comes to formal proofs of resistance to side-channel attacks, we contend that it is necessary to verify formally that the compiler used to produce the code that actually runs respects the resistance properties that were established in formally verified proofs. One of our objectives is to develop such a compiler (Jasmin) and to show its strength on a variety of applications.
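As an added illustration of what "constant-time execution" means at the level of code (this is example code written for this page, not EasyCrypt or Jasmin code from the project), the C below puts a tag comparison that leaks through its running time next to a constant-time replacement. The sample tag and guesses are constructed for the example, and leaky_steps is our own instrumentation that counts what an attacker would otherwise have to measure with a clock.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs: a secret 4-byte tag and three guesses an
   attacker might submit. */
const uint8_t sample_secret[4]      = {0x1a, 0x2b, 0x3c, 0x4d};
const uint8_t sample_guess_first[4] = {0x00, 0x2b, 0x3c, 0x4d}; /* wrong at byte 0 */
const uint8_t sample_guess_third[4] = {0x1a, 0x2b, 0x00, 0x4d}; /* wrong at byte 2 */
const uint8_t sample_guess_right[4] = {0x1a, 0x2b, 0x3c, 0x4d}; /* correct */

/* Early-exit comparison, the shape of a naive memcmp: the loop stops at the
   first differing byte, so the running time reveals how many leading bytes
   of the guess were right. An attacker measuring that time recovers the tag
   one byte at a time. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* The quantity the attacker observes: how many bytes tag_equal_leaky
   inspects before returning. It is a function of the secret. */
size_t leaky_steps(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i = 0;
    while (i < n && a[i] == b[i])
        i++;
    return i < n ? i + 1 : n;
}

/* Constant-time comparison: every byte is read, and neither a branch nor a
   memory address depends on secret data. Differences are OR-accumulated and
   the boolean result is derived arithmetically from the accumulator. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* acc == 0 iff all bytes matched; (acc - 1) borrows into bit 8 only then. */
    return (int)((((unsigned)acc - 1u) >> 8) & 1u);
}

int main(void)
{
    printf("leaky: wrong first byte -> %zu steps, wrong third byte -> %zu steps, correct -> %zu steps\n",
           leaky_steps(sample_secret, sample_guess_first, 4),
           leaky_steps(sample_secret, sample_guess_third, 4),
           leaky_steps(sample_secret, sample_guess_right, 4));
    printf("constant-time results: %d %d %d\n",
           tag_equal_ct(sample_secret, sample_guess_first, 4),
           tag_equal_ct(sample_secret, sample_guess_third, 4),
           tag_equal_ct(sample_secret, sample_guess_right, 4));
    return 0;
}
```

The two functions agree on every input; the difference is that the number of steps of tag_equal_leaky depends on where the first mismatch is, while tag_equal_ct always performs n iterations with the same memory accesses. Note that this is a property of the C source only: an optimizing compiler may reintroduce a secret-dependent branch, which is exactly why the paragraph above insists on a compiler that is verified to preserve the property.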
The pair of tools EasyCrypt and Jasmin has also proved its worth in the formal verification of correctness for post-quantum cryptography.
4.3 Proofs for robotics
Robots are man-made artifacts where numerous design decisions can be argued based on logical or mathematical principles. For this reason, we wish to use this domain of application as a focus for our investigations. The questions for which we are close to providing answers involve precision issues in numeric computation, obstacle avoidance and motion planning (including questions of graph theory), articulated limb kinematics and dynamics, and balance and active control.
From the mathematical perspective, these topics require that we improve our library to cover real algebraic geometry, computational geometry, real analysis, graph theory, and refinement relations between abstract algorithms and executable programs.
In the long run, we hope to exhibit robots where pieces of software and part of the design have been subject to formal verification.
5 Highlights of the year
5.1 Awards
 Swarn Priya has been one of the winners of the L'Oréal-UNESCO 2023 Young Talents "Pour les femmes et la science" prize. She defended her PhD [18] in November.
 The paper "Typing High-Speed Cryptography against Spectre v1" [10] received a Distinguished Paper Award at the IEEE Symposium on Security and Privacy.
6 New software, platforms, open data
6.1 New software
6.1.1 Coq

Name:
The Coq Proof Assistant

Keywords:
Proof, Certification, Formalisation

Scientific Description:
Coq is an interactive proof assistant based on the Calculus of (Co)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and coinductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows one to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests, on which are built a set of higher-level layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top, an integrated development environment (IDE).

Functional Description:
Coq provides both a dependently-typed functional programming language and a logical formalism, which, together, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semi-automatic proof methods. Coq programs can be extracted to OCaml, Haskell, Scheme, ...

Release Contributions:
An overview of the new features and changes, along with the full list of contributors, is available at https://coq.inria.fr/refman/changes.html#version-8-18 .

News of the Year:
Coq version 8.18 integrates changes to several parts of the system: kernel, specification language, type inference, notations, tactics, Ltac2 language, commands and options, command-line tools, CoqIDE, standard library, infrastructure and dependencies, extraction. See https://coq.inria.fr/refman/changes.html#version-8-18 for an overview of the new features and changes, along with the full list of contributors.

Contact:
Matthieu Sozeau

Participants:
Yves Bertot, Frédéric Besson, Tej Chajed, Cyril Cohen, Pierre Corbineau, Pierre Courtieu, Maxime Dénès, Jim Fehrle, Julien Forest, Emilio Jesús Gallego Arias, Gaëtan Gilbert, Georges Gonthier, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Vincent Laporte, Olivier Laurent, Assia Mahboubi, Kenji Maillard, Érik Martin-Dorel, Guillaume Melquiond, Pierre-Marie Pédrot, Clément Pit-Claudel, Kazuhiko Sakaguchi, Vincent Semeria, Michael Soegtrop, Arnaud Spiwack, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Anton Trunov, Li-Yao Xia, Théo Zimmermann

Partners:
CNRS, Université Paris-Sud, ENS Lyon, Université Paris-Diderot
6.1.2 coq-elpi

Keywords:
Metaprogramming, Extension

Scientific Description:
coq-elpi provides a Coq plugin that embeds ELPI. It also provides a way to embed Coq terms into lambda-Prolog using the Higher-Order Abstract Syntax (HOAS) approach, and a way to read terms back. In addition, it exports to ELPI a set of Coq primitives, e.g. printing a message, accessing the environment of theorems and data types, defining a new constant, and so on. For convenience it also provides a quotation and anti-quotation for Coq's syntax in lambda-Prolog: e.g. {{nat}} is expanded to the type name of natural numbers, and {{A -> B}} to the representation of a product obtained by unfolding the -> notation. Finally, it provides a way to define new vernacular commands and new tactics.

Functional Description:
Coq plugin embedding ELPI

Release Contributions:
 parsing/execution separation

News of the Year:
 Separation of parsing/execution for modern UIs.
 Application of type-checking to solve type class instances using an ELPI program.
 Application of coercion to insert explicit type casts using an ELPI program.

Contact:
Enrico Tassi

Participants:
Enrico Tassi, Davide Fissore
6.1.3 ELPI

Name:
Embeddable Lambda Prolog Interpreter

Keywords:
Constraint Programming, Programming language, Higher-order logic

Scientific Description:
The programming language has the following features
 Native support for variable binding and substitution, via a Higher Order Abstract Syntax (HOAS) embedding of the object language. The programmer does not need to care about technical devices to handle bound variables, like De Bruijn indices.
 Native support for hypothetical context. When moving under a binder one can attach to the bound variable extra information that is collected when the variable gets out of scope. For example, when writing a type-checker the programmer need not care about managing the typing context.
 Native support for higher-order unification variables, again via HOAS. Unification variables of the meta-language (lambda-Prolog) can be reused to represent the unification variables of the object language. The programmer does not need to care about the unification-variable assignment map and cannot assign to a unification variable a term containing variables out of scope, or build a circular assignment.
 Native support for syntactic constraints and their meta-level handling rules. The generative semantics of Prolog can be disabled by turning a goal into a syntactic constraint (suspended goal). A syntactic constraint is resumed as soon as relevant variables get assigned. Syntactic constraints can be manipulated by constraint handling rules (CHR).
 Native support for backtracking, to ease the implementation of search.
 The constraint store is extensible. The host application can declare non-syntactic constraints and use custom constraint solvers to check their consistency.
 Clauses are graftable. The user is free to extend an existing program by inserting/removing clauses, both at runtime (using implication) and at "compilation" time by accumulating files.
Most of these features come with lambda-Prolog. Constraints and propagation rules are novel in ELPI.

Functional Description:
ELPI implements a variant of lambda-Prolog enriched with Constraint Handling Rules, a programming language well suited to manipulating syntax trees with binders and unification variables.
ELPI is a research project aimed at providing a programming platform for the so-called elaborator component of an interactive theorem prover.
ELPI is designed to be embedded into larger applications written in OCaml as an extension language. It comes with an API to drive the interpreter and with an FFI for defining builtin predicates and data types, as well as quotations and similar goodies that come in handy to adapt the language to the host application.

Release Contributions:
 Faster separate compilation/linking

News of the Year:
 Time complexity improvement of separate compilation/linking of program units, which is now pseudo-linear.
 The runtime was made reentrant, allowing multiple Elpi instances to live in the same process.
 New deep-indexing data structure based on discrimination trees.

Contact:
Enrico Tassi

Participants:
Enrico Tassi, Claudio Sacerdoti Coen
6.1.4 Easycrypt

Keywords:
Proof assistant, Cryptography

Functional Description:
EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of game-based cryptographic proofs. EasyCrypt can also be used for reasoning about differential privacy.

Release Contributions:
This version introduces a new logic (ehoare) that allows bounding the expectation of a function in a probabilistic program.

News of the Year:
The major release (2023.09) has been published. This release includes a new logic for bounding the expectation of a function in a probabilistic program.

Contact:
Gilles Barthe

Participants:
Benjamin Grégoire, Gilles Barthe, Pierre-Yves Strub, Adrien Koutsos
6.1.5 Hierarchy Builder

Keywords:
Coq, Metaprogramming

Scientific Description:
It is nowadays customary to organize libraries of machine-checked proofs around hierarchies of algebraic structures. One influential example is the Mathematical Components library, on top of which the long and intricate proof of the Odd Order Theorem could be fully formalized. Still, building algebraic hierarchies in a proof assistant such as Coq requires a lot of manual labor and often a deep expertise in the internals of the prover. Moreover, in our experience, making a hierarchy evolve without causing breakage in client code is equally tricky: even a simple refactoring such as splitting a structure into two simpler ones is hard to get right. Hierarchy Builder is a high-level language to build hierarchies of algebraic structures and to make these hierarchies evolve without breaking user code. The key concepts are those of factory, builder and abbreviation, which let the hierarchy developer describe an actual interface for their library. Behind that interface the developer can provide appropriate code to ensure backward compatibility. We implement the Hierarchy Builder language in the hierarchy-builder add-on for the Coq system using the Elpi extension language.

Functional Description:
Hierarchy Builder is a high-level language for Coq to build hierarchies of algebraic structures and to make these hierarchies evolve without breaking user code. The key concepts are those of factory, builder and abbreviation, which let the hierarchy developer describe an actual interface for their library. Behind that interface the developer can provide appropriate code to ensure backward compatibility.

Release Contributions:
Support for hierarchies of morphisms and bug fixes. Added compatibility with Coq 8.16.

News of the Year:
 Major performance improvements in handling large hierarchies (e.g. MathComp 2.0)

Contact:
Enrico Tassi

Participants:
Enrico Tassi, Cyril Cohen

Partners:
University of Tsukuba, Onera
6.1.6 Jasmin

Name:
Jasmin compiler and analyser

Keywords:
Cryptography, Static analysis, Compilers

Functional Description:
The Jasmin programming language smoothly combines highlevel and lowlevel constructs, so as to support “assembly in the head” programming. Programmers can control many lowlevel details that are performancecritical: instruction selection and scheduling, what registers to spill and when, etc. The language also features highlevel abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of highlevel abstractions incurs no runtime penalty.
The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machinechecked by the Coq proof assistant). This ensures that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…
Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against sidechannel attacks (constanttime).

Release Contributions:
2023.06.0 is a major release of Jasmin. It contains a few noteworthy changes:
 local functions now use call and ret instructions,
 experimental support for the ARMv7 (i.e., Cortex-M4) architecture,
 a few aspects of the safety checker can be finely controlled through annotations or command-line flags,
 shift and rotation operators have a simpler semantics.
As usual, it also brings in various fixes and improvements, such as bit rotation operators and automatic slicing of the input program.

News of the Year:
In June 2023, a major release (2023.06.0) was published.

Contact:
Jean-Christophe Léchenet

Participants:
Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, Jean-Christophe Léchenet, Swarn Priya, Santiago Arranz Olmos

Partners:
The IMDEA Software Institute, Ecole Polytechnique, Universidade do Minho, Universidade do Porto, Max Planck Institute for Security and Privacy
6.1.7 Trocq

Keywords:
Proof synthesis, Proof transfer, Coq, Elpi, Logic programming, Parametricity, Univalence

Functional Description:
Trocq is a prototype of a modular parametricity plugin for Coq, aiming to perform proof transfer by translating the goal into an associated goal featuring the target data structures as well as a rich parametricity witness from which a function justifying the goal substitution can be extracted.
The plugin features a hierarchy of parametricity witness types, ranging from structureless relations to a new formulation of type equivalence, gathering several pre-existing parametricity translations, including univalent parametricity and CoqEAL, in the same framework.
This modular translation performs a fine-grained analysis and generates witnesses that are rich enough to preprocess the goal yet are not always a full-blown type equivalence, which makes it possible to perform proof transfer with the power of univalent parametricity while not pulling in the univalence axiom in cases where it is not required.
The translation is implemented in Coq-Elpi and features transparent and readable code with respect to a sequent-style theoretical presentation.

News of the Year:
We released the first version of Trocq, for demo purposes and to support the claims made in the associated paper. Trocq is able to translate non-trivial goals between isomorphic or partially isomorphic representations.

Contact:
Cyril Cohen

Participants:
Cyril Cohen, Enzo Crance, Assia Mahboubi

Partner:
Mitsubishi Electric R&D Centre Europe, France
6.1.8 VsCoq

Name:
VsCoq

Keywords:
Coq, User Interfaces

Functional Description:
VsCoq is an extension for Visual Studio Code (VS Code) and VSCodium which provides support for the Coq Proof Assistant.
VsCoq is distributed in two flavours:
 VsCoq Legacy (required for Coq < 8.18, compatible with Coq >= 8.7) is based on the original VsCoq implementation by C.J. Bell. It uses the legacy XML protocol spoken by CoqIDE.
 VsCoq (recommended for Coq >= 8.18) is a full reimplementation around a language server which natively speaks the LSP protocol.

Release Contributions:
We have mainly been working on stability and bug fixes, in this release you’ll find :
 Some improvements to performance on large files.
 Fixing document state invalidation bugs.
 Goal view improvements.

News of the Year:
The first version (2.0.1) of VsCoq based on the LSP protocol was released in September 2023.

Contact:
Laurent Théry
7 New results
7.1 Formal proof of postquantum cryptographic primitive
Participants: José Bacelar Almeida [INESC TEC], Manuel Barbosa [University of Porto & INESC TEC], Gilles Barthe [MPI-SP & IMDEA], Christian Doczkal [MPI-SP], Jelle Don [Centrum Wiskunde & Informatica], François Dupressoir [University of Bristol], Serge Fehr [Leiden University], Benjamin Grégoire, Yu-Hsuan Huang [Leiden University], Andreas Hülsing [Eindhoven University], Vincent Laporte [Pesto], Yi Lee [MPI-SP], Jean-Christophe Léchenet, Matthias Meijers [Eindhoven University], Tiago Oliveira [MPI-SP], Hugo Pacheco, Miguel Quaresma [MPI-SP], Peter Schwabe [MPI-SP & Radboud University], Antoine Séré [LIX], Pierre-Yves Strub [PQShield], Xiaodi Wu [University of Maryland].
In July 2022, NIST announced the first batch of "winners" of the post-quantum project, i.e., schemes that will be forwarded to standardization [25]. This first batch contained three signature schemes (CRYSTALS-Dilithium [28, 32], Falcon [33], and ${\mathrm{SPHINCS}}^{+}$ [26, 29]), and only one key-encapsulation mechanism (KEM): the lattice-based scheme CRYSTALS-Kyber [27, 30].
We have started the formal verification of three of those primitives (CRYSTALS-Dilithium, ${\mathrm{SPHINCS}}^{+}$, and CRYSTALS-Kyber), following different directions.
For Kyber, we give a (readable) formal specification in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We also provide high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. To make this possible it was necessary to extend the Jasmin language. This work has been published in [11].
For CRYSTALS-Dilithium and ${\mathrm{SPHINCS}}^{+}$, instead of proving the functional correctness of an implementation we have started to prove the semantic security of the schemes, i.e., the correctness of the specification. The work on ${\mathrm{SPHINCS}}^{+}$ has been published in [17]. The work on CRYSTALS-Dilithium has been published in [12]. To accomplish this work we have extended EasyCrypt with a new logic that allows one to bound the expectation of a function in a probabilistic program.
7.2 CryptoVerif to EasyCrypt
Participants: Bruno Blanchet [Prosecco], Pierre Boutry, Christian Doczkal [MPI-SP], Benjamin Grégoire, Pierre-Yves Strub [PQShield].
We continue our study of approaches to combine two mechanized tools to verify protocols. We developed a translation from CryptoVerif to EasyCrypt that allows cryptographic assumptions that cannot be proved in CryptoVerif to be translated to EasyCrypt and proved there. We used the translation to prove different hypotheses assumed in CryptoVerif:
 The reduction of the N-query formulation of the Computational/Gap Diffie-Hellman (CDH/GDH) games in CryptoVerif to the standard, single-query formulation. The obtained bounds are better than what can be obtained by a direct hybrid argument.
 The reduction from the N-participant games (e.g. insider or outsider adversaries) for authenticated key encapsulation mechanisms (KEM) to 1- or 2-participant games.
We completed the translation to cover a wider range of the language that CryptoVerif uses for specifying assumptions on cryptographic primitives. This work [22] has been accepted for publication at CSF 2024.
7.3 Extending the Jasmin compiler
Participants: Basavesh Ammanaghatta Shivakumar [MPI-SP], Santiago Arranz Olmos [MPI-SP], Gilles Barthe [MPI-SP & IMDEA], Benjamin Grégoire, Vincent Laporte [Pesto], Jean-Christophe Léchenet, Tiago Oliveira [MPI-SP], Swarn Priya, Peter Schwabe [MPI-SP & Radboud University], Lucas Tabary-Maujean [ENS Paris-Saclay].
We have extended Jasmin with a new backend for ARMv7. The main difficulty was to generalize the compiler so that it is independent of the architecture (pointer size, calling convention, instruction set, and so on). Before that, the only backend was for x86-64 with the AVX2 extension. This generalization is an important step, because it will make it easy to add other backends; in particular, we plan to add RISC-V.
The language has been extended with new features for security.
 The compiler can introduce code that zeroizes the stack at the end of export functions. Three strategies are currently supported: `unrolled` (the code is a sequence of writes as long as needed), `loop` (the code is a loop) and `loopSCT` (same as `loop` but with an `LFENCE` at the end to defend against Spectre attacks).
 Protection against Spectre attacks: we have proposed, analyzed, implemented and evaluated an approach for writing efficient cryptographic implementations in Jasmin that are protected against Spectre v1 attacks. Our approach ensures speculative constant-time. Speculative constant-time is enforced by means of a (value-dependent) information flow type system and the use of primitives that implement speculative load hardening. This work has been published in [10].
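As an added illustration of the speculative load hardening discipline mentioned in the previous item (this is example C written for this page, not Jasmin code and not Jasmin syntax), the block below puts the classic Spectre v1 bounds-check gadget next to a version that tracks a misspeculation flag. The helper names msf_init, msf_update and msf_protect, and the sample table, are our own assumptions for the illustration; they play the roles of initialising the flag, updating it from a branch condition and masking a value with it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table; whatever lies in memory after it is what a
   Spectre v1 gadget would leak. */
const uint8_t sample_table[4] = {10, 20, 30, 40};

/* The Spectre v1 pattern: architecturally safe, since the load only runs
   when idx < len, but a CPU that mispredicts the branch executes the load
   with an attacker-chosen out-of-bounds idx and leaves a cache footprint
   that depends on the byte it read. */
uint8_t lookup_unprotected(const uint8_t *table, size_t len, size_t idx)
{
    if (idx < len)
        return table[idx];
    return 0;
}

/* Misspeculation flag: all-ones while execution is on the architectural
   path, all-zeros once the CPU has passed a mispredicted branch. The three
   helpers are hypothetical names chosen for this example, not Jasmin's. */
typedef size_t msf_t;

static inline msf_t msf_init(void)
{
    return (msf_t)-1;
}

/* cond is the condition the preceding branch assumed. It is recomputed by
   data flow, so on a mispredicted path it evaluates to false even though
   control flow went the other way, and the flag drops to zero. */
static inline msf_t msf_update(int cond, msf_t msf)
{
    return cond ? msf : (msf_t)0;
}

/* Mask a value with the flag: unchanged architecturally, forced to zero
   under misspeculation. */
static inline size_t msf_protect(size_t v, msf_t msf)
{
    return v & msf;
}

/* Hardened lookup: the index fed to the load is protected, so speculative
   execution of the wrong path can only ever read table[0]. */
uint8_t lookup_slh(const uint8_t *table, size_t len, size_t idx)
{
    msf_t msf = msf_init();
    if (idx < len) {
        msf = msf_update(idx < len, msf);
        return table[msf_protect(idx, msf)];
    }
    return 0;
}

int main(void)
{
    printf("in bounds:     unprotected=%d slh=%d\n",
           lookup_unprotected(sample_table, 4, 2), lookup_slh(sample_table, 4, 2));
    printf("out of bounds: unprotected=%d slh=%d\n",
           lookup_unprotected(sample_table, 4, 9), lookup_slh(sample_table, 4, 9));
    return 0;
}
```

Architecturally the two lookups return the same values. The protection only holds if msf_update is compiled to a conditional move and is not folded away: a C compiler is entitled to notice that `idx < len` is true inside the branch, delete the update, or emit another branch instead, and nothing in the C semantics forbids it. That gap between source-level reasoning and emitted assembly is what the type system and the verified Jasmin compiler close, and it is the reason the approach is formulated in Jasmin rather than in C.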
7.4 Collisions between trajectories and polygonal obstacles
Participants: Yves Bertot, Laurent Théry.
In an effort to synthesize several years of investigations around the computation of robot trajectories, we developed a Coq model for a program that takes as input a description of obstacles and a pair of points and produces as output a trajectory for a robot from one point to the other between these obstacles. The obstacles are given by a collection of straight line segments and the produced trajectory is composed of straight line segments and Bézier curves, so that the trajectory is smooth. An article describing the different phases of the program has been submitted for publication [21]. This Coq model is actually a program that can be run inside Coq. Thanks to the extraction tool, the same program can also be run in a web page. Proofs of correctness for this program are under construction.
7.5 Instance saturation in Hierarchy Builder
Participants: Yves Bertot, Cyril Cohen, Thomas Portet, Enrico Tassi.
In the initial revision of Hierarchy Builder, definitions needed to be added in a precise order, otherwise instances of structures would be missing in the final inheritance graph. We developed an extension that checks for all the instances that would be missing and adds them. Thanks to this extension the Hierarchy Builder program is more robust, as the user no longer needs to respect a specific order of definitions.
7.6 New type class solver
Participants: Davide Fissore, Enrico Tassi.
We are developing a new type class solver for Coq by compiling type class instances into rules for the Elpi programming language. Currently we are validating a prototype implementation on the Std++ and TLC Coq libraries, two widely used libraries that rely on type classes.
7.7 Automation for separation logic in Coq
Participants: Davide Fissore, Enrico Tassi, Robbert Krebbers [Radboud University], Ike Mulder [Radboud University].
We are trying to use the Elpi programming language to automate proofs in separation logic. Diaframe is an existing automatic prover based on Coq type classes that suffers from the limitations of the current Coq solver. We have improved the indexing data structures used by Elpi so that they scale to larger inputs. We are also trying to use partial evaluation to specialize, ahead of time, the rules used for type class search in the context of separation logic.
7.8 Porting to Mathcomp 2
Participants: Reynald Affeldt [AIST Japan], Yves Bertot, Cyril Cohen, Pierre Roux [Onera], Kazuhiko Sakaguchi [Galinette], Enrico Tassi.
We ported the entire Mathcomp ecosystem to the new major release (version 2) of the Mathematical Components library. Most of the software has been released; Mathcomp Analysis and Abel are ported but not yet released. The details of the port are described in [19].
7.9 Trocq: Proof Transfer for Free
Participants: Cyril Cohen, Enzo Crance [Galinette], Assia Mahboubi [Galinette].
In interactive theorem proving, a range of different representations may be available for a single mathematical concept, and some proofs may rely on several representations. Without automated support such as proof transfer, theorems available with different representations cannot be combined without manual input from the user. Tools with such a purpose exist, but in proof assistants based on dependent type theory it still requires human effort to prove transfer, whereas it is obvious and often left implicit on paper. We present Trocq, a new proof transfer framework based on a generalization of the univalent parametricity translation, made possible by a new formulation of type equivalence. This translation takes care to avoid dependency on the axiom of univalence for transfers in a delimited class of statements, and may be used with relations that are not necessarily isomorphisms. We motivate and apply our framework on a set of examples designed to show that it unifies several existing proof transfer tools. The article [23] also discusses an implementation of this translation for the Coq proof assistant, in the Coq-Elpi metalanguage.
7.10 VsCoq: a user interface for Coq
Participants: Maxime Dénès, Thomas Portet, Enrico Tassi, Romain Tetley, Laurent Théry.
A rewrite of the VsCoq extension was completed this year, leading to the publication of release 2.0.1 in September. This effort is meant to continue for a few years and provide a modern and stable user interface for Coq. Maxime Dénès and Enrico Tassi have worked in regular sprints since February, helping Romain Tetley to dive into the Coq language server.
7.11 Handling subsets and subtypes in Hierarchy Builder
Participants: Cyril Cohen, Quentin Vermande.
We are experimenting with new design patterns to automate the conversion between sets and types, to automatically prove set membership and to automatically cast between types even when an external proof is required. The result of these experiments will be integrated in Hierarchy Builder in order to extend its expressiveness, in particular in the formalization of topology, number theory and category theory.
This is ongoing work without any publication yet. Early experiments were presented during meetings of the Liber Abaci project.
7.12 Handling enriched categories in Hierarchy Builder
Participants: Cyril Cohen, Enrico Tassi, Paolo Torrini.
We have been working since June 2023 on the CoREACT project, which addresses the development of applied category theory in Coq. Our work involves using the Hierarchy Builder (HB) and improving it to match the project goals. HB is useful in the formalization of complex algebraic hierarchies, making it possible to automate inheritance and to manage efficiently the evolution of a hierarchy relative to a subject type. First, we extended HB to support reasoning about enriched categories. The subject localization associated with enrichment made it necessary to implement an appropriate connector, which we call a wrapper, allowing the user to benefit from the automation provided by HB without having to resort to mathematically unnatural formulations. Part of our initial work also involved clarifying the operational meaning of wrapping with respect to the informal semantics of HB. Then, since October, we have moved on to formalizing categorical theories that make use of related notions, notably double categories and internal categories. We have currently provided two alternative characterizations of double categories and we are proving their equivalence, as part of the development of a Coq library.
7.13 Abel-Galois theorem
Participants: Cyril Cohen, Quentin Vermande.
We extended the Abel-Galois theorem to the case of positive characteristic. This involved generalizing several definitions and lemmas, and in particular contributing Hilbert's Theorem 90 in its additive version.
7.14 Lebesgue measure and integration
Participants: Reynald Affeldt [AIST Japan], Cyril Cohen.
The construction of the Lebesgue measure and of the Lebesgue integral has been completed and published in [9]. This paper describes the formalization techniques that were needed to obtain comfortably usable definitions.
7.15 Building finite fields via irreducible polynomials
Participants: Cyril Cohen, Joshua Cohen [Princeton University], Laurent Théry.
We have introduced a construction of finite fields in the Mathcomp library. We first defined polynomials of a given size, from which we derived the standard module structure. Then we use the theory of irreducible polynomials to get to finite fields. This contribution has been added to Mathcomp version 1.19.
7.16 Formal study of doubleword arithmetic algorithms
Participants: Tom Hubrecht [ENS Paris], Claude-Pierre Jeannerot [Aric], Vincent Lefèvre [Aric], Nicolas Louvet [ENS Lyon], Jean-Michel Muller [CNRS], Joris Picot [ENS Lyon], Laurence Rideau, Laurent Théry, Paul Zimmermann [Caramba].
We have continued our collaboration inside the ANR NuSCAP on double-word arithmetic. First, an article on the formalization of algorithms for the Euclidean norm has been published [8]. Second, we have started a formalization in Coq+Flocq of the proofs given in [34] (with an extended version in [35]). This paper describes algorithms for the correct rounding of the power function ${x}^{y}$ in the binary64 IEEE 754 format, for all rounding modes. We have verified (and amended, with the help of the authors) all the paper proofs given in the article. The formal proofs are available on GitHub. For this work we also had to formalize the correctness of the FastTwoSum algorithm with directed roundings given in [36].
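As an added example (not the Coq+Flocq development described above), the classical error-free transformations that double-word arithmetic is built from, written in plain C for binary64 in round-to-nearest: Dekker's FastTwoSum, Knuth's TwoSum, and double-word addition in the style of the algorithms discussed in [5]. The normalization check and all sample values are constructed here; the behaviour of FastTwoSum under directed roundings, which [36] analyses, is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* A double-word number is an unevaluated sum hi + lo with |lo| <= ulp(hi)/2. */
typedef struct { double hi, lo; } dw_t;

/* FastTwoSum (Dekker): requires |a| >= |b|.  In round-to-nearest binary64
 * the returned pair satisfies s + t == a + b exactly. */
dw_t fast_two_sum(double a, double b) {
    double s = a + b;
    double z = s - a;   /* exact: the part of b that made it into s */
    double t = b - z;   /* exact: the part of b that rounding dropped */
    return (dw_t){s, t};
}

/* TwoSum (Knuth): no ordering requirement, six operations instead of three. */
dw_t two_sum(double a, double b) {
    double s = a + b;
    double bb = s - a;
    double err = (a - (s - bb)) + (b - bb);
    return (dw_t){s, err};
}

/* DWPlusFP: add a binary64 y to the double-word x, then renormalize the
 * result with FastTwoSum. */
dw_t dw_plus_fp(dw_t x, double y) {
    dw_t s = two_sum(x.hi, y);
    double v = x.lo + s.lo;
    return fast_two_sum(s.hi, v);
}

/* AccurateDWPlusDW: double-word plus double-word (the accurate variant,
 * which uses TwoSum on both the high and the low parts). */
dw_t dw_plus_dw(dw_t x, dw_t y) {
    dw_t s = two_sum(x.hi, y.hi);
    dw_t t = two_sum(x.lo, y.lo);
    double c = s.lo + t.hi;
    dw_t v = fast_two_sum(s.hi, c);
    double w = t.lo + v.lo;
    return fast_two_sum(v.hi, w);
}

/* Half an ulp of a normal, non-zero binary64 x, read off the exponent bits:
 * x in [2^e, 2^(e+1)) has ulp(x) = 2^(e-52), so ulp(x)/2 = 2^(e-53).
 * Constructed helper, bit-level so that no libm call is needed. */
static double half_ulp_of(double x) {
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    uint64_t biased = (bits >> 52) & 0x7FF;          /* e + 1023 */
    uint64_t half_ulp_bits = (biased - 53) << 52;    /* 2^(e-53), assumes normal */
    double half_ulp;
    memcpy(&half_ulp, &half_ulp_bits, sizeof half_ulp);
    return half_ulp;
}

/* Normalization condition of a double-word number: |lo| <= ulp(hi)/2. */
int dw_is_normalized(dw_t x) {
    if (x.hi == 0.0) {
        return x.lo == 0.0;
    }
    double abs_lo = x.lo < 0.0 ? -x.lo : x.lo;
    return abs_lo <= half_ulp_of(x.hi);
}
```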
7.17 Formal study of the Fast Fourier Transform
Participants: Nicolas Brisebarre [CNRS], Laurence Rideau, Laurent Théry.
We have continued our collaboration inside the ANR NuSCAP on the Fast Fourier Transform. First, we have a formal proof of the relative error of the Cooley-Tukey Fast Fourier Transform given in [31]. Second, we have developed a certified Fast Fourier Transform that is executable inside Coq. It uses complex-number interval arithmetic built on top of the Coq Interval library, and is used to obtain a toy implementation of a multiplication algorithm for complex-number polynomials.
7.18 Simplification of a constructive version of Tarski's system of geometry
Participants: Pierre Boutry.
In work that was started in Pierre Boutry's thesis, we study how Tarski's axioms for reasoning in geometry can be made constructive. This is a follow-up of work on the same topic from 2020. We made progress on the independence of the new axioms. The current state was presented at ADG [13].
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
Participants: Benjamin Grégoire, Swarn Priya, Yves Bertot.
The STAMP team participates with the Grace team (Inria Saclay) in the JASMIN contract, funded in the framework of the Inria-Nomadic Labs collaboration for research related to the Tezos blockchain. This contract funds the PhD thesis of Swarn Priya.
9 Partnerships and cooperations
9.1 International initiatives
9.1.1 Inria associate team not involved in an IIL or an international program
FLAVOR
Participants: Yves Bertot, Cyril Cohen, Laurence Rideau, Enrico Tassi, Laurent Théry.
Title: Formal Library of Analysis for the Verification of Robots
Duration: since 2020
Coordinator: Reynald Affeldt (reynald.affeldt@aist.go.jp)
Partners: National Institute of Advanced Industrial Science and Technology, Tokyo (Japan)
Inria contact: Yves Bertot
Summary: The objective is to apply formal methods based on Coq to software and designs that are concerned with robots. Covered topics concern mathematical formalization for real analysis, control theory, kinematic chains, and motion planning.
9.2 International research visitors
9.2.1 Visits of international scientists
International visits to the team
Robbert Krebbers
Status: Professor
Institution of origin: Radboud University Nijmegen
Country: the Netherlands
Dates: June 12-16, 2023
Context of the visit: Work on merging the Mathematical Components and Stdpp libraries
Mobility program/type of mobility: research stay and lecture
9.3 National initiatives
9.3.1 ANR
 Scrypt "Compilation sécurisée de primitives cryptographiques" (secure compilation of cryptographic primitives) started on February 1st, 2019, for 48 months, with a grant of 100 kEuros. Other partners are the Inria team Celtique (Inria Rennes Bretagne Atlantique), École polytechnique, and AMOSSYS SAS. The corresponding researcher for this contract is Benjamin Grégoire. This action was used to fund postdoctoral researchers.
 NuSCAP "Numerical Safety for Computer-Aided Proofs" started on February 1st, 2021, for 48 months, with a grant covering travel costs. Other partners are CNRS-LIP, Sorbonne University LIP6, and CNRS-LAAS. The corresponding researcher for this contract is Laurence Rideau.
 CoREACT "Coq-based Rewriting: towards Executable Applied Category Theory" started on March 1st, 2023, for 48 months, with a grant of 67.3 kEuros for STAMP, funding a postdoc, instruments and material costs, and travel costs. Other partners are IRIF (Université Paris Cité), LIP (ENS Lyon) and LIX (École Polytechnique). The corresponding researcher for this contract is Cyril Cohen.
9.3.2 PEPR
 SVP PEPR Cybersecurity. We participate in a project concerned with the verification of security protocols. Partners in this project are CNRS IRISA Rennes (coordinator Stéphanie Delaune), Inria, University of Paris-Saclay, University of Lorraine, Université Côte d'Azur, and ENS Rennes. The funds allocated to our team in this collaboration are 333 kEuros. The corresponding researcher for this contract is Benjamin Grégoire. This action will be used to fund researchers (doctoral students or postdoctoral researchers).
9.3.3 Inria Challenges
 Liber Abaci. Yves Bertot coordinates the Inria challenge Liber Abaci on the use of a type-theory-based proof assistant to improve mathematics education in the first years of higher education (undergraduate mathematics).
10 Dissemination
Participants: Yves Bertot, Pierre Boutry, Cyril Cohen, Benjamin Grégoire, Enrico Tassi, Laurence Rideau.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
General chair, scientific chair
 Yves Bertot and Enrico Tassi organized and chaired the program committee of the Coq workshop in July in Bialystok.
 Cyril Cohen has been on the steering committee of ITP (Interactive Theorem Proving) since September.
 Cyril Cohen has been workshop chair for the conferences CPP 2023 (Certified Programs and Proofs), CADE 29 (Conference on Automated Deduction) and ITP 2023 (Interactive Theorem Proving).
 Enrico Tassi is on the steering committee of LFMTP (Logical Frameworks and Metalanguages: Theory and Practice).
 Enrico Tassi has been a member of the committees of COQ 2023 (Coq Workshop), COQPL 2024 (Coq for Programming Languages), CADE 29 (Conference on Automated Deduction) and CPP 2024 (Certified Programs and Proofs).
Reviewer
 Pierre Boutry did a review for ThEdu 2024 (Theorem proving and Education).
 Yves Bertot reviewed a chapter for a book in honor of Herman Geuvers.
10.1.2 Invited talks
 Benjamin Grégoire gave an invited talk at the GDR SI (Sécurité Informatique) in June.
 Yves Bertot gave an invited talk at the conference ThEdu, Theorem Proving in Education in Rome in July.
10.1.3 Research administration
Cyril Cohen created and is now a co-administrator of the Coq Zulip chat.
10.2 Teaching - Supervision - Juries
10.2.1 Teaching
 Yves Bertot and Nicolas Magaud (Université de Strasbourg) gave a course on using Coq to teach mathematics at the summer school "Proof assistants and teaching" in Val d'Ajol in June.
 Yves Bertot gave a course on using Coq for mathematics at the summer school "Interactions of Proof Assistants and Mathematics" in Regensburg, Germany, in September. The teaching material for these courses is available here.
 Yves Bertot gave an introductory course on Coq in the framework of Inria Academy in October.
 Pierre Boutry and Julien Narboux (Université de Strasbourg) gave a tutorial on GeoCoq [14] at ADG 2023.
10.2.2 Supervision
 Enrico Tassi co-supervised (with Jesper Bengtson) the master thesis "Expanding Coq with Type Aware Code Completion" by Hjalte Dalland, Jakob Israelsen and Simon Kristensen, ITU Copenhagen.
 Enrico Tassi supervised the master thesis "Typeclass solver in Type Theory via Logic Programming" by Davide Fissore, UCA DS4H, until Davide Fissore registered for a PhD program.
 Yves Bertot and Cyril Cohen supervise the thesis of Quentin Vermande (Université Côte d'Azur) starting in September.
 Yves Bertot and Enrico Tassi supervise the thesis of Davide Fissore (Université Côte d'Azur) starting in October.
 Yves Bertot and Benjamin Grégoire supervised the thesis of Swarn Priya (Université Côte d'Azur) until November.
10.2.3 Juries
 Yves Bertot was a member of the jury with report duty (rapporteur) for Rebecca Zucchini (University of Paris-Saclay) in June.
 Yves Bertot was a member of the jury for Mohit Tekriwal (University of Michigan at Ann Arbor) in June and for Loïc Germerie-Guizouarn (Université Côte d'Azur) in December.
 Enrico Tassi was member of the jury for Enzo Crance (Université de Nantes) in December.
10.3 Popularization
10.3.1 Internal or external Inria responsibilities
Laurence Rideau is member of the editorial board of Interstices.
10.3.2 Articles and contents
 Yves Bertot wrote an article for a technical magazine aimed at programming hobbyists and professionals. This article is available as a preprint on HAL [24].
11 Scientific production
11.1 Major publications
 [1] Typing High-Speed Cryptography against Spectre v1. 2023 IEEE Symposium on Security and Privacy (SP 2023), San Francisco, United States, May 2023, pp. 1592-1609.
 [2] Unsolvability of the Quintic Formalized in Dependent Type Theory. ITP 2021, 12th International Conference on Interactive Theorem Proving, Rome / Virtual, June 2021.
 [3] Hierarchy Builder: algebraic hierarchies made easy in Coq with Elpi. FSCD 2020, 5th International Conference on Formal Structures for Computation and Deduction, vol. 167, Paris, France, 2020, pp. 34:1-34:21.
 [4] Practical and sound equality tests, automatically: Deriving eqType instances for Jasmin's data types with Coq-Elpi. CPP 2023, 12th ACM SIGPLAN International Conference on Certified Programs and Proofs, Boston, MA, USA, ACM, January 2023, pp. 167-181.
 [5] Formalization of double-word arithmetic, and comments on "Tight and rigorous error bounds for basic building blocks of double-word arithmetic". ACM Transactions on Mathematical Software 48(1), March 2022, pp. 1-24.
11.2 Publications of the year
International journals
 [6] Measure Construction by Extension in Dependent Type Theory with Application to Integration. Journal of Automated Reasoning 67(3), September 2023, article 28.
 [7] Mechanized Proofs of Adversarial Complexity and Application to Universal Composability (journal preprint, full version). ACM Transactions on Privacy and Security 26(3), August 2023, pp. 1-34.
 [8] Accurate calculation of Euclidean Norms using Double-word arithmetic. ACM Transactions on Mathematical Software 49(1), March 2023, pp. 1-34.
International peerreviewed conferences
 [9] Semantics of Probabilistic Programs using s-Finite Kernels in Coq. CPP 2023, 12th ACM SIGPLAN International Conference on Certified Programs and Proofs, Boston, United States, 2023.
 [10] Typing High-Speed Cryptography against Spectre v1. 2023 IEEE Symposium on Security and Privacy (SP 2023), San Francisco, United States, May 2023, pp. 1592-1609.
 [11] Formally verifying Kyber: Episode IV: Implementation correctness. IACR Transactions on Cryptographic Hardware and Embedded Systems 2023(3), CHES 2023, Praha, Czech Republic, June 2023, pp. 164-193.
 [12] Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium. Advances in Cryptology, CRYPTO 2023, 43rd Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2023, Proceedings, Part V, LNCS 14085, pp. 358-389.
 [13] Towards an Independent Version of Tarski's System of Geometry. ADG 2023, 14th International Conference on Automated Deduction in Geometry, Belgrade, Serbia, September 2023.
 [14] Tutorial Laboratory: GeoCoq to formalize high-school geometry problems. ADG 2023, Automated Deduction in Geometry, Belgrade, Serbia, 2023.
 [15] Practical and sound equality tests, automatically: Deriving eqType instances for Jasmin's data types with Coq-Elpi. CPP 2023, 12th ACM SIGPLAN International Conference on Certified Programs and Proofs, Boston, MA, USA, ACM, January 2023, pp. 167-181.
Scientific book chapters
 [16] Inductive Predicates. In: Proof Assistants and Their Applications to Mathematics and Computer Science, April 2023, 37 pages.
Edition (books, proceedings, special issue of a journal)
 [17] Manuel Barbosa, François Dupressoir, Benjamin Grégoire, Andreas Hülsing, Matthias Meijers, Pierre-Yves Strub. Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. 2023.
Doctoral dissertations and habilitation theses
 [18] Formally computer-verified protections against timing-based side-channel attacks. PhD thesis, Université Côte d'Azur, November 2023.
Reports & preprints
 [19] Porting Coq Scripts to the Mathematical Components Library Version 2. Research report, Inria Sophia Antipolis - Méditerranée, Université Côte d'Azur; National Institute of Advanced Industrial Science and Technology (AIST), Japan; ONERA / DTIS, Université de Toulouse, France, June 2023, pp. 1-12.
 [20] Design patterns of hierarchies for order structures. Preprint, February 2023.
 [21] Safe smooth paths between straight line obstacles. Preprint, November 2023.
 [22] CV2EC: Getting the Best of Both Worlds. Preprint, December 2023.
 [23] Trocq: Proof Transfer for Free, With or Without Univalence. Preprint, July 2023.
11.3 Other
Scientific popularization
 [24] Prouvez que vos programmes fonctionnels n'ont pas de bugs avec Coq, Première partie (Prove that your functional programs have no bugs with Coq, part one). Programmez! 256, 2023, p. 35.
11.4 Cited publications
 [25] Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process. 2022. https://csrc.nist.gov/publications/detail/nistir/8413/final
 [26] SPHINCS+ – Submission to the NIST post-quantum project, v.3.1. 2022. https://sphincs.org/data/sphincs+r3.1specification.pdf
 [27] CRYSTALS-Kyber: Algorithm Specifications And Supporting Documentation (version 3.02). 2021. https://pqcrystals.org/kyber/data/kyberspecificationround320210804.pdf
 [28] CRYSTALS-Dilithium: Algorithm Specifications and Supporting Documentation (Version 3.1). 2021. https://pqcrystals.org/dilithium/data/dilithiumspecificationround320210208.pdf
 [29] The SPHINCS+ Signature Framework. CCS 2019, 2019, pp. 2129-2146.
 [30] CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. 2018 IEEE European Symposium on Security and Privacy (EuroS&P 2018), IEEE, 2018, pp. 353-367. https://eprint.iacr.org/2017/634
 [31] Error analysis of some operations involved in the Cooley-Tukey Fast Fourier Transform. ACM Transactions on Mathematical Software 46(2), May 2020, pp. 1-34.
 [32] CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. IACR Transactions on Cryptographic Hardware and Embedded Systems 2018(1), 2018, pp. 238-268. https://tches.iacr.org/index.php/TCHES/article/view/839
 [33] Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU (Specification v1.2). 2020. https://falconsign.info/falcon.pdf
 [34] Towards a correctly-rounded and fast power function in binary64 arithmetic. 2023 IEEE 30th Symposium on Computer Arithmetic (ARITH 2023), Portland, Oregon, USA, September 2023.
 [35] Towards a correctly-rounded and fast power function in binary64 arithmetic, extended version. July 2023. Extended version of the article published in the proceedings of ARITH 2023.
 [36] Note on FastTwoSum with Directed Roundings. Working paper or preprint, September 2023.