3.2.1 Generic proof techniques

Most automated tools for verifying security properties rely on techniques stemming from automated deduction. Often existing techniques do however not apply directly, or do not scale up due to state explosion problems. For instance, the use of Horn clause resolution techniques requires dedicated resolution methods 47, 50. Another example is unification modulo equational theory, which is a key technique in several tools, e.g. 60. Security protocols however require to consider particular equational theories that are not naturally studied in classical automated reasoning. Sometimes, even new concepts have been introduced. One example is the finite variant property 53, which is used in several tools, e.g., Akiss  50, Maude-NPA 60 and TAMARIN  64. Another example is the notion of asymmetric unification 59 which is a variant of unification used in Maude-NPA to perform important syntactic pruning techniques of the search space, even when reasoning modulo an equational theory. For each of these topics we need to design efficient decision procedures for a variety of equational theories.

3.2.2 Dedicated procedures and tools

We design dedicated techniques for automated protocol verification. While existing techniques for security protocol verification are efficient and have reached maturity for verification of confidentiality and authentication properties (or more generally safety properties), our goal is to go beyond these properties and the standard attacker models, verifying the properties and attacker models identified in Section 3.1. This includes techniques that:

• can analyse indistinguishability properties, including for instance anonymity and unlinkability properties, but also properties stated in simulation-based (also known as universally composable) frameworks, which express the security of a protocol as an ideal (correct by design) system;
• take into account protocols that rely on a notion of mutable global state which does not arise in traditional protocols, but is essential when verifying tamper-resistant hardware devices, e.g., the RSA PKCS#11 standard, IBM's CCA and the trusted platform module (TPM);
• consider attacker models for protocols relying on weak secrets that need to be copied or remembered by a human, such as multi-factor authentication.

These goals are beyond the scope of most current analysis tools and require both theoretical advances in the area of verification, as well as the design of new efficient verification tools.

3.3.1 General design techniques

Design techniques include composition results that allow one to design protocols in a modular way 54, 52. Composition results come in many flavours: they may allow one to compose protocols with different objectives, e.g. compose a key exchange protocol with a protocol that requires a shared key or rely on a protocol for secure channel establishment, compose different protocols in parallel that may re-use some key material, or compose different sessions of the same protocol.

Another area where composition is of particular importance is Service Oriented Computing, where an “orchestrator” must combine some available component services, while guaranteeing some security properties. In this context, we work on the automated synthesis of the orchestrator or monitors for enforcing the security goals. These problems require the study of new classes of automata that communicate with structured messages.

3.3.2 New protocol design

We also design new protocols. Application areas that seem of particular importance are:

• External hardware devices such as security APIs that allow for flexible key management, including key revocation, and their integration in security protocols. The security fiasco of the PKCS#11 standard 49, 57 witnesses the need for new protocols in this area.
• Election systems that provide strong security guarantees. We have been working (in collaboration with the Caramba team) on a prototype implementation of an e-voting system, Belenios.
• Mechanisms for publishing personal information (e.g. on social networks) in a controlled way.

7.1.1 Belenios

• Name:
  Belenios - Verifiable online voting system
• Keyword:
  E-voting
• Functional Description:

  Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).

  Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates and grade them.

  Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

• News of the Year:

  In 2024, our platform was used to run about 1500 elections, with about 215,000 registered voters and 62,000 ballots counted.

  The main change is the new interface for election administrators, based on a REST API, that is now the default interface. The source code have benefited from a lot of refactoring and removal of legacy code and this led to a major upgrade with Belenios 3.0.

  The voter's journey has also been simplified since voters no longer have to enter their credential. Instead, it is now included in the (private) link to the election that is sent to them.

• URL:
  https://­www.­belenios.­org/
• Contact:
  Stéphane Glondu
• Participants:
  Pierrick Gaudry, Stéphane Glondu, Véronique Cortier
• Partners:
  CNRS, Inria

7.1.2 Tamarin

• Name:
  Tamarin prover
• Keywords:
  Verification, Cryptographic protocol
• Functional Description:
  The Tamarin prover is a security protocol verification tool that supports both falsification and unbounded verification of security protocols specified as multiset rewriting systems with respect to (temporal) first-order properties and a message theory that models Diffie-Hellman exponentiation, bilinear pairing, multisets, and exclusive-or (XOR), combined with a user-defined convergent rewriting theory. Its main advantages are its ability to handle stateful protocols and its interactive proof mode. Moreover, it has been extended to verify equivalence properties. The tool is developed jointly by the PESTO team, the Institute of Information Security at ETH Zurich, and CISPA. In a joint effort, the partners wrote and published a user manual in 2016, available from the Tamarin website.
• Release Contributions:
  The latest version brings mostly technical and usability improvements. This includes a Tree-sitter grammar for spthy files, added warnings for non-subterm convergent theories, and improved graphs using clusters to represent roles and sessions. Moreover, public, fresh, and nat names can now be arbitrary single quoted strings (but may not include additional single quotes and newlines inside). There is a new interactive prover that stops when oracle returns nothing, and an option to output traces in batch mode. Moreover, the version includes numerous bug fixes, some refactoring and code cleanup. Finally, many examples from different published papers were added.
• News of the Year:

  In 2024, several interns worked on Tamarin and implemented multiple improvements concerning in particular the tool's error handling and graph visualization.

  A new major version has been released (1.10.0).

• URL:
  http://­tamarin-prover.­github.­io/
• Publications:
  hal-03767104, hal-02903620, hal-02358878, hal-03693843, hal-03795715
• Contact:
  Jannik Dreier
• Participants:
  Jannik Dreier, Elise Klein, Maiwenn Racouchot, Véronique Cortier, Steve Kremer, Charlie Jacomme

7.1.3 Jasmin

• Name:
  Jasmin compiler and analyser
• Keywords:
  Cryptography, Static analysis, Compilers
• Scientific Description:

  Jasmin is a workbench for high-assurance and high-speed cryptography. Jasmin implementations aim at being efficient, safe, correct, and secure.

  Jasmin is both a language and a compiler from this language to assembly. The compiler is written and formally verified for correctness in the Coq proof assistant. This justifies that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

  Jasmin comes with a set of tools to reason on Jasmin programs (a safety checker, a type-checker for Constant Time, a type-checker for Speculative Constant Time and an extraction to EasyCrypt to prove properties about the extracted Jasmin program, e.g. functional correctness).

• Functional Description:

  The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

  The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This ensures that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

  Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

• Release Contributions:

  This year, four minor versions and one major version have been released. Here are some of the most significant changes brought by these different versions.

  The semantics of the Jasmin language has been extended to cover more use cases. On one hand programmers no longer need to prove that memory accesses and (direct) array accesses are properly aligned. Jasmin programs have a well-defined semantics even if unaligned accesses occur. On the other hand more functions can have arrays as arguments and results.

  The programming language has been improved to simplify program writing tasks. Namespaces allow reusing names: two things may have the same name, as long as they belong to different namespaces. Spilling and unspilling of registers can now be done implicitly thanks to the spill and unspill operators. Type aliases can be defined through the new type key-word. Local variables may be initialized when declared.

  So as to give more security guaranties about the emitted code, the compiler can introduce code that zeroizes the stack at the end of export functions. The user can enable the feature with an annotation or a compiler flag.

  This is a minor release of Jasmin. Here is a brief description of a few of the changes it features.

  The checker for Constant-Time security, now available as a separate tool (jasmin-ct), has been made more precise and can also verify security in spite of speculative executions (Spectre).

  Support of x86 and ARMv7 architectures has been fostered. Many more instructions are available and some issues with large immediates have been fixed.

• News of the Year:
  On July 2024, a major release (2024.07.0) has been published.
• URL:
  https://­github.­com/­jasmin-lang/­jasmin
• Publications:
  hal-04106448, hal-04218417, hal-04595591, hal-04691165, hal-03844366, hal-03430789, hal-03352062, hal-02404581, hal-02974993, hal-01649140
• Contact:
  Jean-Christophe Léchenet
• Participants:
  Alexandre Bourbeillon, Gaëtan Cassiers, Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, Jean-Christophe Léchenet, Swarn Priya, Santiago Arranz Olmos
• Partners:
  The IMDEA Software Institute, Ecole Polytechnique, Universidade do Minho, Universidade do Porto, Max Planck Institute for Security and Privacy

7.1.4 tlspuffin

• Name:
  TLS Protocol Under FuzzINg
• Keywords:
  Fuzzing, Formal methods, Cryptographic protocol
• Functional Description:
  tlspuffin is a full-fledged and modular DY fuzzer implementation in Rust. DY Fuzzing is a novel approach to fuzzing cryptographic protocols. It is based on the idea of using formal Dolev-Yao (DY) models as domain-specific knowledge to guide the fuzzer and give it the ability to detect logical attacks in protocol implementations. tlspuffin revolves around three main layers and modules that are of independent interest. First, the protocol- and Program Under Test-agnostic DY fuzzer that we implemented in a standalone module puffin uses the main fuzzing loop of the modular, state-of-the art fuzzer LibAFL. It implements custom test cases using DY traces, mutations, and objective oracle. On top of puffin, we built protocol-dependent fuzzers. We currently support tlspuffin for TLS and the preliminary sshpuffin for SSH. Third, we connect PUTs such as OpenSSL, LibreSSL, BoringSSL, and wolfSSL to the fuzzers.
• News of the Year:
  In 2024, we published https://inria.hal.science/hal-04318710 that presents the DY fuzzer tlspuffin design, implementation, and evaluation. We released the first version of tlspuffin (v0.1.0) in June 2024. We also started to work on extensions: (i) addiing bit-level mutations on top of DY mutations (https://github.com/tlspuffin/tlspuffin/pull/348) and (ii) developing a DY differential fuzzer (https://github.com/tlspuffin/tlspuffin/pull/345).
• URL:
  https://­tlspuffin.­github.­io/
• Publication:
  hal-04318710
• Contact:
  Lucca Hirschi
• Participants:
  Tom Gouville, Lucca Hirschi, Steve Kremer, Michael Mera
• Partner:
  Trail of Bits

7.1.5 Squirrel

• Name:
  Squirrel Prover
• Keywords:
  Proof assistant, Cryptographic protocol
• Functional Description:

  Squirrel is an interactive proof assistant dedicated to the formal verification of cryptographic protocols in the computational model. It is based on a higher-order probabilistic logic which supports generic mathematical reasoning as well as cryptographic-specific reasoning.

  Concretely, Squirrel allows to specify security protocols in a variant of the applied pi-calculus, and properties of those protocols using its probabilistic logic. Then, these properties are to be proved by the users through tactics. Squirrel supports protocols with unbounded replication and persistent state, and can express both correspondence (e.g. authentication) and indistinguishability properties (e.g. strong secrecy, unlinkability).

• News of the Year:

  Squirrel development continued, with several new features: i) namespaces: objects can now be stored in namespaces, which allows to organize large developments, ii) basic builtin support for integer and string constants, iii) SMT support, and iv), system variables: lemmas and axioms can now be parameterized by systems, bringing a form of system parametricity where system arguments are inferred during lemma's applications, as for type variables.

  In addition, participants of the project published in the ACM SIGLOG newsletter a full presentation of the up to date theory behind the tool.

• URL:
  https://­squirrel-prover.­github.­io/
• Publications:
  hal-04577828, hal-04511718, hal-04579038, hal-03981949, hal-03620358, hal-03172119, hal-03264227
• Contact:
  Adrien Koutsos
• Participants:
  David Baelde, Stephanie Delaune, Clément Herouard, Charlie Jacomme, Adrien Koutsos, Solene Moreau, Thomas Rubiano, Justine Sauvage, Theo Vignon
• Partners:
  IRISA, ENS Rennes

7.1.6 CryptoVerif

• Name:
  Cryptographic protocol verifier in the computational model
• Keywords:
  Security, Verification, Cryptographic protocol
• Functional Description:
  CryptoVerif is an automatic protocol prover sound in the computational model. In this model, messages are bitstrings and the adversary is a polynomial-time probabilistic Turing machine. CryptoVerif can prove secrecy and correspondences, which include in particular authentication. It provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, and Diffie-Hellman key agreements. It also provides an explicit formula that gives the probability of breaking the protocol as a function of the probability of breaking each primitives, this is the exact security framework.
• News of the Year:

  The main new feature of the year is:

  * The library of cryptographic primitives has been adapted to support quantum adversaries. In particular, we now have model for KEMs (Key Encapsulation Mechanisms) often used in post-quantum protocols. Moreover, we have a version of the library that contains only primitives with a known post-quantum instantiation, and we have models for primitives without security assumption (useful to model broken primitives, e.g., classical schemes in the presence of a quantum adversary).

  These changes are included in CryptoVerif version 2.11 available at https://­cryptoverif.­inria.­fr.

• URL:
  http://­cryptoverif.­inria.­fr/
• Publications:
  hal-03113251, hal-03471218, hal-04246199, hal-04253820, hal-01947959, hal-01764527, hal-02396640, hal-02100345, hal-04321656, hal-04271666, hal-04577912, tel-01112630, hal-01102382, hal-01528752, hal-01575920, hal-01575861, hal-01575923
• Contact:
  Bruno Blanchet
• Participants:
  Charlie Jacomme, Bruno Blanchet, David Cade, Benjamin Lipp, Pierre-Yves Strub, Christian Doczkal, Pierre Boutry

7.1.7 CombCC

• Name:
  CombCC
• Keywords:
  Decision procedure, Congruence closure, Commutativity, Associativity, Union of theories
• Scientific Description:
  Implementation of the combination of congruence closure procedures for essential equational theories (C, A, AC).
• Functional Description:
  From a set of ground equalities et inequalities in which function symbols can have specific properties (commutativity, associativity, associativity-commutativity), CombCC builds a terminating and confluent term rewriting system by combining congruence closure procedures for each considered theory. If the initial system is unsatisfiable, a contradiction is generated.
• News of the Year:
  From a version where only the empty theory could be considered, implementation of all the inference rules of the orchestrator and of each equational theory (C, A, AC). Implementation of several options about the ordering of new constants, the flattening of the initial (dis-)equations and the ordering for selecting the initial equations.
• Publications:
  hal-04778178, hal-04778271
• Contact:
  Laurent Vigneron
• Participant:
  Laurent Vigneron

8.1.1 Foundations of Automated Verification: Semantics, Decidability and Complexity

Participants: Steve Kremer, Christophe Ringeissen, Laurent Vigneron.

Privacy-type properties are often modeled by indistinguishability statements, expressed as behavioral equivalences in a process calculus. In collaboration with Vincent Cheval (Oxford University) and Itsaka Rakotonirina (MPI-SP), Steve Kremer presents new results on the theory and practice of this verification problem 11. New complexity results have been established for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. The proposed procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives-those that can be represented by a subterm convergent destructor rewrite system. The implementation of the procedure in the DeepSec tool is also reported. It is shown through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raising the scope of the protocols that can be analysed. A previous extended abstract of this work appeared in 4; this extended version 11 provides an extensive presentation of the complexity results and the theory underlying DeepSec.

In collaboration with Erbatur (UT Dallas, USA), Marshall (Univ Mary Washington, USA), and Narendran (Univ Albany, SUNY, USA), Ringeissen studies decision procedures for verifying an intruder's knowledge, where the capabilities of an intruder are specified by an equational theory, possibly expressed by a term rewrite system. Previous results have developed decision procedures for a number of knowledge problems in many different equational and rewrite theories, such as subterm-convergent ones. Permutative theories such Associative-Commutative (AC) are of great interest with several procedures having been developed for AC and its extensions. This leads to the question of decidability of the knowledge problems of deduction and static equivalence in permutative theories in general. Deduction is known to be decidable in permutative theories. However, the decidability of static equivalence (and the related frame distinguishability problem) was still open. In 40, 27, static equivalence is shown to be undecidable in permutative theories. In addition, static equivalence remains undecidable in the more restrictive case of leaf permutative theories. On the positive side, static equivalence becomes decidable for a further restricted form of permutative theories defined in 27.

Christophe Ringeissen and Laurent Vigneron are also working on the definition of decision procedures based on congruence closure. In 41, 37, satisfiability procedures are designed thanks to congruence closure methods applied to unions of axiomatized theories, targeting equational axioms such as Associativity or Commutativity. In the proposed approach, any function symbol can be uninterpreted, associative only, commutative only, but also associative and commutative. To tackle the union of these theories, a combined congruence closure procedure is introduced. It can be viewed as a particular Nelson-Oppen combination method using particular congruence closure procedures for the individual theories. In this context, terminating congruence closure procedures are considered, as well as non-terminating ones. Hence, there are terminating ones for Commutativity and Associativity-Commutativity, while the one for Associativity is non-terminating. It is shown how all the congruence closure procedures, including the combined one, can be presented in a uniform and abstract way.

8.1.2 Improving Verification Tools

Participants: Véronique Cortier, Alexandre Debant, Jannik Dreier, Lucca Hirschi, Charlie Jacomme, Elise Klein, Steve Kremer, Maïwenn Racouchot.

8.1.3 Analysis of Deployed Protocols

Participants: Lucca Hirschi, Charlie Jacomme, Elise Klein, Steve Kremer, Dhekra Mahmoud, Maïwenn Racouchot.

8.1.4 DY fuzzing: Dolev-Yao model-guided Fuzzing of Cryptographic Protocols

Participants: Lucca Hirschi, Steve Kremer.

Critical and widely used cryptographic protocols have repeatedly been found to contain flaws in their design and their implementation. A prominent class of such vulnerabilities is logical attacks, i.e., attacks that solely exploit flawed protocol logic. Automated formal verification methods, based on the Dolev-Yao (DY) attacker, excel at finding such flaws, but operate only on abstract specification models. Fully automated verification of existing protocol implementations is today still out of reach. This leaves open whether widely used protocol implementations are secure. Unfortunately, this blind spot hides numerous attacks, notably recent logical attacks on widely used TLS implementations introduced by implementation bugs.

In collaboration with Max Ammann (former master student), Hirschi and Kremer propose a novel and effective technique called DY model-guided fuzzing, which precludes logical attacks against protocol implementations 17. The main idea is to consider as possible test cases the set of abstract DY executions of the DY attacker, and use a mutation-based fuzzer to explore this set. The DY fuzzer concretizes each abstract execution to test it on the program under test. This approach enables reasoning at a more structural and security-related level of messages (e.g., decrypt a message and re-encrypt it with a different key) as opposed to random bit-level modifications that are much less likely to produce relevant logical adversarial behaviors. A full-fledged and modular DY protocol fuzzer has been implemented, dubbed puffin. Its effectiveness is demonstrated by fuzzing three popular TLS implementations, resulting in the discovery of four novel vulnerabilities in WolfSSL, a lightweight implementation widely used by IoT and embedded devices, and able to run on OSs and CPUs otherwise not supported. Each of them has been responsibly disclosed to and fixed by WolfSSL. They have also been filed as CVEs.

8.1.5 Security of Cryptographic Implementations

Participant: Vincent Laporte.

8.2.1 Design of E-Voting Protocols

Participants: Véronique Cortier, Alexandre Debant, Anselme Goetschmann, Lucca Hirschi, Léo Louistisserand, Florian Moser.

8.2.2 Security analyses of E-Voting Protocols

Participants: Véronique Cortier, Alexandre Debant, Lucca Hirschi, Florian Moser.

8.3.1 Studying Frauds in Crypto-assets

Participants: Abdessamad Imine, Wail Zellagui.

Recent advances in the field of large language models (LLMs), particularly the ChatGPT family, have given rise to a powerful and versatile machine interlocutor, packed with knowledge and challenging our understanding of learning. Although ChatGPT is known for its adaptability and ethical considerations when used for harmful purposes, it is possible to highlight the deep connection that may exist between ChatGPT and fraudulent actions in the volatile cryptocurrency ecosystem. Based on a categorization of cryptocurrency frauds, it has been shown in 15 how to influence outputs, bypass ethical terms, and achieve specific fraud goals by manipulating ChatGPT prompts. Furthermore, the reported findings have emphasized the importance of realizing that ChatGPT could be a valuable instructor even for novice fraudsters, as well as understanding and safely deploying complex language models, particularly in the context of cryptocurrency frauds.

8.3.2 Privacy-Preserving Big Data Management

Participants: Abdessamad Imine, Ala Eddine Laouir.

The widespread use of software services in daily life has led to the collection of vast amounts of sensitive data by service providers. While modern big data analytics frameworks offer significant processing power, quickly obtaining accurate and private responses to large-scale queries without exposing sensitive information remains a challenging task. Approximate Query Processing (AQP) is recognized for its ability to speed up execution with acceptable accuracy trade-offs, and Differential Privacy (DP) is widely used to ensure privacy by adding noise to query results.

The contribution 31 tackles the problem of integrating AQP and DP for multidimensional data in the context of range queries. The proposed solution employs online sampling to accelerate range query execution and reduces the noise added to samples and query results to protect data privacy.

The contribution 32 presents a framework called SLIM-View, which uses a novel sampling technique relying on a bi-objective optimization to decide the best sample size and the exponential mechanism to select the best sample while ensuring privacy. Extensive experiments have demonstrated that SLIM-View outperforms existing approaches by orders of magnitude in terms of utility and scalability while ensuring the same level of privacy.

8.3.3 Efficient Management of Filtering Rules in Software-defined Networking

Participants: Michaël Rusinowitch, Wafik Zahwa.

In a joint project with the Resist project-team and the Numeryx company, Lahmadi (Resist) and Rusinowitch have developed algorithms to automatically distribute and compress filtering rules on a set of switches of limited capacity. They investigate with Zahwa an adaptive and autonomous approach based on reinforcement learning and graph neural networks, aiming an application to self-configurating firewalls 38.

10.1.1 Visits of international scientists

10.2.1 Other european programs/initiatives

• EUGAIN, COST Action, European Network For Gender Balance in Informatics, duration: 4 years, since 2020, participant and leader of Working Group 3 – From PhD to Professor: Steve Kremer

10.3.1 ANR

• ANR JCJC ProtoFuzz Cryptographic Protocol Logic Fuzz Testing, duration: January 2023 – December 2026, leader: Lucca Hirschi.

  State-of-the-art formal methods for the verification of cryptographic protocols provide no guarantee on implementations, which are the end products that must be secure. Testing, especially fuzzing, is usable by practitioners, operates on implementations and has been very successful at finding low-level flaws but is unable to capture logical flaws. Therefore, effective techniques to preclude logical flaws from protocol implementations are desperately lacking.

  To fill this gap, we will develop the foundations, the design, and the implementation of an innovative hybrid, synergetic framework combining symbolic verification and fuzzing. In particular, we will (i) devise a simple protocol language and model extractor that enable extracting formal models from lightly annotated implementations and then refining those models based on functional correctness counter-examples and (ii) develop a novel testing methodology, symbolic-model-guided fuzzing, that, assisted by symbolic verifiers, efficiently captures logical attacks. The former will leverage a novel hybrid framework where symbolic formal models and implementations are tied together and can animate each other via dual executions.

  This project's ambitions are to significantly advance fuzzing and to establish hybrid frameworks combining fuzzing and symbolic verification as a new research topic, as well as to attack and improve the security of real-world, high-profile cryptographic protocols.

• ANR Chaire IA ASAP Tools for automated, symbolic analysis of real-world cryptographic protocols, duration: September 2020 – December 2025, leader: Steve Kremer.

  The goal of this project is the development of efficient algorithms and tools for automated verification of cryptographic protocols, that are able to comprehensively analyse detailed models of real-world protocols building on techniques from automated reasoning. Automated reasoning is the subfield of AI whose goal is the design of algorithms that enable computers to reason automatically, and these techniques underlie almost all modern verification tools. Current analysis tools for cryptographic protocols do however not scale well, or require to (over)simplify models, when applied on real-world, deployed cryptographic protocols. We aim at overcoming these limitations: we therefore design new, dedicated algorithms, include these algorithms in verification tools, and use the resulting tools for the security analyses of real-world cryptographic protocols.

• ANR SEVERITAS Secure and Verifiable Test and Assessment System, duration: Mai 2021 – April 2025, local coordinator: Jannik Dreier, other partners: LIG/University Grenoble Alpes (coordinator France), SnT/University of Luxembourg (coordinator Luxembourg), LIMOS/Université Clermont Auvergne.

  SEVERITAS advances information socio-technical security for Electronic Test and Assessment Systems (e-TAS). These systems measure skills and performances in education and training. They improve management, reduce time-to-assessment, reach larger audiences, but they do not always provide security by design. This project recognizes that the security aspects for e-TAS are still mostly unexplored. We fill these gaps by studying current and other to-be-defined security properties. We develop automated tools to advance the formal verification of security and show how to validate e-TAS security rigorously. We develop new secure, transparent, verifiable and lawful e-TAS procedures and protocols. We also deploy novel run-time monitoring strategies to reduce frauds and study the user experience about processes to foster e-TAS usable security. Thanks to connections with players in the business of e-TAS, such as OASYS, this project will contribute to the development of secure e-TAS.

10.3.2 PEPR

• PEPR CyberSecurity - SVP Verification of Security Protocols. duration: July 2022 – July 2028, local coordinator: Véronique Cortier, other partners: SPICY - Irisa (coordinator), Prosecco - Inria Paris, INSPIRE - LMF/ Université Paris-Saclay, STAMP - Inria Sophia

  The SVP project aims at enabling the analysis of protocols (either already deployed or in the design phase) at the level of abstract specifications as well as implementations. The goal is to develop techniques and tools allowing the implementation of solutions whose security will not be questioned in a cyclic way. To achieve this challenge, building on the work already done in the community of formal methods for security protocol verification, we notably plan to take the following steps : (i) developing new functionalities in existing tools to allow the analysis of more and more complex protocols ; (ii) building bridges between the different existing proof techniques and associated tools in order to take advantage of the strengths of each of them ; (iii) validate the techniques and tools developed within this project on widely deployed protocols and on more recent, fast-growing applications, such as Internet voting.

• PEPR PQ-TLS - Formal Methods Chair duration: November 2024 – December 2028, leader: Charlie Jacomme

  The famous « padlock » appearing in browsers when one visits websites whose address is preceded by « https » relies on cryptographic primitives that would not withstand a quantum computer. This integrated project aims to develop in 5 years post-quantum primitives in a prototype of « post-quantum lock » that will be implemented in an open source browser. The evolution of cryptographic standards has already started, the choice of new primitives will be made quickly, and the transition will be made in the next few years. The objective is to play a driving role in this evolution and to make sure that the French actors of post-quantum cryptography, already strongly involved, are able to influence the cryptographic standards of the decades to come. For this particular chair, the goal is to focus on formal verification in the post-quantum settings, developing tools and providing analysis sound against quantum attackers.

11.1.1 Scientific events: organisation

11.1.2 Scientific events: selection

11.1.3 Journal

11.1.4 Invited talks

• Véronique Cortier.

  IRIF Distinguished Talk, February 2024, Paris, France.

  Invited Speaker for Lectures on Cybersecurity, March 2024, Luxembourg.

• Alexandre Debant.

  Invited talk at CPDP.ai 2024 ("Computers, Privacy and Data Protection") to receive the CNIL-Inria 2023 Data Protection Award

• Charlie Jacomme.

  Invited Speaker for the PEPR Cybersécurité Winter School, January 2024, France.

  Invited Speaker for the PEPR PQ-TLS Summer School, June 2024, France.

• Lucca Hirschi.

  Invited Speaker for INDOCRYPT, December 2024, Chennai, India.

  Invited Speaker for the "Journées Scientifiques Inria", August 2024, Grenoble, France.

• Steve Kremer.

  Keynote talk at the 2024 Annual Meeting of the WG "Formal Methods in Security" of the "GDR Sécurité".

• Christophe Ringeissen.

  Invited speaker at XVI Summer Workshop in Mathematics, February 2024, Brasília, Brazil (virtual).

11.1.5 Leadership within the scientific community

• Véronique Cortier: vice-chair of ACM Special Interest Group on Logic and Computation (SigLog)
• Véronique Cortier: member of IFIP WG-1.7 Foundations of Security Analysis
• Véronique Cortier: member of the research council of ANSSI
• Véronique Cortier: member of the research council of ESIEE
• Jannik Dreier: Co-chair of the working group on formal methods for security (GT MFS) of the GdR Sécurité Informatique
• Steve Kremer: member of IFIP WG-1.7 Foundations of Security Analysis
• Steve Kremer: member of the scientific directorate of the International Computer Science Meeting Center Schloss Dagstuhl
• Steve Kremer: member of the Board of Directors of LIST (Luxembourg Institute of Science and Technology)
• Michaël Rusinowitch: member of the IFIP WG-11.14 Secure Engineering

11.1.6 Scientific expertise

• Véronique Cortier: member of the expert panel on Computer Science of the Research Foundation – Flanders (FWO)
• Véronique Cortier: committee member of the Lovelace-Babbage Académie des Sciences award
• Véronique Cortier: ACM SIGSAC Outstanding Early-Career Researcher Award
• Véronique Cortier: CSF'24 Test-of-Time Awards
• Lucca Hirschi: committee member of the Gilles Kahn PhD award
• Steve Kremer: Scientific expert for SERICS initiative (Italy)

11.1.7 Research administration

• Jannik Dreier: head of the formal methods department of LORIA (since April 2024)

11.2.1 Teaching

• Licence:

  J. Dreier, Introduction to Logic, 50 hours (ETD), TELECOM Nancy

  J. Dreier, Formal Language Theory, 34 hours (ETD), TELECOM Nancy

  J. Dreier, Awareness for Cybersecurity, 7.5 hours (ETD), TELECOM Nancy

  L. Hirschi, Introduction to Theoretical Computer Science (Logic, Languages, Automata), 32 hours (ETD), TELECOM Nancy

  V. Laporte, Introduction to Theoretical Computer Science (Logic, Languages, Automata), 2024, 40 hours (ETD), TELECOM Nancy

• Master:

  J. Dreier, Cryptography and Authentication, 30 hours (ETD), M1 Computer Science, TELECOM Nancy

  J. Dreier, Introduction to Cryptography, 37 hours (ETD), M1 Computer Science, TELECOM Nancy

  J. Dreier, Protocol Security and Verification, 45 hours (ETD), M2 Computer Science, TELECOM Nancy

  J. Dreier, Advanced Cryptography, 32 hours (ETD), M2 Computer Science, TELECOM Nancy

  A. Imine, Security for XML Documents, 12 hours (ETD), M1, Univ Lorraine

  L. Hirschi, Protocol Security Theory, 24 hours (ETD), M2 Computer science, Univ Lorraine

  V. Laporte, Computer Architecture, 10.5 hours (ETD), M1 Computer Science, Mines Nancy

  V. Laporte, Programming in Assembly, 6 hours (ETD), Post Master’s in Cybersecurity, Mines Nancy

• Other Courses:

  A. Debant, L. Hirschi and S. Kremer taught a 12h advanced lecture on Formal Methods for Security Protocols for industrials (in the context of Inria Academy).

  V. Laporte taught a 2h introductory lecture on Logics for Security, at Mines Nancy, for math and computer science teachers (in higher school preparatory classes).

• Juries

  A. Debant served as examiner for the "theoretical computer science" oral exam in the entrance examinations for ENS Paris, Paris-Saclay, Lyon, and Rennes.

11.2.2 Supervision

• PhD defended in 2024:

  Maïwenn Racouchot, Formal Analysis of Security Protocols: Real-world Case-studies and Automated Proof Strategies, December 10th, 2024, Univ. Lorraine (J. Dreier and S. Kremer) 42

• PhD in progress:

  Vincent Diemunsch, Formal Analysis of Industrial Protocols, started in June 2022. (L. Hirschi and S. Kremer)

  Tom Gouville, Fuzzing of Cryptographic Protocols, started in November 2023. (L. Hirschi and S. Kremer)

  Elise Klein, Automatic Synthesis of Cryptographic Protocols, started in October 2021. (J. Dreier and S. Kremer)

  Ala Eddine Laouir, Privacy-Preserving Big Data Management and Analytics in Distributed Environments, started in 2021. (A. Imine)

  Léo Louistisserand, Remote Voting Protocols, started in September 2023. (V. Cortier and P. Gaudry (project-team Caramba))

  Dhekra Mahmoud, Security of Electronic Exams, started in 2022. (P. Lafourcade (LIMOS, Univ Clermont Auvergne) and J. Dreier)

  Florian Moser, Provably Secure Internet Voting, started in July 2023. (A. Debant and V. Cortier)

  Wafik Zahwa, Building Self-Driven Network Functions, started in October 2022. (A. Lahmadi (project-team Resist) and M. Rusinowitch)

  Wail Zellagui, Taxonomy of Frauds on Crypto-Assets, started in November 2023. (A. Imine and Y. Tadjeddine (BETA, Univ Lorraine))

11.2.3 Juries

• Reviewer for the thesis of Julian Liedtke, University of Stuttgart (V. Cortier)
• Chair of the thesis committee of Haetham Al Aswad, University of Lorraine (S. Kremer)
• Reviewer for the thesis of Martin Macak, Masaryk University, Brno, Czech Republic (S. Kremer)
• Reviewer for the thesis of Alba Martinez Anton, University of Aix-Marseille (A. Imine)

• Member of the Appointment Committee for a research director at MPII-SP/CT (V. Cortier)
• Member of the Appointment Committee for the Science Director at the Luxembourg Institute of Science and Technology (S. Kremer)
• Member of the hiring committee for an assistant professor position, FST, University of Lorraine (V. Cortier)
• Member of the hiring committee for a professor position, IRIF, University Paris Cité (V. Cortier)
• Member of two hiring committees for “professeur agrégé” positions at TELECOM Nancy (J. Dreier)
• Member of the hiring committee for researchers with disabilities (CRTH), Inria (S. Kremer)

11.3.1 Productions (articles, videos, podcasts, serious games, ...)

• Introductory article on security protocols in a special edition ”Informatique Débranchée” of Tangente Education number 68-68, August 2024. (V. Cortier)
• NoLimitSecu podcast on electronique voting (A. Debant and L. Hirschi)

11.3.2 Participation in Live events

• Profile of V. Cortier written by the CNIL: “Portraits d'informaticiennes, ingénieures, chercheuses ou enseignantes”, Journée internationale des droits des femmes 2024

11.3.3 Others science outreach relevant activities

• Interview by Democracy technologies (Austria, online media), French Overseas Voters Set New Online Voting Record, July 4th, 2024 (V. Cortier)
• Interview by France Info on electronic voting, broadcast + online paper, June 2024 (V. Cortier)
• Interview by France Info Junior “Le vrai ou faux", online video, April 2024 (V. Cortier)
• Interview for the Belgium magazin Athéna, July 2024 (V. Cortier)

International journals

• 8 articleN.Nouri Alnahawi, J.Johannes Müller, J.Jan Oupický and A.Alexander Wiesmaier. A Comprehensive Survey on Post-Quantum TLS.IACR Communications in CryptologyJuly 2024HALDOI
• 9 articleS.Santiago Arranz Olmos, G.Gilles Barthe, R.Ruben Gonzalez, B.Benjamin Grégoire, V.Vincent Laporte, J.-C.Jean-Christophe Léchenet, T.Tiago Oliveira and P.Peter Schwabe. High-assurance zeroization.IACR Transactions on Cryptographic Hardware and Embedded Systems202412024, 375-397HALDOIback to text
• 10 articleD.David Baelde, S.Stéphanie Delaune, C.Charlie Jacomme, A.Adrien Koutsos and J.Joseph Lallemand. The Squirrel Prover and its Logic.ACM SIGLOG News112April 2024HALDOIback to text
• 11 articleV.Vincent Cheval, S.Steve Kremer and I.Itsaka Rakotonirina. DeepSec: Deciding Equivalence Properties for Security Protocols -- Improved theory and practice.TheoretiCSVolume3March 2024HALDOIback to textback to text
• 12 articleV.Véronique Cortier, A.Alexandre Debant, P.Pierrick Gaudry and L.Léo Louistisserand. Vote&Check: Secure Postal Voting with Reduced Trust Assumptions.Proceedings on Privacy Enhancing Technologies2025HALback to text
• 13 articleJ.Johannes Müller and J.Jan Oupický. Post-quantum XML and SAML Single Sign-On.Proceedings on Privacy Enhancing Technologies20244October 2024, 525-543HALDOI
• 14 articleL.Ludovic Paillat, C.-L.Claudia-Lavinia Ignat, D.Davide Frey, M.Mathieu Turuani and A.Amine Ismail. Discreet: distributed delivery service with context-aware cooperation.Annals of Telecommunications - annales des télécommunicationsJuly 2024, 1-23HALDOI
• 15 article W.Wail Zellagui, A.Abdessamad Imine and Y.Yamina Tadjeddine. Cryptocurrency Frauds for Dummies: How ChatGPT introduces us to fraud? Digital Government: Research and Practice July 2024 HAL DOI back to text

International peer-reviewed conferences

• 16 inproceedingsJ. B.José Bacelar Almeida, S. A.Santiago Arranz Olmos, M.Manuel Barbosa, G.Gilles Barthe, F.François Dupressoir, B.Benjamin Grégoire, V.Vincent Laporte, J.-C.Jean-Christophe Léchenet, C.Cameron Low, T.Tiago Oliveira, H.Hugo Pacheco, M.Miguel Quaresma, P.Peter Schwabe and P.-Y.Pierre-Yves Strub. Formally verifying Kyber: Episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt.Advances in Cryptology – CRYPTO 2024Crypto 202414921Santa Barbara (CA), United StatesAugust 2024HALDOIback to text
• 17 inproceedingsM.Max Ammann, L.Lucca Hirschi and S.Steve Kremer. DY Fuzzing: Formal Dolev-Yao Models Meet Cryptographic Protocol Fuzz Testing.45th IEEE Symposium on Security and Privacy45th IEEE Symposium on Security and PrivacySan Francisco (CA, USA), United States2024HALback to text
• 18 inproceedingsK.Karthikeyan Bhargavan, C.Charlie Jacomme, F.Franziskus Kiefer and R.Rolfe Schmidt. Formal verification of the PQXDH Post-Quantum key agreement protocol for end-to-end secure messaging.33rd USENIX Security SymposiumPhiladelphia (PA), United StatesAugust 2024HALback to textback to text
• 19 inproceedingsB.Bruno Blanchet and C.Charlie Jacomme. Post-quantum sound CryptoVerif and verification of hybrid TLS and SSH key-exchanges.CSF'24 - 37th IEEE Computer Security Foundations SymposiumEnschede, NetherlandsJuly 2024, 543-556HALDOIback to text
• 20 inproceedingsV.Véronique Cortier, A.Alexandre Debant, A.Anselme Goetschmann and L.Lucca Hirschi. Election Eligibility with OpenID: Turning Authentication into Transferable Proof of Eligibility.USENIX Security SymposiumUSENIX Security SymposiumPhiladelphie (USA), United StatesAugust 2024HALback to text
• 21 inproceedingsV.Véronique Cortier, A.Alexandre Debant and F.Florian Moser. Code voting: when simplicity meets security.ESORICS 2024ESORICS 2024 29th European Symposium on Research in Computer SecurityBydgoszcz, PolandSeptember 2024HALback to text
• 22 inproceedingsV.Véronique Cortier, P.Pierrick Gaudry, A.Anselme Goetschmann and S.Sophie Lemonnier. Belenios with cast-as-intended: towards a usable interface.SpringerEVote-ID 2024 - 9th International Joint Conference on Electronic VotingTerragona, SpainSpringerOctober 2024HALback to text
• 23 inproceedings V.Véronique Cortier, P.Pierrick Gaudry and Q.Quentin Yang. Is the JCJ voting system really coercion-resistant? 37th IEEE Computer Security Foundations Symposium (CSF) CSF 2024 Enschede, Netherlands IEEE 2024 HAL back to text
• 24 inproceedings H.Henri Devillez, O.Olivier Pereira, T.Thomas Peters and Q.Quentin Yang. Can we cast a ballot as intended and be receipt free? IEEE Symposium on Security and Privacy 2024 San Francisco, United States May 2024 HAL back to text
• 25 inproceedingsV.Vincent Diemunsch, L.Lucca Hirschi and S.Steve Kremer. A Comprehensive Formal Security Analysis of OPC UA.Usenix Security 2025Seattle (USA), Washington, United States2025HALback to text
• 26 inproceedingsJ.Jannik Dreier, P.Pascal Lafourcade and D.Dhekra Mahmoud. Shaken, not Stirred -Automated Discovery of Subtle Attacks on Protocols using Mix-Nets.Proceedings of the 33rd USENIX Conference on Security SymposiumUsenix Security SymposiumPhiladelphia, United StatesAugust 2024HALback to text
• 27 inproceedingsS.Serdar Erbatur, A. M.Andrew M. Marshall, P.Paliath Narendran and C.Christophe Ringeissen. Deciding Knowledge Problems Modulo Classes of Permutative Theories.Lecture Notes in Computer ScienceLogic-Based Program Synthesis and Transformation - 34th International Symposium, LOPSTR 202414919Lecture Notes in Computer ScienceMilan, ItalySpringer Nature SwitzerlandSeptember 2024, 47-63HALDOIback to textback to text
• 28 inproceedingsT.Thomas Haines, R.Rafieh Mosaheb, J.Johannes Müller and R.Reetika Reetika. Zero-Knowledge Proofs from Learning Parity with Noise: Optimization, Verification, and Application.IEEE Computer Security Foundations (CSF) Symposium 2025Santa Cruz, United StatesJune 2025HAL
• 29 inproceedingsP.Pascal Lafourcade, D.Dhekra Mahmoud, G.Gael Marcadet and C.Charles Olivier-Anclin. Transferable, Auditable and Anonymous Ticketing Protocol.2024 Asia Conference on Information, Computer and Communications SecuritySingapore, SingaporeJuly 2024HAL
• 30 inproceedingsP.Pascal Lafourcade, D.Dhekra Mahmoud and S.Sylvain Ruhault. A Unified Symbolic Analysis of WireGuard.Usenix Network and Distributed System Security SymposiumSan Diego (CA), United StatesFebruary 2024HALDOIback to text
• 31 inproceedingsA. E.Ala Eddine Laouir and A.Abdessamad Imine. DiApprox: Differential Privacy-based Online Range Queries Approximation for Multidimensional Data.Proceedings of the 39th ACM/SIGAPP Symposium on Applied ComputingSAC '24: 39th ACM/SIGAPP Symposium on Applied ComputingAvila, SpainACMApril 2024, 337-344HALDOIback to text
• 32 inproceedingsA. E.Ala Eddine Laouir and A.Abdessamad Imine. SLIM-View: Sampling and Private Publishing of Multidimensional Databases.Proceedings of the Fourteenth ACM Conference on Data and Application Security and PrivacyCODASPY '24: Fourteenth ACM Conference on Data and Application Security and PrivacyPorto (Portugal), PortugalACMJune 2024, 391-402HALDOIback to text
• 33 inproceedingsF.Florian Moser, R.Rüdiger Grimm, T.Tobias Hilt, M.Michael Kirsten, C.Christoph Niederbudde and M.Melanie Volkamer. Recommendations for Implementing Independent Individual Verifiability in Internet Voting.GI-Edition: Lecture Notes in InformaticsE-Vote-ID 2024 - 9th International Joint Conference on Electronic VotingP-359Track 1: Security, Usability and Technical IssuesTarragona, SpainGesellschaft für InformatikOctober 2024, 35–53HALDOI
• 34 inproceedingsF.Florian Moser, M.Michael Kirsten and F.Felix Dörre. SoK: Mechanisms Used in Practice for Verifiable Internet Voting.GI-Edition: Lecture Notes in InformaticsE-Vote-ID 2024 - 9th International Joint Conference on Electronic VotingP-359Track 3: Election and Practical ExperiencesTarragona, SpainGesellschaft für InformatikOctober 2024, 141–162HALDOIback to text
• 35 inproceedingsM.Mounira Msahli, P.Pascal Lafourcade and D.Dhekra Mahmoud. Formal Analysis of C-ITS PKI protocols.SECRYPT 2024 : International Conference on Information Security and CryptographyDijon, FranceJuly 2024HAL
• 36 inproceedingsA. A.Amal Abdel Razzac, T.Tijani Chahed, Z.Zahi Shamseddine and W.Wafik Zahwa. Advanced sleep modes in 5G multiple base stations using non-cooperative multi-agent reinforcement learning.GLOBECOM 2023 - 2023 IEEE Global Communications ConferenceIEEE Global Communications Conference (GLOBECOM)Kuala Lumpur, MalaysiaIEEEFebruary 2024, 7025-7030HALDOI
• 37 inproceedingsC.Christophe Ringeissen and L.Laurent Vigneron. Combined Abstract Congruence Closure for Theories with Associativity or Commutativity.Lecture Notes in Computer ScienceLogic-Based Program Synthesis and Transformation - 34th International Symposium, LOPSTR 202414919Lecture Notes in Computer ScienceMilan, ItalySpringer Nature SwitzerlandSeptember 2024, 82-98HALDOIback to text
• 38 inproceedingsW.Wafik Zahwa, A.Abdelkader Lahmadi, M.Michael Rusinowitch and M.Mondher Ayadi. In-Network ACL Rules Placement using Deep Reinforcement Learning.2024 IEEE International Mediterranean Conference on Communications and Networking (MeditCom)Madrid, SpainIEEEJuly 2024, 341-346HALDOIback to text

National peer-reviewed Conferences

• 39 inproceedingsA.Angèle Bossuat, E.Eloïse Brocas, V.Véronique Cortier, P.Pierrick Gaudry, S.Stéphane Glondu and N.Nicolas Kovacs. Belenios: the Certification Campaign.SSTIC 2024 - Symposium sur la sécurité des technologies de l'information et des communicationsRennes, FranceJune 2024HAL

Conferences without proceedings

• 40 inproceedingsS.Serdar Erbatur, A. M.Andrew M. Marshall, P.Paliath Narendran and C.Christophe Ringeissen. Undecidability of Static Equivalence in Leaf Permutative Theories.38th International Workshop on UnificationNancy, FranceJuly 2024HALback to text
• 41 inproceedingsC.Christophe Ringeissen and L.Laurent Vigneron. Combined Abstract Congruence Closure for Associative or Commutative Theories.38th International Workshop on UnificationNancy, FranceJuly 2024HALback to text

Doctoral dissertations and habilitation theses

• 42 thesisM.Maïwenn Racouchot. Formal analysis of security protocols:real-world case-studies and automated proof strategies.Université de LorraineDecember 2024HALback to textback to text

Reports & preprints

• 43 miscV.Véronique Cortier, A.Alexandre Debant and P.Pierrick Gaudry. Breaking verifiability and vote privacy in CHVote.2025HAL
• 44 miscS. A.Santiago Arranz Olmos, G.Gilles Barthe, C.Chitchanok Chuengsatiansup, B.Benjamin Grégoire, V.Vincent Laporte, T.Tiago Oliveira, P.Peter Schwabe, Y.Yuval Yarom and Z.Zhiyuan Zhang. Protecting cryptographic code against Spectre-RSB (and, in fact, all known Spectre variants).July 2024HAL

Other scientific publications

• 45 miscV.Véronique Cortier, A.Alexandre Debant, J.Jannik Dreier, P.Pierrick Gaudry, L.Lucca Hirschi and S.Steve Kremer. Réponse au projet de mise à jour de la recommandation de la CNIL sur le vote électronique.Inria2025HAL