2025Activity report​​Project-TeamPESTO

3.2.1 Generic​​ proof techniques

Most automated​​​‌ tools for verifying security‌ properties rely on techniques‌​‌ stemming from automated deduction.​​ Often existing techniques do​​​‌ however not apply directly,‌ or do not scale‌​‌ up due to state​​ explosion problems. For instance,​​​‌ the use of Horn‌ clause resolution techniques requires‌​‌ dedicated resolution methods 41​​, 43. Another​​​‌ example is unification modulo‌ equational theory, which is‌​‌ a key technique in​​ several tools, e.g. 52​​​‌. Security protocols however‌ require to consider particular‌​‌ equational theories that are​​ not naturally studied in​​​‌ classical automated reasoning. Sometimes,‌ even new concepts have‌​‌ been introduced. One example​​ is the finite variant​​​‌ property 45, which‌ is used in several‌​‌ tools, e.g., Akiss  43​​, Maude-NPA 52 and​​​‌ TAMARIN  56. Another‌ example is the notion‌​‌ of asymmetric unification 51​​ which is a variant​​​‌ of unification used in‌ Maude-NPA to perform important‌​‌ syntactic pruning techniques of​​ the search space, even​​​‌ when reasoning modulo an‌ equational theory. For each‌​‌ of these topics we​​ need to design efficient​​​‌ decision procedures for a‌ variety of equational theories.‌​‌

3.2.2 Dedicated procedures and​​ tools

We design dedicated​​​‌ techniques for automated protocol‌ verification. While existing techniques‌​‌ for security protocol verification​​ are efficient and have​​​‌ reached maturity for verification‌ of confidentiality and authentication‌​‌ properties (or more generally​​ safety properties), our goal​​​‌ is to go beyond‌ these properties and the‌​‌ standard attacker models, verifying​​ the properties and attacker​​​‌ models identified in Section‌ 3.1. This includes‌​‌ techniques that:

• can analyse​​ indistinguishability properties, including for​​​‌ instance anonymity and unlinkability‌ properties, but also properties‌​‌ stated in simulation-based (also​​ known as universally composable)​​​‌ frameworks, which express the‌ security of a protocol‌​‌ as an ideal (correct​​ by design) system;
• take​​​‌ into account protocols that‌ rely on a notion‌​‌ of mutable global state​​ which does not arise​​​‌ in traditional protocols, but‌ is essential when verifying‌​‌ tamper-resistant hardware devices, e.g.,​​ the RSA PKCS#11 standard,​​​‌ IBM's CCA and the‌ trusted platform module (TPM);‌​‌
• consider attacker models for​​ protocols relying on weak​​​‌ secrets that need to‌ be copied or remembered‌​‌ by a human, such​​​‌ as multi-factor authentication.

These​ goals are beyond the​‌ scope of most current​​ analysis tools and require​​​‌ both theoretical advances in​ the area of verification,​‌ as well as the​​ design of new efficient​​​‌ verification tools.

3.3.1 General​‌ design techniques

Design techniques​​ include composition results that​​​‌ allow one to design​ protocols in a modular​‌ way 46, 44​​. Composition results come​​​‌ in many flavours: they​ may allow one to​‌ compose protocols with different​​ objectives, e.g. compose a​​​‌ key exchange protocol with​ a protocol that requires​‌ a shared key or​​ rely on a protocol​​​‌ for secure channel establishment,​ compose different protocols in​‌ parallel that may re-use​​ some key material, or​​​‌ compose different sessions of​ the same protocol.

Another​‌ area where composition is​​ of particular importance is​​​‌ Service Oriented Computing, where​ an “orchestrator” must combine​‌ some available component services,​​ while guaranteeing some security​​​‌ properties. In this context,​ we work on the​‌ automated synthesis of the​​ orchestrator or monitors for​​​‌ enforcing the security goals.​ These problems require the​‌ study of new classes​​ of automata that communicate​​​‌ with structured messages.

3.3.2​ New protocol design

We​‌ also design new protocols.​​ Application areas that seem​​​‌ of particular importance are:​

• External hardware devices such​‌ as security APIs that​​ allow for flexible key​​​‌ management, including key revocation,​ and their integration in​‌ security protocols. The security​​ fiasco of the PKCS#11​​​‌ standard 42, 48​ witnesses the need for​‌ new protocols in this​​ area.
• Election systems that​​​‌ provide strong security guarantees.​ We have been working​‌ (in collaboration with the​​ Caramba team) on a​​​‌ prototype implementation of an​ e-voting system, Belenios.​‌
• Mechanisms for publishing personal​​ information (e.g. on social​​​‌ networks) in a controlled​ way.

7.1.1​​ Belenios

• Name:
  Belenios -​​​‌ Verifiable online voting system‌
• Keyword:
  E-voting
• Functional Description:‌​‌

  Belenios is an open-source​​ online voting system that​​​‌ provides vote confidentiality and‌ verifiability. End-to-end verifiability relies‌​‌ on the fact that​​ the ballot box is​​​‌ public (voters can check‌ that their ballots have‌​‌ been received) and on​​ the fact that the​​​‌ tally is publicly verifiable‌ (anyone can recount the‌​‌ votes). Vote confidentiality relies​​ on the encryption of​​​‌ the votes and the‌ distribution of the decryption‌​‌ key (no one knows​​ the full secret key).​​​‌

  Belenios supports various kind‌ of elections. In the‌​‌ standard mode, Belenios supports​​​‌ simple elections where voters​ simply select one or​‌ more candidates. It also​​ supports arbitrary counting functions​​​‌ at the cost of​ a slightly more complex​‌ tally procedure for the​​ authorities. For example, Belenios​​​‌ supports Condorcet, STV, and​ Majority Judgement, where voters​‌ rank candidates and grade​​ them.

  Belenios is available​​​‌ in several languages for​ the voters as well​‌ as the administrators of​​ an election.

• Release Contributions:​​​‌

  Belenios 3.1 mostly includes​ important fixes after the​‌ deployment of our new​​ administrator interface.

  It also​​​‌ includes some security enhancements.​ Some of them (missing​‌ checks from the auditors)​​ follow remarks from Thomas​​​‌ Haines and Jarrod Rose.​ Others include use of​‌ authenticated encryption AES-GCM instead​​ of AES-CCM and reduced​​​‌ usage of the cryptographic​ library SJCL.

• News of​‌ the Year:

  In 2025,​​ our platform was used​​​‌ to run about 1500​ elections, with about 200,000​‌ registered voters and 60,000​​ ballots counted.

  Belenios 3.1​​​‌ mostly includes important fixes​ after the deployment of​‌ our new administrator interface.​​ It also includes some​​​‌ security enhancements. Some of​ them follow remarks from​‌ Thomas Haines and Jarrod​​ Rose. Others (eg use​​​‌ of AES-GCM instead of​ AES-CCM, reduced usage of​‌ SJCL) have been suggested​​ after the CSPN evaluation,​​​‌ unfortunately not successful for​ Belenios.

• URL:
  https://­www.­belenios.­org/
• Contact:​‌
  Stéphane Glondu
• Participants:
  Pierrick​​ Gaudry, Stéphane Glondu, Véronique​​​‌ Cortier
• Partners:
  CNRS, Inria​

7.1.2 Tamarin

• Name:
  Tamarin​‌ prover
• Keywords:
  Verification, Cryptographic​​ protocol
• Functional Description:
  The​​​‌ Tamarin prover is a​ security protocol verification tool​‌ that supports both falsification​​ and unbounded verification of​​​‌ security protocols specified as​ multiset rewriting systems with​‌ respect to (temporal) first-order​​ properties and a message​​​‌ theory that models Diffie-Hellman​ exponentiation, bilinear pairing, multisets,​‌ and exclusive-or (XOR), combined​​ with a user-defined convergent​​​‌ rewriting theory. Its main​ advantages are its ability​‌ to handle stateful protocols​​ and its interactive proof​​​‌ mode. Moreover, it has​ been extended to verify​‌ equivalence properties. The tool​​ is developed jointly by​​​‌ the PESTO team, the​ Institute of Information Security​‌ at ETH Zurich, and​​ CISPA.
• Release Contributions:
  The​​​‌ latest version brings mostly​ technical and usability improvements.​‌ This includes a Tree-sitter​​ grammar for spthy files,​​​‌ added warnings for non-subterm​ convergent theories, and improved​‌ graphs using clusters to​​ represent roles and sessions.​​​‌ Moreover, public, fresh, and​ nat names can now​‌ be arbitrary single quoted​​ strings (but may not​​​‌ include additional single quotes​ and newlines inside). There​‌ is a new interactive​​ prover that stops when​​​‌ oracle returns nothing, and​ an option to output​‌ traces in batch mode.​​ Moreover, the version includes​​​‌ numerous bug fixes, some​ refactoring and code cleanup.​‌ Finally, many examples from​​ different published papers were​​​‌ added.
• News of the​ Year:

  In 2025, several​‌ interns worked on Tamarin​​ and implemented multiple improvements​​​‌ concerning in particular additional​ features and the testing​‌ pipeline.

  The main authors​​ of Tamarin also published​​​‌ a book on the​ tool and it's usage​‌

• URL:
  http://­tamarin-prover.­github.­io/
• Publications:
  hal-05093938​​, hal-03767104, hal-02903620​​​‌, hal-02358878, hal-03693843​, hal-03795715
• Contact:
  Jannik​‌ Dreier
• Participants:
  Jannik Dreier,​​ Elise Klein, Maiwenn Racouchot,​​ Véronique Cortier, Steve Kremer,​​​‌ Charlie Jacomme

7.1.3 Jasmin‌

• Name:
  Jasmin compiler and‌​‌ analyser
• Keywords:
  Cryptography, Static​​ analysis, Compilers
• Scientific Description:​​​‌

  Jasmin is a workbench‌ for high-assurance and high-speed‌​‌ cryptography. Jasmin implementations aim​​ at being efficient, safe,​​​‌ correct, and secure.

  Jasmin‌ is both a language‌​‌ and a compiler from​​ this language to assembly.​​​‌ The compiler is written‌ and formally verified for‌​‌ correctness in the Rocq​​ Prover. This justifies that​​​‌ many properties can be‌ proved on a source‌​‌ program and still apply​​ to the corresponding assembly​​​‌ program: safety, termination, functional‌ correctness…

  Jasmin comes with‌​‌ a set of tools​​ to reason on Jasmin​​​‌ programs (a safety checker,‌ a type-checker for Constant‌​‌ Time, a type-checker for​​ Speculative Constant Time and​​​‌ an extraction to EasyCrypt‌ to prove properties about‌​‌ the extracted Jasmin program,​​ e.g. functional correctness).

• Functional​​​‌ Description:

  The Jasmin programming‌ language smoothly combines high-level‌​‌ and low-level constructs, so​​ as to support “assembly​​​‌ in the head” programming.‌ Programmers can control many‌​‌ low-level details that are​​ performance-critical: instruction selection and​​​‌ scheduling, what registers to‌ spill and when, etc.‌​‌ The language also features​​ high-level abstractions (variables, functions,​​​‌ arrays, loops, etc.) to‌ structure the source code‌​‌ and make it more​​ amenable to formal verification.​​​‌ The Jasmin compiler produces‌ predictable assembly and ensures‌​‌ that the use of​​ high-level abstractions incurs no​​​‌ run-time penalty.

  The semantics‌ is formally defined to‌​‌ allow rigorous reasoning about​​ program behaviors. The compiler​​​‌ is formally verified for‌ correctness (the proof is‌​‌ machine-checked by the Rocq​​ Prover). This ensures that​​​‌ many properties can be‌ proved on a source‌​‌ program and still apply​​ to the corresponding assembly​​​‌ program: safety, termination, functional‌ correctness…

  Jasmin programs can‌​‌ be automatically checked for​​ safety and termination (using​​​‌ a trusted static analyzer).‌ The Jasmin workbench leverages‌​‌ the EasyCrypt toolset for​​ formal verification. Jasmin programs​​​‌ can be extracted to‌ corresponding EasyCrypt programs to‌​‌ prove functional correctness, cryptographic​​ security, or security against​​​‌ side-channel attacks (constant-time).

• Release‌ Contributions:

  Two major versions‌​‌ and four minor ones​​ were published during the​​​‌ year 2025. The two‌ major versions are detailed‌​‌ below.

  - Jasmin 2025.02.0​​ : RISC-V 32IM was​​​‌ added as a target‌ architecture. Extraction to EasyCrypt‌​‌ was completely rewritten, and​​ is now available as​​​‌ a separate binary "jasmin2ec".‌

  - Jasmin 2025.06.0 :‌​‌ Two new features were​​ added to the Jasmin​​​‌ language. The first one‌ is the support of‌​‌ sub-arrays with non-constant indices,​​ which make the use​​​‌ of sub-arrays more flexible.‌ The second one is‌​‌ the introduction of new​​ types, types of bounded​​​‌ integers. A variable of‌ one of these types‌​‌ is compiled as a​​ word variable, but in​​​‌ the program proofs it‌ appears as an integer‌​‌ variable, making reasoning on​​ the program simpler. Besides,​​​‌ a linter was added.‌ It reports potential errors‌​‌ to the user so​​ that they can fix​​​‌ their program if needed.‌ Finally, the documentation of‌​‌ the software has been​​ overhauled, vastly enriched and​​​‌ reorganized to simplify its‌ maintenance and ensure it‌​‌ stays up-to-date.

  In all​​​‌ versions, major and minor,​ there is a sustained​‌ work to fix issues​​ when they are identified​​​‌ and bring improvements to​ the various tools: the​‌ compiler, safety analyzer, constant-time​​ security analyzer, and extraction​​​‌ to EasyCrypt. These various​ components are also better​‌ tested.

• News of the​​ Year:

  Two major versions​​​‌ and four minor ones​ were published during the​‌ year 2025.

  New features​​ have been implemented in​​​‌ the programming language and​ its compiler, notably support​‌ for the RISC-V architecture,​​ new data-types to simplify​​​‌ safety proofs, and more​ flexibility for “sub-arrays”, allowing​‌ to write more efficient​​ programs.

• URL:
  https://­github.­com/­jasmin-lang/­jasmin
• Publications:​​​‌
  hal-05466117, hal-05249675,​ hal-04632106, hal-04595591,​‌ hal-04691165, hal-04106448,​​ hal-04218417, hal-03844366,​​​‌ hal-03430789, hal-03352062,​ hal-02974993, hal-02404581,​‌ hal-01649140
• Contact:
  Jean-Christophe Léchenet​​
• Participants:
  Alexandre Bourbeillon, Gaëtan​​​‌ Cassiers, Gilles Barthe, Benjamin​ Grégoire, Adrien Koutsos, Vincent​‌ Laporte, Jean-Christophe Léchenet, Swarn​​ Priya, Santiago Arranz Olmos​​​‌
• Partners:
  The IMDEA Software​ Institute, Ecole Polytechnique, Universidade​‌ do Minho, Universidade do​​ Porto, Max Planck Institute​​​‌ for Security and Privacy​

7.1.4 tlspuffin

• Name:
  TLS​‌ Protocol Under FuzzINg
• Keywords:​​
  Fuzzing, Formal methods, Cryptographic​​​‌ protocol
• Scientific Description:

  The​ puffin fuzzer is the​‌ reference implementation for the​​ Dolev-Yao fuzzing approach. It​​​‌ aims at fuzzing cryptographic​ protocol implementations. For now,​‌ it is shipped with​​ harnesses for several TLS​​​‌ implementations (OpenSSL, BoringSSL, LibreSSL,​ and wolfSSL) and preliminary​‌ versions of a harness​​ for OpenSSH. We built​​​‌ puffin so that new​ protocols and protocol implementations​‌ can be added. Internally,​​ puffin uses the library​​​‌ LibAFL to drive the​ fuzzing loop.

  We sometimes​‌ use tlspuffin instead of​​ puffin to name the​​​‌ fuzzer and this project.​ This is because the​‌ first protocol we implemented​​ was TLS. However, puffin​​​‌ and DY fuzzing in​ general are not limited​‌ to the TLS protocol.​​

• Functional Description:
  tlspuffin is​​​‌ a full-fledged and modular​ DY fuzzer implementation in​‌ Rust. DY Fuzzing is​​ a novel approach to​​​‌ fuzzing cryptographic protocols. It​ is based on the​‌ idea of using formal​​ Dolev-Yao (DY) models as​​​‌ domain-specific knowledge to guide​ the fuzzer and give​‌ it the ability to​​ detect logical attacks in​​​‌ protocol implementations. tlspuffin revolves​ around three main layers​‌ and modules that are​​ of independent interest. First,​​​‌ the protocol- and Program​ Under Test-agnostic DY fuzzer​‌ that we implemented in​​ a standalone module puffin​​​‌ uses the main fuzzing​ loop of the modular,​‌ state-of-the art fuzzer LibAFL.​​ It implements custom test​​​‌ cases using DY traces,​ mutations, and objective oracle.​‌ On top of puffin,​​ we built protocol-dependent fuzzers.​​​‌ We currently support tlspuffin​ for TLS and the​‌ preliminary sshpuffin for SSH.​​ Third, we connect PUTs​​​‌ such as OpenSSL, LibreSSL,​ BoringSSL, and wolfSSL to​‌ the fuzzers.
• News of​​ the Year:

  In 2025,​​​‌ we worked on: -​ (i) adding bit-level mutations​‌ on top of DY​​ mutations (https://github.com/tlspuffin/tlspuffin/pull/348), - (ii)​​​‌ developing and evaluating a​ DY differential fuzzer dpuffin​‌ (https://github.com/tlspuffin/tlspuffin/tree/differential-fuzzing-experiments), - (iii) developing​​ a new puffin instance​​​‌ opcuapuffin (https://github.com/tlspuffin/tlspuffin/pull/433) for fuzzing​ OPC UA protocol implementations​‌ and a harness for​​ the open62541 implementation, and​​ - (iv) developing a​​​‌ performance testbench for the‌ puffin fuzzer (puffin-bench) for‌​‌ easing evaluations of features​​ and future WIP but​​​‌ also for regression testing‌ (https://github.com/tlspuffin/puffin-bench/tree/version2025).

  We prepared and‌​‌ wrote a paper presenting​​ (ii) in 2025, which​​​‌ is under submission. This‌ approach and dpuffin notably‌​‌ found 11 RFC violations​​ in the TLS implementations​​​‌ openssl and wolfssl.

  We‌ plan to submit a‌​‌ paper presenting (i) in​​ 2026. We also plan​​​‌ to release a major‌ version with these two‌​‌ large additions. We plan​​ to pursue the development​​​‌ of opcuapuffin in 2026.‌ The development of puffin-bench‌​‌ is almost done, we​​ already use it internally​​​‌ and we plan to‌ make a first release‌​‌ in early 2026.

• URL:​​
  https://­tlspuffin.­github.­io/
• Publication:
  hal-04318710
• Contact:​​​‌
  Lucca Hirschi
• Participants:
  Vincent‌ Diemunsch, Tom Gouville, Lucca‌​‌ Hirschi, Steve Kremer, Olivier​​ Demengeon, an anonymous participant​​​‌

7.1.5 Squirrel

• Name:
  Squirrel‌ Prover
• Keywords:
  Proof assistant,‌​‌ Cryptographic protocol
• Functional Description:​​

  Squirrel is an interactive​​​‌ proof assistant dedicated to‌ the formal verification of‌​‌ cryptographic protocols in the​​ computational model. It is​​​‌ based on a higher-order‌ probabilistic logic which supports‌​‌ generic mathematical reasoning as​​ well as cryptographic-specific reasoning.​​​‌

  Concretely, Squirrel allows to‌ specify security protocols in‌​‌ a variant of the​​ applied pi-calculus, and properties​​​‌ of those protocols using‌ its probabilistic logic. Then,‌​‌ these properties are to​​ be proved by the​​​‌ users through tactics. Squirrel‌ supports protocols with unbounded‌​‌ replication and persistent state,​​ and can express both​​​‌ correspondence (e.g. authentication) and‌ indistinguishability properties (e.g. strong‌​‌ secrecy, unlinkability).

• News of​​ the Year:

  We added​​​‌ support for user-defined functions‌ which can use probabilistic‌​‌ constructs, mutual recursion, system-dependency​​ and pattern matching. (Teams​​​‌ implied: Pesto, Prosecco.)

  We‌ improved the simulator synthesis‌​‌ procedure behind the `crypto`​​ tactic in Squirrel, by​​​‌ adding support for synthesizing‌ memoizing simulators, and by‌​‌ allowing to infer time-sensitive​​ memory invariant. (Team implied:​​​‌ Prosecco.)

  We completely re-designed‌ and re-implemented the post-quantum‌​‌ variant of Squirrel, making​​ it more powerful and​​​‌ more maintainable. (Teams implied:‌ Pesto, Prosecco.)

• URL:
  https://­squirrel-prover.­github.­io/‌​‌
• Publications:
  hal-04884758, hal-04577828​​, hal-04511718, hal-04579038​​​‌, hal-03981949, hal-03620358‌, hal-03172119, hal-03264227‌​‌
• Contact:
  Adrien Koutsos
• Participants:​​
  Joseph Lallemand, David Baelde,​​​‌ Stephanie Delaune, Clément Herouard,‌ Charlie Jacomme, Adrien Koutsos,‌​‌ Solene Moreau, Thomas Rubiano,​​ Justine Sauvage, Theo Vignon​​​‌
• Partners:
  IRISA, ENS Rennes‌

7.1.6 CryptoVerif

• Name:
  Cryptographic‌​‌ protocol verifier in the​​ computational model
• Keywords:
  Security,​​​‌ Verification, Cryptographic protocol
• Functional‌ Description:
  CryptoVerif is an‌​‌ automatic protocol prover sound​​ in the computational model.​​​‌ In this model, messages‌ are bitstrings and the‌​‌ adversary is a polynomial-time​​ probabilistic Turing machine. CryptoVerif​​​‌ can prove secrecy and‌ correspondences, which include in‌​‌ particular authentication. It provides​​ a generic mechanism for​​​‌ specifying the security assumptions‌ on cryptographic primitives, which‌​‌ can handle in particular​​ symmetric encryption, message authentication​​​‌ codes, public-key encryption, signatures,‌ hash functions, and Diffie-Hellman‌​‌ key agreements. It also​​ provides an explicit formula​​​‌ that gives the probability‌ of breaking the protocol‌​‌ as a function of​​ the probability of breaking​​​‌ each primitives, this is‌ the exact security framework.‌​‌
• News of the Year:​​​‌

  The main new feature​ of the year is:​‌

  1) We allow proving​​ that, if some events​​​‌ happened, then other events​ did not happen, in​‌ addition to proving that​​ if some events happened,​​​‌ then other events happened.​ (Teams involved: Pesto, Prosecco.)​‌

  2) We allow proving​​ security properties on a​​​‌ subset of the traces​ of the analyzed protocol.​‌ The considered subset of​​ traces is defined by​​​‌ so-called restrictions, which specify​ that certain events must​‌ happen or not happen.​​ Restrictions are useful in​​​‌ particular to model complex​ compromise scenarios. (Teams involved:​‌ Pesto, Prosecco.)

  These changes​​ are included in CryptoVerif​​​‌ version 2.12 available at​ https://­cryptoverif.­inria.­fr.

• URL:
  http://­cryptoverif.­inria.­fr/​‌
• Publications:
  hal-03113251, hal-03471218​​, hal-04246199, hal-04253820​​​‌, hal-01947959, hal-01764527​, hal-02396640, hal-02100345​‌, hal-04321656, hal-04271666​​, hal-04577912, tel-01112630​​​‌, hal-01102382, hal-01528752​, hal-01575920, hal-01575861​‌, hal-01575923
• Contact:
  Bruno​​ Blanchet
• Participants:
  Bruno Blanchet,​​​‌ Pierre Boutry, David Cade,​ Christian Doczkal, Aymeric Fromherz,​‌ Charlie Jacomme, Benjamin Lipp,​​ Pierre-Yves Strub

7.1.7 CombCC​​​‌

• Name:
  CombCC
• Keywords:
  Decision​ procedure, Congruence closure, Commutativity,​‌ Associativity, Union of theories​​
• Scientific Description:
  Implementation of​​​‌ the combination of congruence​ closure procedures for essential​‌ equational theories (C, A,​​ AC).
• Functional Description:
  From​​​‌ a set of ground​ equalities et inequalities in​‌ which function symbols can​​ have specific properties (commutativity,​​​‌ associativity, associativity-commutativity), CombCC builds​ a terminating and confluent​‌ term rewriting system by​​ combining congruence closure procedures​​​‌ for each considered theory.​ If the initial system​‌ is unsatisfiable, a contradiction​​ is generated.
• News of​​​‌ the Year:
  From a​ version where only the​‌ empty theory could be​​ considered, implementation of all​​​‌ the inference rules of​ the orchestrator and of​‌ each equational theory (C,​​ A, AC). Implementation of​​​‌ several options about the​ ordering of new constants,​‌ the flattening of the​​ initial (dis-)equations and the​​​‌ ordering for selecting the​ initial equations.
• Publications:
  hal-04778178​‌, hal-04778271
• Contact:
  Laurent​​ Vigneron
• Participant:
  Laurent Vigneron​​​‌

8.1.1 Foundations​‌ of Automated Verification: Semantics,​​ Decidability and Complexity

Participants:​​​‌ Véronique Cortier, Steve​ Kremer, Charlie Jacomme​‌, Christophe Ringeissen,​​ Laurent Vigneron.

Ideal​​​‌ functionalities are used to​ study increasingly complex protocols​‌ within the Universal Composability​​ framework. However, such functionalities​​​‌ are often complex themselves,​ making it difficult to​‌ assess whether they truly​​ fulfill their promises. In​​​‌ collaboration with Myrto Arapinis​ (University of Edinburgh), Cortier,​‌ Jacomme, and Kremer unveil​​ 12 four attacks on​​​‌ functionalities from various applications​ (e-voting, SMPC, anonymous lotteries,​‌ and smart metering), demonstrating​​ that they do not​​​‌ capture the intuitively expected​ properties. They also propose​‌ a methodology that combines​​ game-based proofs and computer-aided​​​‌ verification: ideal functionalities can​ in fact be treated​‌ as protocols, and one​​ can use traditional game-based​​​‌ proofs to study them,​ where any game-based security​‌ property proven on the​​ functionality does transfer to​​​‌ any protocol that realizes​ it. Using SQUIRREL, we​‌ formally prove that the​​ fixed functionalities verify the​​​‌ specified game-based security properties.​

In collaboration with Erbatur​‌ (UT Dallas, USA), Marshall​​ (Univ Mary Washington, USA),​​ and Narendran (Univ Albany,​​​‌ SUNY, USA), Ringeissen studies‌ decision procedures for verifying‌​‌ an intruder's knowledge, where​​ the capabilities of an​​​‌ intruder are specified by‌ an equational theory, possibly‌​‌ expressed by a term​​ rewrite system. Deduction is​​​‌ concerned with the ability‌ to derive a term‌​‌ from a set of​​ terms (or knowledge) obtained​​​‌ from the observation of‌ a protocol instance. Static‌​‌ equivalence, on the other​​ hand, is concerned with​​​‌ distinguishing between two runs‌ of a protocol based‌​‌ on two sets of​​ knowledge. These two knowledge​​​‌ problems at first inspection‌ appear to be very‌​‌ close to the older​​ automated reasoning problems of​​​‌ matching and unification. However,‌ this first impression is‌​‌ wrong, and there have​​ been a few results​​​‌ that have shown theories‌ where one problem, such‌​‌ as unification, is undecidable​​ but another problem, such​​​‌ as deduction, is decidable.‌ These existing dichotomy results‌​‌ were, however, incomplete, and​​ not all cases had​​​‌ been examined, thus leaving‌ the possibility of some‌​‌ connection between the problems​​ for those unexamined cases.​​​‌ In 22, we‌ consider the missing dichotomy‌​‌ cases. For each of​​ the remaining cases, we​​​‌ demonstrate a theory that‌ separates the two problems.‌​‌ In addition, once the​​ dichotomy results are completed,​​​‌ it leaves open the‌ question of the existence‌​‌ of non-trivial classes of​​ theories for which all​​​‌ four of the problems‌ are decidable. One example‌​‌ for which this is​​ true is the well-known​​​‌ class of subterm convergent‌ term rewrite systems. Another‌​‌ example is provided by​​ a restricted class of​​​‌ permutative theories.

Contracting convergent‌ rewrite systems corresponds to‌​‌ a class of theories​​ including subterm convergent ones​​​‌ where both deduction and‌ static equivalence remain decidable.‌​‌ In 20, 21​​, we explore the​​​‌ gap between the contracting‌ convergent rewrite systems, and‌​‌ a larger superclass called​​ graph-embedded rewrite systems for​​​‌ which the knowledge problems‌ are undecidable. This gap‌​‌ is of interest since​​ one would like to​​​‌ get closer to graph-embedded‌ and still maintain decidability‌​‌ of the knowledge problems.​​ We show that several​​​‌ ways of weakening the‌ restrictions of the contracting‌​‌ definition will not work,​​ as it leads to​​​‌ undecidability results for deduction‌ and static equivalence. We‌​‌ also show that a​​ subset of the graph​​​‌ embedded rules is still‌ sufficient to obtain undecidability.‌​‌ Moreover, we extend a​​ recent result that developed​​​‌ decision procedures for the‌ knowledge problems in any‌​‌ subterm rewrite system which​​ is convergent modulo a​​​‌ restricted form of permutative‌ theory. We show that‌​‌ the subterm rewrite system​​ can be replaced with​​​‌ a contracting one.

In‌ collaboration with Ayala-Rincón (Univ‌​‌ Brasilia, Brasil), David Cerna​​ (Czech Academy of Sciences,​​​‌ Czechia), and Temur Kutsia‌ (RISC, JKU Linz, Austria),‌​‌ Ringeissen has proposed a​​ new combination method for​​​‌ the generalization problem modulo‌ a disjoint union of‌​‌ equational theories 14.​​ This problem consists in​​​‌ finding a common term‌ that generalizes a given‌​‌ pair of terms.

In​​ collaboration with Raya (EPFL,​​​‌ Switzerland), Ringeissen has developed‌ new interpolation and combination‌​‌ methods for parametric array​​​‌ theories, where the classical​ array theory used in​‌ Satisfiability Modulo Theories (SMT)​​ is extended with extensional​​​‌ axioms 29, 28​.

8.1.2 Improving Verification​‌ Tools

Participants: Alexandre Debant​​, Jannik Dreier,​​​‌ Lucca Hirschi, Charlie​ Jacomme, Elise Klein​‌, Steve Kremer.​​

8.1.3 Analysis of‌ Deployed Protocols and their‌​‌ Designs

Participants: Jannik Dreier​​, Lucca Hirschi,​​​‌ Charlie Jacomme, Elise‌ Klein, Steve Kremer‌​‌, Dhekra Mahmoud,​​ Mathieu Turuani.

8.1.4 DDYF: Differential Dolev-Yao​‌ Fuzzing of Cryptographic Protocols​​

Participants: Lucca Hirschi,​​​‌ Steve Kremer, Tom​ Gouville.

Symbolic formal​‌ verification of cryptographic protocols​​ based on the Dolev-Yao​​​‌ (DY) attacker model is​ well-established for finding design-level​‌ logical flaws in cryptographic​​ protocols. Building on this,​​​‌ DY fuzzing enriches fuzzing​ with this attacker model​‌ to uncover logical bugs​​ at the implementation level.​​​‌ In contrast to bit-level​ fuzzers (e.g. AFL), DY​‌ fuzzing leverages a formal​​ model of messages and​​​‌ cryptography to generate structured,​ adversarial executions, such as​‌ replaying and re-signing a​​ modified payload.

However, a​​​‌ significant limitation of DY​ fuzzing is the requirement​‌ to precisely model properties​​ to check at runtime​​​‌ (e.g., session parameter agreement).​ Defining these properties is​‌ labor-intensive and inherently non-exhaustive,​​ often necessitating complex instrumentation​​​‌ of the Programs Under​ Test (PUTs). Consequently, typically​‌ only a subset of​​ logical attacks is detected.​​​‌

Gouville, Hirschi and Kremer​ address this limitation by​‌ introducing Differential DY Fuzzing​​ (DDYF) based on a​​​‌ differential oracle to compare​ executions across different protocol​‌ implementations. By interpreting discrepancies​​ through the DY model,​​​‌ it identifies semantic differences​ indicative of bugs or​‌ vulnerabilities, effectively minimizing false​​ positives.

They propose a​​​‌ generic design for DDYF,​ implement it within the​‌ puffin DY fuzzer, and​​ evaluate it on two​​ major TLS implementations. Their​​​‌ results demonstrate that DDYF‌ can detect vulnerabilities that‌​‌ evade state-of-the-art fuzzers, specifically​​ those requiring DY attacker​​​‌ capabilities (missed by bit-level‌ differential fuzzers) or complex‌​‌ objective oracles (missed by​​ DY fuzzing). DDYF also​​​‌ uncovered 11 new RFC‌ violations in OpenSSL and‌​‌ wolfSSL, which are​​ by-design hardly detectable with​​​‌ non-differential oracle. Furthermore, they‌ show that DDYF exposes‌​‌ fine-grained behavioral discrepancies, enabling​​ more precise fingerprinting of​​​‌ protocol implementations.

8.1.5 Security‌ of Cryptographic Implementations

Participant:‌​‌ Vincent Laporte.

8.2.1 Properties of E-Voting​​​‌ Protocols

Participants: Véronique Cortier​, Charlie Jacomme,​‌ Steve Kremer.

In​​ collaboration with Arapinis (Univ.​​​‌ Edinburgh), Cortier, Jacomme, and​ Kremer revisit one more​‌ time the notion of​​ vote privacy. This property​​​‌ is a key property​ in e-voting and many​‌ definitions have already been​​ proposed. Two main definitions​​​‌ are often considered. The​ seminal one from Benaloh​‌ works well for systems​​ where the multiset of​​​‌ the original votes is​ published. The BPRIV definition​‌ 3 has then been​​ elaborated to study protocols​​ that implement more complex​​​‌ counting functions such as‌ STV, Condorcet or the‌​‌ majority function. They show​​ that BPRIV is actually​​​‌ too strong for realistic‌ protocols that chain the‌​‌ ballots. Simple extensions of​​ the Benaloh definition are​​​‌ too weak. They therefore‌ devise a novel definition‌​‌ that can be applied​​ to any counting function,​​​‌ still retaining the simplicity‌ of the Benaloh definition.‌​‌

8.2.2 Design of E-Voting​​ Protocols

Participants: Véronique Cortier​​​‌, Alexandre Debant,‌ Léo Louistisserand.

8.2.3 Security analyses‌ of E-Voting Protocols

Participants:‌​‌ Véronique Cortier, Alexandre​​ Debant, Florian Moser​​​‌.

8.3.1​​​‌ Studying Fraud in Crypto-assets​

Participants: Abdessamad Imine,​‌ Wail Zellagui.

The​​ cryptocurrency ecosystem is paving​​​‌ the way for a​ financial transaction system that​‌ allows everyone to participate​​ anonymously, thus facilitating low-cost​​​‌ payments independent of any​ central entity. However, this​‌ decentralized, unregulated, and pseudonymous​​ system attracts fraudulent activities,​​​‌ such as money laundering.​ We are currently developing​‌ a blacklist protocol to​​ identify potential fraudsters transacting​​​‌ with known fraudsters listed​ on public blacklists. We​‌ are investigating criteria for​​ identifying fraudulent users without​​​‌ blaming honest users, and​ we are exploring how​‌ to incentivize multiple cryptocurrency​​ exchange platforms (such as​​​‌ Binance and Bitfinex) to​ collaborate privatively in order​‌ to produce a global​​ blacklist, while protecting the​​​‌ identities of their customers.​

8.3.2 Privacy-Preserving Big Data​‌ Management

Participants: Abdessamad Imine​​, Ala Eddine Laouir​​​‌.

In many real-world​ scenarios, multiple data providers​‌ need to collaboratively perform​​ analysis of their private​​​‌ data. The challenges of​ these applications, especially at​‌ the big data scale,​​ are time and resource​​​‌ efficiency as well as​ end-to-end privacy with minimal​‌ loss of accuracy. The​​ contribution 26 addresses the​​​‌ problem of combining Approximate​ Query Processing (AQP) and​‌ Differential Privacy (DP) in​​ a private federated environment​​​‌ answering range queries on​ horizontally partitioned multidimensional data.​‌ The proposed solution considers​​ a data distribution-aware online​​​‌ sampling technique to accelerate​ the execution of range​‌ queries and ensure end-to-end​​ data privacy during and​​​‌ after analysis with minimal​ loss in accuracy.

While​‌ the problem of answering​​ simple queries and functions​​​‌ under DP guarantees has​ been thoroughly addressed in​‌ recent years, the problem​​ of releasing multidimensional data​​​‌ under DP remains challenging.​ The contribution 27 focuses​‌ on this problem, in​​ particular on how to​​​‌ construct privacy-preserving views using​ a domain decomposition approach.​‌ Our solution is based​​ on RIPOST, a multidimensional​​​‌ data decomposition algorithm that​ bypasses the constraint of​‌ predefined depth and applies​​ a data-aware splitting strategy​​ to optimize the quality​​​‌ of the decomposition.

All‌ these contributions and others‌​‌ are detailed in Ala​​ Eddine Laouir's thesis manuscript​​​‌ 35.

8.3.3 Efficient‌ Management of Filtering Rules‌​‌ in Software-defined Networking

Participants:​​ Michaël Rusinowitch, Wafik​​​‌ Zahwa.

In a‌ joint project with the‌​‌ Resist project-team and the​​ Numeryx company, Lahmadi (Resist)​​​‌ and Rusinowitch have developed‌ algorithms to automatically distribute‌​‌ and compress filtering rules​​ on a set of​​​‌ switches of limited capacity.‌ They have proposed with‌​‌ Zahwa a novel approach​​ that combines graph neural​​​‌ networks with deep Q-learning‌ to optimize access control‌​‌ lists distribution across network​​ switches, while integrating operational​​​‌ constraints 30.

10.1.1 Visits‌ of international scientists

10.2.1 ANR

• ANR JCJC‌ ProtoFuzz Cryptographic Protocol Logic‌​‌ Fuzz Testing, duration:​​ January 2023 – December​​​‌ 2026, leader: Lucca Hirschi.‌

  State-of-the-art formal methods for‌​‌ the verification of cryptographic​​ protocols provide no guarantee​​​‌ on implementations, which are‌ the end products that‌​‌ must be secure. Testing,​​ especially fuzzing, is usable​​​‌ by practitioners, operates on‌ implementations and has been‌​‌ very successful at finding​​ low-level flaws but is​​​‌ unable to capture logical‌ flaws. Therefore, effective techniques‌​‌ to preclude logical flaws​​ from protocol implementations are​​​‌ desperately lacking.

  To fill‌ this gap, we will‌​‌ develop the foundations, the​​ design, and the implementation​​​‌ of an innovative hybrid,‌ synergetic framework combining symbolic‌​‌ verification and fuzzing. In​​ particular, we will (i)​​​‌ devise a simple protocol‌ language and model extractor‌​‌ that enable extracting formal​​​‌ models from lightly annotated​ implementations and then refining​‌ those models based on​​ functional correctness counter-examples and​​​‌ (ii) develop a novel​ testing methodology, symbolic-model-guided fuzzing,​‌ that, assisted by symbolic​​ verifiers, efficiently captures logical​​​‌ attacks. The former will​ leverage a novel hybrid​‌ framework where symbolic formal​​ models and implementations are​​​‌ tied together and can​ animate each other via​‌ dual executions.

  This​​ project's ambitions are to​​​‌ significantly advance fuzzing and​ to establish hybrid frameworks​‌ combining fuzzing and symbolic​​ verification as a new​​​‌ research topic, as well​ as to attack and​‌ improve the security of​​ real-world, high-profile cryptographic protocols.​​​‌

• ANR Chaire IA ASAP​ Tools for automated, symbolic​‌ analysis of real-world cryptographic​​ protocols, duration: September​​​‌ 2020 – December 2025,​ leader: Steve Kremer.

  The​‌ goal of this project​​ is the development of​​​‌ efficient algorithms and tools​ for automated verification of​‌ cryptographic protocols, that are​​ able to comprehensively analyse​​​‌ detailed models of real-world​ protocols building on techniques​‌ from automated reasoning. Automated​​ reasoning is the subfield​​​‌ of AI whose goal​ is the design of​‌ algorithms that enable computers​​ to reason automatically, and​​​‌ these techniques underlie almost​ all modern verification tools.​‌ Current analysis tools for​​ cryptographic protocols do however​​​‌ not scale well, or​ require to (over)simplify models,​‌ when applied on real-world,​​ deployed cryptographic protocols. We​​​‌ aim at overcoming these​ limitations: we therefore design​‌ new, dedicated algorithms, include​​ these algorithms in verification​​​‌ tools, and use the​ resulting tools for the​‌ security analyses of real-world​​ cryptographic protocols.

• ANR SEVERITAS​​​‌ Secure and Verifiable Test​ and Assessment System,​‌ duration: Mai 2021 –​​ April 2026, local coordinator:​​​‌ Jannik Dreier, other partners:​ LIG/University Grenoble Alpes (coordinator​‌ France), SnT/University of Luxembourg​​ (coordinator Luxembourg), LIMOS/Université Clermont​​​‌ Auvergne.

  SEVERITAS advances information​ socio-technical security for Electronic​‌ Test and Assessment Systems​​ (e-TAS). These systems measure​​​‌ skills and performances in​ education and training. They​‌ improve management, reduce time-to-assessment,​​ reach larger audiences, but​​​‌ they do not always​ provide security by design.​‌ This project recognizes that​​ the security aspects for​​​‌ e-TAS are still mostly​ unexplored. We fill these​‌ gaps by studying current​​ and other to-be-defined security​​​‌ properties. We develop automated​ tools to advance the​‌ formal verification of security​​ and show how to​​​‌ validate e-TAS security rigorously.​ We develop new secure,​‌ transparent, verifiable and lawful​​ e-TAS procedures and protocols.​​​‌ We also deploy novel​ run-time monitoring strategies to​‌ reduce frauds and study​​ the user experience about​​​‌ processes to foster e-TAS​ usable security. Thanks to​‌ connections with players in​​ the business of e-TAS,​​​‌ such as OASYS, this​ project will contribute to​‌ the development of secure​​ e-TAS.

10.2.2 PEPR

• PEPR​​​‌ CyberSecurity - SVP Verification​ of Security Protocols.​‌ duration: July 2022 –​​ July 2028, local coordinator:​​​‌ Véronique Cortier, other partners:​ SPICY - Irisa (coordinator),​‌ Prosecco - Inria Paris,​​ INSPIRE - LMF/ Université​​​‌ Paris-Saclay, STAMP - Inria​ Sophia

  The SVP project​‌ aims at enabling the​​ analysis of protocols (either​​​‌ already deployed or in​ the design phase) at​‌ the level of abstract​​ specifications as well as​​ implementations. The goal is​​​‌ to develop techniques and‌ tools allowing the implementation‌​‌ of solutions whose security​​ will not be questioned​​​‌ in a cyclic way.‌ To achieve this challenge,‌​‌ building on the work​​ already done in the​​​‌ community of formal methods‌ for security protocol verification,‌​‌ we notably plan to​​ take the following steps​​​‌ : (i) developing new‌ functionalities in existing tools‌​‌ to allow the analysis​​ of more and more​​​‌ complex protocols ; (ii)‌ building bridges between the‌​‌ different existing proof techniques​​ and associated tools in​​​‌ order to take advantage‌ of the strengths of‌​‌ each of them ;​​ (iii) validate the techniques​​​‌ and tools developed within‌ this project on widely‌​‌ deployed protocols and on​​ more recent, fast-growing applications,​​​‌ such as Internet voting.‌

• PEPR PQ-TLS - Formal‌​‌ Methods Chair duration: November​​ 2024 – December 2028,​​​‌ leader: Charlie Jacomme

  The‌ famous « padlock »‌​‌ appearing in browsers when​​ one visits websites whose​​​‌ address is preceded by‌ « https » relies‌​‌ on cryptographic primitives that​​ would not withstand a​​​‌ quantum computer. This integrated‌ project aims to develop‌​‌ in 5 years post-quantum​​ primitives in a prototype​​​‌ of « post-quantum lock‌ » that will be‌​‌ implemented in an open​​ source browser. The evolution​​​‌ of cryptographic standards has‌ already started, the choice‌​‌ of new primitives will​​ be made quickly, and​​​‌ the transition will be‌ made in the next‌​‌ few years. The objective​​ is to play a​​​‌ driving role in this‌ evolution and to make‌​‌ sure that the French​​ actors of post-quantum cryptography,​​​‌ already strongly involved, are‌ able to influence the‌​‌ cryptographic standards of the​​ decades to come. For​​​‌ this particular chair, the‌ goal is to focus‌​‌ on formal verification in​​ the post-quantum settings, developing​​​‌ tools and providing analysis‌ sound against quantum attackers.‌​‌

11.1.1 Scientific‌​‌ events: organisation

11.1.2 Scientific events:‌​‌ selection

11.1.3 Journal

11.1.4 Invited talks

• Véronique​​ Cortier:

  Journées Francophones des​​​‌ Langages Applicatifs 2026, Vosges,​ France, January 2026

  Conference​‌ at Grenoble university, Parlons​​ sciences, Grenoble, November 25,​​​‌ 2025

  Colloquium d’Informatique de​ Sorbonne Université, Paris, November​‌ 26, 2025

  GTMFS 2025,​​ Annual Meeting of the​​​‌ WG « Formal Methods​ in Security », Auvergne,​‌ March 18, 2025

  Journée​​ Filles, Maths et Informatique,​​​‌ Paris, April 4, 2025​

• Alexandre Debant:

  Annual Meeting​‌ of the GDR -​​ Sécurité Informatique, Caen, June​​​‌ 25th, 2025

  Prosecco team​ seminar, Inria Paris, May​‌ 26th, 2025

  ANSSI Crypto​​ lab seminar, Paris, January​​​‌ 23rd, 2025 (with L.​ Hirschi)

11.1.5 Leadership within​‌ the scientific community

• Véronique​​ Cortier: vice-chair of ACM​​​‌ Special Interest Group on​ Logic and Computation (SigLog)​‌
• Véronique Cortier: member of​​ IFIP WG-1.7 Foundations of​​​‌ Security Analysis
• Véronique Cortier:​ member of the research​‌ council of ANSSI
• Véronique​​ Cortier: member of the​​​‌ research council of ESIEE​
• Véronique Cortier: member of​‌ the research council of​​ GdR-SI
• Véronique Cortier: member​​​‌ of the research council​ of SIF
• Jannik Dreier:​‌ Co-chair of the working​​ group on formal methods​​​‌ for security (GT MFS)​ of the GdR Sécurité​‌ Informatique
• Steve Kremer: member​​ of IFIP WG-1.7 Foundations​​​‌ of Security Analysis
• Steve​ Kremer: member of the​‌ scientific directorate of the​​ International Computer Science Meeting​​​‌ Center Schloss Dagstuhl
• Steve​ Kremer: member of the​‌ Board of Directors of​​ LIST (Luxembourg Institute of​​​‌ Science and Technology)
• Christophe​ Ringeissen: IJCAR steering committee​‌ member
• Christophe Ringeissen: LSFA​​ steering committee member
• Michaël​​​‌ Rusinowitch: member of the​ IFIP WG-11.14 Secure Engineering​‌

11.1.6 Scientific expertise

• Véronique​​ Cortier: committee member of​​​‌ the Lovelace-Babbage Académie des​ Sciences award
• Lucca Hirschi:​‌ committee member of the​​ Gilles Kahn PhD award​​​‌
• Lucca Hirschi: president of​ the jury of the​‌ best PhD artifact award​​ of the GDR Sécurité​​​‌
• Lucca Hirschi: scientific expert​ for the Flanders Innovation​‌ & Entrepreneurship VLAIO (for​​ the Flemish Government)
• Steve​​​‌ Kremer: scientific expert for​ SERICS initiative (Italy)

11.1.7​‌ Research administration

• Véronique Cortier:​​ member of the council​​​‌ AM2I (since 2022)
• Véronique​ Cortier: member of the​‌ lab council of Loria​​ (since 2024)
• Alexandre Debant:​​​‌ local member of the​ Inria building users' committee​‌ (CUB)
• Alexandre Debant: main​​ organizer of the Loria​​​‌ Security Seminar
• Jannik Dreier:​ head of the formal​‌ methods department of LORIA​​ (since April 2024)
• Lucca​​​‌ Hirschi: local member of​ the Inria Legal and​‌ Ethical Risk Assessment Committee​​ (COERLE)
• Steve Kremer: member​​​‌ of the "Bureau du​ CP"
• Steve Kremer: co-chair​‌ (until March 2025, still​​ member) of Inria's Committee​​​‌ on Gender Equality and​ Equal Opportunities
• Laurent Vigneron:​‌ member of the lab​​ council of Loria (since​​​‌ 2011)

11.2.1 Teaching

• Licence:

  J.​​​‌ Dreier, Formal Language Theory,​ 30 hours (ETD), TELECOM​‌ Nancy

  J. Dreier, Awareness​​ for Cybersecurity, 20 hours​​ (ETD), TELECOM Nancy

  V.​​​‌ Laporte, Introduction to Logic,‌ Fall 2025, 16 hours‌​‌ (ETD), TELECOM Nancy

  L.​​ Vigneron, Algorithmic and programming,​​​‌ 39 hours (ETD), L1‌ MIASHS, IDMC

• Master:

  J.‌​‌ Dreier, Cryptography and Authentication,​​ 30 hours (ETD), M1​​​‌ Computer Science, TELECOM Nancy‌

  J. Dreier, Introduction to‌​‌ Cryptography, 30 hours (ETD),​​ M1 Computer Science, TELECOM​​​‌ Nancy

  J. Dreier, Protocol‌ Security and Verification, 45‌​‌ hours (ETD), M2 Computer​​ Science, TELECOM Nancy

  J.​​​‌ Dreier, Advanced Cryptography, 32‌ hours (ETD), M2 Computer‌​‌ Science, TELECOM Nancy

  A.​​ Imine, Security for XML​​​‌ Documents, 12 hours (ETD),‌ M1, Univ Lorraine

  L.‌​‌ Hirschi, Protocol Security Theory,​​ 24 hours (ETD), M2​​​‌ Computer science, Univ Lorraine‌

  V. Laporte, Computer Architecture,‌​‌ 20 hours (ETD), M1​​ Computer Science, Mines Nancy​​​‌

  L. Vigneron, Conception of‌ Information Systems, 30 hours‌​‌ (ETD), M1 MIAGE, IDMC​​

  L. Vigneron, Business Intelligence,​​​‌ 18 hours (ETD), M2‌ MIAGE, IDMC

• Other Lectures:‌​‌

  A. Debant, L. Hirschi​​ and S. Kremer taught​​​‌ a 12h advanced lecture‌ on Formal Methods for‌​‌ Security Protocols for industrials​​ (in the context of​​​‌ Inria Academy).

  A. Debant‌ and L. Hirschi taught‌​‌ a 2h masterclass about​​ e-voting for the French​​​‌ INSP (in the context‌ of Inria Academy).

11.2.2‌​‌ Supervision

• PhD defended in​​ 2025:

  Elise Klein, Formal​​​‌ Verification in Practice: Real-World‌ Case Study and Enhanced‌​‌ Support for AC Operators​​ in Tamarin, December 11,​​​‌ 2025, Univ. Lorraine (J.‌ Dreier and S. Kremer)‌​‌ 34

  Ala Eddine Laouir,​​ Privacy-Preserving Multidimensional Data Analysis:​​​‌ Query Answering and Data‌ Publication under Differential Privacy,‌​‌ November 26, 2025, Univ.​​ Lorraine (A. Imine) 35​​​‌

  Dhekra Mahmoud, Security Protocol‌ Design and Symbolic Analysis:‌​‌ Hybrid Protocols, Derived Adversary​​ Models,and Refined Equational Theories,​​​‌ June 11, 2025, Univ.‌ Clermont Auvergne (P. Lafourcade‌​‌ and J. Dreier) 36​​

• PhD in progress:

  Vincent​​​‌ Diemunsch, Formal Analysis of‌ Industrial Protocols, started in‌​‌ June 2022. (L. Hirschi​​ and S. Kremer)

  Tom​​​‌ Gouville, Fuzzing of Cryptographic‌ Protocols, started in November‌​‌ 2023. (L. Hirschi and​​ S. Kremer)

  Telma Lopes​​​‌ Marques, Certified Compilation of‌ Low-Level Programming Languages, started‌​‌ in October 2025. (V.​​ Laporte and S. Kremer)​​​‌

  Léo Louistisserand, Remote Voting‌ Protocols, started in September‌​‌ 2023. (V. Cortier and​​ P. Gaudry (project-team Caramba))​​​‌

  Florian Moser, Provably Secure‌ Internet Voting, started in‌​‌ July 2023. (A. Debant​​ and V. Cortier)

  Wafik​​​‌ Zahwa, Building Self-Driven Network‌ Functions, started in October‌​‌ 2022. (A. Lahmadi (project-team​​ Resist) and M. Rusinowitch)​​​‌

  Wail Zellagui, Taxonomy of‌ Frauds on Crypto-Assets, started‌​‌ in November 2023. (A.​​ Imine and Y. Tadjeddine​​​‌ (BETA, Univ Lorraine))

11.2.3‌ Juries

• Member of the‌​‌ hiring committee for a​​ professor position (Maths lab),​​​‌ University French Polynesia (V.‌ Cortier)
• Chair of the‌​‌ hiring committee for a​​ professor position (LMF), ENS​​​‌ Paris-Saclay (S. Kremer)
• Member‌ of the hiring committee‌​‌ for researchers with disabilities​​ (CRTH), Inria (S. Kremer)​​​‌
• Jury president for the‌ thesis of Kinnari Dave,‌​‌ University of Lorraine (V.​​ Cortier)
• Reviewer for the​​​‌ thesis of Rafieh Mosaheb,‌ University of Luxembourg (V.‌​‌ Cortier)
• Jury president for​​ the thesis of Théophile​​​‌ Wallez, University Paris PSL‌ (V. Cortier)
• Reviewer for‌​‌ the thesis of Alexander​​​‌ Dax, Saarland University (J.​ Dreier)
• Member of the​‌ hiring committee for an​​ associate professor position (LORIA),​​​‌ University of Lorraine (J.​ Dreier)
• Member of the​‌ hiring committee for a​​ teaching professor position (“Professeur​​​‌ agrégé”), TELECOM Nancy, University​ of Lorraine (J. Dreier)​‌
• Examiner for the “theoretical​​ computer science” oral exam​​​‌ in the entrance examinations​ for ENS Paris, Paris-Saclay,​‌ Lyon, and Rennes (A.​​ Debant)
• Jury member for​​​‌ the thesis of Arthur​ Tran Van, Télécom SudParis,​‌ Institut Polytechnique de Paris​​ (L. Hirschi)
• Jury member​​​‌ for the “Informatique A”​ written exam in the​‌ entrance examinations for ENS​​ Paris, Paris-Saclay, Lyon, and​​​‌ Rennes (L. Hirschi)
• Reviewer​ for the habilitation of​‌ Vincent Barichard, University of​​ Angers (C. Ringeissen)
• Examiner​​​‌ for the thesis of​ Wei Du, SUNY at​‌ Albany (M. Rusinowitch)
• Jury​​ president for the thesis​​​‌ of Thomas Bagrel, University​ of Lorraine (L. Vigneron)​‌

11.2.4 Educational and pedagogical​​ outreach

• Jannik Dreier is​​​‌ part of the pedagogical​ team of the Cyber​‌ Humanum Est cyber security​​ wargame.

11.3.1​​​‌ Specific official responsibilities in​ science outreach structures

• Véronique​‌ Cortier is member of​​ the strategic council of​​​‌ the Blaise Pascal Foundation​ since 2025.

11.3.2 Productions​‌ (articles, videos, podcasts, serious​​ games, ...)

11.3.3​​​‌ Participation in Live events​

• Gave expert evidence to​‌ the French National Assembly,​​ in the context of​​​‌ an investigation commission on​ elections (V. Cortier)
• Talk​‌ EDDY Network (V. Cortier)​​
• Talk Journée Filles Mathématiques​​​‌ et Informatique 2025 Sorbonne​ Université (V. Cortier)

11.3.4​‌ Others science outreach relevant​​ activities

• Interview by Vérif​​​‌ TF1 on the security​ of the French National​‌ Assembly petition platform, July​​ 2025 (A. Debant)
• Interview​​​‌ by JT 20H TF1​ on the security of​‌ online petitions, September 2025​​ (A. Debant)

International journals​​​‌

• 8 articleS.Santiago‌ Arranz Olmos, G.‌​‌Gilles Barthe, L.​​Lionel Blatter, B.​​​‌Benjamin Grégoire and V.‌Vincent Laporte. Preservation‌​‌ of Speculative Constant-time by​​ Compilation.Proceedings of​​​‌ the ACM on Programming‌ Languages9POPLJanuary‌​‌ 2025, 1293 -​​ 1325HALDOIback​​​‌ to text
• 9 article‌S.Santiago Arranz-Olmos,‌​‌ G.Gilles Barthe,​​ B.Benjamin Grégoire,​​​‌ J.Jan Jancar,‌ V.Vincent Laporte,‌​‌ T.Tiago Oliveira and​​ P.Peter Schwabe.​​​‌ Let’s DOIT: Using Intel’s‌ Extended HW/SW Contract for‌​‌ Secure Compilation of Crypto​​ Code.IACR Transactions​​​‌ on Cryptographic Hardware and‌ Embedded Systems20253‌​‌June 2025, 644-667​​HALDOIback to​​​‌ text
• 10 articleV.‌Véronique Cortier, A.‌​‌Alexandre Debant, P.​​Pierrick Gaudry and L.​​​‌Léo Louistisserand. Vote&Check:‌ Secure Postal Voting with‌​‌ Reduced Trust Assumptions.​​Proceedings on Privacy Enhancing​​​‌ Technologies202532025‌, 333-348HALDOI‌​‌back to text
• 11​​​‌ articleL.Ludovic Paillat​, C.-L.Claudia-Lavinia Ignat​‌, D.Davide Frey​​, M.Mathieu Turuani​​​‌ and A.Amine Ismail​. Discreet: distributed delivery​‌ service with context-aware cooperation​​.Annals of Telecommunications​​​‌ - annales des télécommunications​803-4April 2025​‌, 357-374HALDOI​​back to text

International​​​‌ peer-reviewed conferences

• 12 inproceedings​ M.Myrto Arapinis,​‌ V.Véronique Cortier,​​ H.Hubert de Groote​​​‌, C.Charlie Jacomme​ and S.Steve Kremer​‌. Are ideal functionalities​​ really ideal? CSF 2026​​​‌ – 39th IEEE Computer​ Security Foundations Symposium Lisbonne,​‌ Portugal July 2026 HAL​​ back to text
• 13​​​‌ inproceedingsS.Santiago Arranz​ Olmos, G.Gilles​‌ Barthe, C.Chitchanok​​ Chuengsatiansup, B.Benjamin​​​‌ Grégoire, V.Vincent​ Laporte, T.Tiago​‌ Oliveira, P.Peter​​ Schwabe, Y.Yuval​​​‌ Yarom and Z.Zhiyuan​ Zhang. Protecting cryptographic​‌ code against Spectre-RSB (and,​​ in fact, all known​​​‌ Spectre variants).ASPLOS​ '25: 30th ACM International​‌ Conference on Architectural Support​​ for Programming Languages and​​​‌ Operating Systems2Rotterdam,​ NetherlandsACMMarch 2025​‌, 933-948HALDOI​​back to text
• 14​​​‌ inproceedingsM.Mauricio Ayala-Rincón​, D. M.David​‌ M Cerna, T.​​Temur Kutsia and C.​​​‌Christophe Ringeissen. Combining​ Generalization Algorithms in Regular​‌ Collapse-Free Theories.10th​​ International Conference on Formal​​​‌ Structures for Computation and​ Deduction (FSCD 2025). Leibniz​‌ International Proceedings in Informatics​​ (LIPIcs)FSCD 2025 -​​​‌ 10th International Conference on​ Formal Structures for Computation​‌ and Deduction337Birmingham,​​ United KingdomSchloss Dagstuhl​​​‌ – Leibniz-Zentrum für Informatik​2025, 7:1-7:18HAL​‌DOIback to text​​
• 15 inproceedingsV.Véronique​​​‌ Cortier, A.Alexandre​ Debant and P.Pierrick​‌ Gaudry. Breaking verifiability​​ and vote privacy in​​​‌ CHVote.30th European​ Symposium on Research in​‌ Computer Security - ESORICS​​ 2025Toulouse, FranceSpringer​​​‌2025HALback to​ textback to text​‌
• 16 inproceedingsV.Veronique​​ Cortier, A.Alexandre​​​‌ Debant, R.Ralf​ Küsters, F.Florian​‌ Moser, J.Johannes​​ Müller and M.Melanie​​​‌ Volkamer. On a​ Study of Mechanisms for​‌ End-to-End Verifiable Online Voting​​ (StuVe).E-Vote-IDVote-ID​​​‌ 2025 - 10th International​ Joint Conference on Electronic​‌ VotingNancy, FranceOctober​​ 2025HALback to​​​‌ text
• 17 inproceedingsC.​Cas Cremers, G.​‌Gal Horowitz, C.​​Charlie Jacomme and E.​​​‌Eyal Ronen. TokenWeaver:​ Privacy Preserving and Post-Compromise​‌ Secure Attestation.2025​​ IEEE Symposium on Security​​​‌ and Privacy (SP 2025)​2025 IEEE Symposium on​‌ Security and Privacy (SP)​​San Francisco, CA, United​​​‌ StatesIEEEMay 2025​, 4173-4191HALDOI​‌back to text
• 18​​ inproceedingsV.Vincent Diemunsch​​​‌, L.Lucca Hirschi​ and S.Steve Kremer​‌. A Comprehensive Formal​​ Security Analysis of OPC​​​‌ UA.Usenix Security​ 2025Seattle (USA), Washington,​‌ United States2025HAL​​back to text
• 19​​​‌ inproceedingsK.Kévin Duverger​, P.-A.Pierre-Alain Fouque​‌, C.Charlie Jacomme​​, G.Guilhem Niot​​​‌ and C.Cristina Onete​. Subversion-resilient Key-exchange in​‌ the Post-quantum World.​​CCS 2025 - 32nd​​ ACM Conference on Computer​​​‌ and Communications SecurityTaipei,‌ TaiwanSeptember 2025,‌​‌ 1-49HALback to​​ text
• 20 inproceedingsS.​​​‌Serdar Erbatur, A.‌ M.Andrew M. Marshall‌​‌, P.Paliath Narendran​​ and C.Christophe Ringeissen​​​‌. Exploring the Knowledge‌ Problems for Graph Embedded‌​‌ Rewrite Systems.UNIF​​ 2025 - Informal Proceedings​​​‌ of the 39th International‌ Workshop on UnificationUNIF‌​‌ 2025 - 39th International​​ Workshop on UnificationBirmingham,​​​‌ United KingdomJuly 2025‌HALback to text‌​‌
• 21 inproceedingsS.Serdar​​ Erbatur, A.Andrew​​​‌ Marshall, P.Paliath‌ Narendran and C.Christophe‌​‌ Ringeissen. Graph-Embedded Rewrite​​ Systems: Combination and Undecidability​​​‌ Results.Lecture Notes‌ in Computer ScienceFrontiers‌​‌ of Combining Systems -​​ 15th International Symposium, FroCoS​​​‌ 202515979Lecture Notes‌ in Computer ScienceReykjavik,‌​‌ IcelandSpringer Nature Switzerland​​September 2026, 209-227​​​‌HALDOIback to‌ text
• 22 inproceedingsS.‌​‌Serdar Erbatur, A.​​ M.Andrew M Marshall​​​‌, P.Paliath Narendran‌ and C.Christophe Ringeissen‌​‌. Knowledge Problems vs​​ Unification and Matching: Dichotomy​​​‌ Results.10th International‌ Conference on Formal Structures‌​‌ for Computation and Deduction​​ (FSCD 2025). Leibniz International​​​‌ Proceedings in Informatics (LIPIcs)‌FSCD 2025 - 10th‌​‌ International Conference on Formal​​ Structures for Computation and​​​‌ Deduction337Birmingham, United‌ KingdomSchloss Dagstuhl –‌​‌ Leibniz-Zentrum für InformatikJuly​​ 2025, 18:1-18:17HAL​​​‌DOIback to text‌
• 23 inproceedingsT.Thomas‌​‌ Haines, R.Rafieh​​ Mosaheb, J.Johannes​​​‌ Müller and R.Reetika‌ Reetika. Zero-Knowledge Proofs‌​‌ from Learning Parity with​​ Noise: Optimization, Verification, and​​​‌ Application.IEEE Computer‌ Security Foundations (CSF) Symposium‌​‌ 2025Santa Cruz, United​​ StatesJune 2025HAL​​​‌
• 24 inproceedingsT.Tobias‌ Hilt, F.Florian‌​‌ Moser, P.Philipp​​ Matheis and M.Melanie​​​‌ Volkamer. Development and‌ Expert Evaluation of an‌​‌ Informative Video concerning Verifiable​​ Internet Voting.Vote-ID​​​‌ 2025 - 10th International‌ Joint Conference on Electronic‌​‌ VotingNancy, FranceOctober​​ 2025HALback to​​​‌ textback to text‌
• 25 inproceedingsP.Pascal‌​‌ Lafourcade, D.Dhekra​​ Mahmoud, S.Sylvain​​​‌ Ruhault and A. R.‌Abdul Rahman Taleb.‌​‌ A Tale of Two​​ Worlds, a Formal Story​​​‌ of WireGuard Hybridization.‌34th Usenix Security Symposium‌​‌ ProceedingsUsenix Security 2025​​Seattle, United StatesAugust​​​‌ 2025, 4937-4956HAL‌back to text
• 26‌​‌ inproceedingsA. E.Ala​​ Eddine Laouir and A.​​​‌Abdessamad Imine. Private‌ Approximate Query over Horizontal‌​‌ Data Federation.Proceedings​​ 28th International Conference on​​​‌ Extending Database Technology (‌ EDBT 2025 ) :‌​‌ Barcelona, Spain, March 25​​ - March 28International​​​‌ Conference on Extending Database‌ Technology28Advances in‌​‌ Database Technology1Barcelona​​ (ES), SpainOpenProceedings.org2025​​​‌, 2367-2005HALDOI‌back to text
• 27‌​‌ inproceedingsA. E.Ala​​ Eddine Laouir and A.​​​‌Abdessamad Imine. RIPOST:‌ Two-Phase Private Decomposition for‌​‌ Multidimensional Data.Computer​​ Security – ESORICS 2025.​​​‌ 30th European Symposium on‌ Research in Computer Security,‌​‌ Toulouse, France, September 22–24,​​ 2025, Proceedings, Part IV​​​‌European Symposium on Research‌ in Computer Security16056‌​‌Lecture Notes in Computer​​​‌ ScienceToulouse, FranceSpringer​ Nature SwitzerlandOctober 2026​‌, 274-293HALDOI​​back to text
• 28​​​‌ inproceedingsR.Rodrigo Raya​ and C.Christophe Ringeissen​‌. Interpolating Parametric Array​​ Theories.Logics in​​​‌ Artificial Intelligence19th European​ Conference on Logics in​‌ Artificial Intelligence, JELIA 2025​​16094Lecture Notes in​​​‌ Computer ScienceKutaisi, Georgia​Springer Nature SwitzerlandAugust​‌ 2026, 182-189HAL​​DOIback to text​​​‌
• 29 inproceedingsR.Rodrigo​ Raya and C.Christophe​‌ Ringeissen. Polite Combination​​ in Parametric Array Theories​​​‌.Lecture Notes in​ Computer ScienceFrontiers of​‌ Combining Systems - 15th​​ International Symposium, FroCoS 2025​​​‌15979Lecture Notes in​ Computer ScienceReykjavik, Iceland​‌Springer Nature SwitzerlandSeptember​​ 2025, 153-168HAL​​​‌DOIback to text​
• 30 inproceedingsW.Wafik​‌ Zahwa, A.Abdelkader​​ Lahmadi, M.Michaël​​​‌ Rusinowitch and M.Mondher​ Ayadi. Deep Reinforcement​‌ Learning for In-Network Placement​​ of ACL Rules Under​​​‌ Constraints.IEEE Explore​CNSM 2025 - 21st​‌ International Conference on Network​​ and Service ManagementBologne,​​​‌ ItalyOctober 2025HAL​back to text

Scientific​‌ books

• 31 bookD.​​David Basin, C.​​​‌Cas Cremers, J.​Jannik Dreier and R.​‌Ralf Sasse. Modeling​​ and Analyzing Security Protocols​​​‌ with Tamarin: A Comprehensive​ Guide.Information Security​‌ and CryptographySpringer; Springer​​ Nature SwitzerlandJuly 2025​​​‌HALDOIback to​ textback to text​‌

Edition (books, proceedings, special​​ issue of a journal)​​​‌

• 32 proceedingsH.Haniel​ Barbosa and C.Christophe​‌ Ringeissen, eds. Proceedings​​ Twentieth International Symposium on​​​‌ Logical and Semantic Frameworks​ with Applications.Logical​‌ and Semantic Frameworks with​​ Applications, LSFA 2025430​​​‌Brasilia, BrazilEPTCS2025​HALDOIback to​‌ text
• 33 proceedingsL.​​Laurent Vigneron and A.​​​‌Ashley Suchy, eds.​ UNIF 2025.Proceedings​‌ of the 39th International​​ Workshop on UnificationBirmingham,​​​‌ United KingdomJuly 2025​HALback to text​‌

Doctoral dissertations and habilitation​​ theses

• 34 thesisE.​​​‌Elise Klein. Formal​ Verification in Practice: Real-World​‌ Case Study and Enhanced​​ Support for AC Operators​​​‌ in Tamarin.Université​ de lorraineDecember 2025​‌HALback to text​​back to text
• 35​​​‌ thesisA. E.Ala​ Eddine Laouir. Privacy-Preserving​‌ Multidimensional Data Analysis :​​ Query Answering and Data​​​‌ Publication under Differential Privacy​.Universite de lorraine​‌November 2025HALback​​ to textback to​​​‌ text
• 36 thesisD.​Dhekra Mahmoud. Security​‌ Protocol Design and Symbolic​​ Analysis : Hybrid Protocols,​​​‌ Derived Adversary Models, and​ Refined Equational Theories.​‌Université Clermont AuvergneJune​​ 2025HALback to​​​‌ textback to text​

Reports & preprints

• 37​‌ miscV.Véronique Cortier​​, A.Alexandre Debant​​​‌, O.Olivier Esseiva​, P.Pierrick Gaudry​‌, A.Audhild Hoegaasen​​ and C.Chiara Spadafora​​​‌. A Practical and​ Fully Distributed E-Voting Protocol​‌ for the Swiss Context​​.December 2025HAL​​​‌back to textback​ to text
• 38 misc​‌J.Jannik Dreier,​​ E.Elise Klein and​​​‌ S.Steve Kremer.​ Tamarin Unchained: Handling User-Defined​‌ AC Operators.August​​ 2025HALback to​​ text

Other scientific publications​​​‌

• 39 miscV.Véronique‌ Cortier, A.Alexandre‌​‌ Debant, J.Jannik​​ Dreier, P.Pierrick​​​‌ Gaudry, L.Lucca‌ Hirschi and S.Steve‌​‌ Kremer. Réponse au​​ projet de mise à​​​‌ jour de la recommandation‌ de la CNIL sur‌​‌ le vote électronique.​​Inria2025HALback​​​‌ to text