2025Activity​​​‌ reportProject-TeamSPLITS

6.1.1 Easycrypt‌​‌

• Keywords:
  Proof assistant, Cryptography​​
• Functional Description:
  EasyCrypt is​​​‌ a toolset for reasoning‌ about relational properties of‌​‌ probabilistic computations with adversarial​​ code. Its main application​​​‌ is the construction and‌ verification of game-based cryptographic‌​‌ proofs. EasyCrypt can also​​ be used for reasoning​​​‌ about differential privacy.
• URL:‌
  https://­github.­com/­EasyCrypt/­easycrypt
• Publications:
  hal-03352062,‌​‌ hal-03469015
• Contact:
  Gilles Barthe​​
• Participants:
  Benjamin Grégoire, Gilles​​​‌ Barthe, Pierre-Yves Strub, Adrien‌ Koutsos

6.1.2 Jasmin

• Name:‌​‌
  Jasmin compiler and analyser​​
• Keywords:
  Cryptography, Static analysis,​​​‌ Compilers
• Scientific Description:

  Jasmin‌ is a workbench for‌​‌ high-assurance and high-speed cryptography.​​ Jasmin implementations aim at​​​‌ being efficient, safe, correct,‌ and secure.

  Jasmin is‌​‌ both a language and​​ a compiler from this​​​‌ language to assembly. The‌ compiler is written and‌​‌ formally verified for correctness​​ in the Rocq Prover.​​​‌ This justifies that many‌ properties can be proved‌​‌ on a source program​​ and still apply to​​​‌ the corresponding assembly program:‌ safety, termination, functional correctness…‌​‌

  Jasmin comes with a​​ set of tools to​​​‌ reason on Jasmin programs‌ (a safety checker, a‌​‌ type-checker for Constant Time,​​ a type-checker for Speculative​​​‌ Constant Time and an‌ extraction to EasyCrypt to‌​‌ prove properties about the​​ extracted Jasmin program, e.g.​​​‌ functional correctness).

• Functional Description:‌

  The Jasmin programming language‌​‌ smoothly combines high-level and​​ low-level constructs, so as​​​‌ to support “assembly in‌ the head” programming. Programmers‌​‌ can control many low-level​​ details that are performance-critical:​​​‌ instruction selection and scheduling,‌ what registers to spill‌​‌ and when, etc. The​​ language also features high-level​​​‌ abstractions (variables, functions, arrays,‌ loops, etc.) to structure‌​‌ the source code and​​ make it more amenable​​​‌ to formal verification. The‌ Jasmin compiler produces predictable‌​‌ assembly and ensures that​​ the use of high-level​​​‌ abstractions incurs no run-time‌ penalty.

  The semantics is‌​‌ formally defined to allow​​ rigorous reasoning about program​​​‌ behaviors. The compiler is‌ formally verified for correctness‌​‌ (the proof is machine-checked​​ by the Rocq Prover).​​​‌ This ensures that many‌ properties can be proved‌​‌ on a source program​​ and still apply to​​​‌ the corresponding assembly program:‌ safety, termination, functional correctness…‌​‌

  Jasmin programs can be​​​‌ automatically checked for safety​ and termination (using a​‌ trusted static analyzer). The​​ Jasmin workbench leverages the​​​‌ EasyCrypt toolset for formal​ verification. Jasmin programs can​‌ be extracted to corresponding​​ EasyCrypt programs to prove​​​‌ functional correctness, cryptographic security,​ or security against side-channel​‌ attacks (constant-time).

• Release Contributions:​​

  Two major versions and​​​‌ four minor ones were​ published during the year​‌ 2025.

  New features have​​ been implemented in the​​​‌ programming language and its​ compiler, notably support for​‌ the RISC-V architecture, new​​ data-types to simplify safety​​​‌ proofs, and more flexibility​ for “sub-arrays”, allowing to​‌ write more efficient programs.​​

  The documentation of the​​​‌ software has been overhauled,​ vastly enriched and reorganized​‌ to simplify its maintenance​​ and ensure it stays​​​‌ up-to-date.

  Moreover there is​ a sustained work to​‌ fix issues when they​​ are identified and bring​​​‌ improvements to the various​ tools: the compiler, safety​‌ analyzer, constant-time security analyzer,​​ and extraction to EasyCrypt.​​​‌ These various components are​ also better tested.

• News​‌ of the Year:

  Two​​ major versions and four​​​‌ minor ones were published​ during the year 2025.​‌

  New features have been​​ implemented in the programming​​​‌ language and its compiler,​ notably support for the​‌ RISC-V architecture, new data-types​​ to simplify safety proofs,​​​‌ and more flexibility for​ “sub-arrays”, allowing to write​‌ more efficient programs.

• URL:​​
  https://­github.­com/­jasmin-lang/­jasmin
• Publications:
  hal-05466117,​​​‌ hal-05249675, hal-04632106,​ hal-04595591, hal-04691165,​‌ hal-04106448, hal-04218417,​​ hal-03844366, hal-03430789,​​​‌ hal-03352062, hal-02974993,​ hal-02404581, hal-01649140
• Contact:​‌
  Jean-Christophe Léchenet
• Participants:
  Alexandre​​ Bourbeillon, Gaëtan Cassiers, Gilles​​​‌ Barthe, Benjamin Grégoire, Adrien​ Koutsos, Vincent Laporte, Jean-Christophe​‌ Léchenet, Swarn Priya, Santiago​​ Arranz Olmos
• Partners:
  The​​​‌ IMDEA Software Institute, Ecole​ Polytechnique, Universidade do Minho,​‌ Universidade do Porto, Max​​ Planck Institute for Security​​​‌ and Privacy

6.1.3 Bigloo​

• Keyword:
  Compilers
• Functional Description:​‌
  Bigloo is a Scheme​​ implementation devoted to one​​​‌ goal: enabling Scheme based​ programming style where C(++)​‌ is usually required. Bigloo​​ attempts to make Scheme​​​‌ practical by offering features​ usually presented by traditional​‌ programming languages but not​​ offered by Scheme and​​​‌ functional programming. Bigloo compiles​ Scheme modules. It delivers​‌ small and fast stand​​ alone binary executables. Bigloo​​​‌ enables full connections between​ Scheme and C programs​‌ and between Scheme and​​ Java programs.
• Release Contributions:​​​‌
  modification of the object​ system (language design and​‌ implementation), new APIs (alsa,​​ flac, mpg123, avahi, csv​​​‌ parsing), new library functions​ (UDP support), new regular​‌ expressions support, new garbage​​ collector (Boehm's collection 7.3alpha1).​​​‌
• URL:
  http://­www-sop.­inria.­fr/­teams/­indes/­fp/­Bigloo/
• Contact:
  Manuel​ Serrano
• Participant:
  Manuel Serrano​‌

6.1.4 Hiphop.js

• Name:
  Hiphop.js​​
• Keywords:
  Web 2.0, Synchronous​​​‌ Language, Programming language
• Functional​ Description:
  HipHop.js is an​‌ Hop.js DLS for orchestrating​​ web applications. HipHop.js helps​​​‌ programming and maintaining Web​ applications where the orchestration​‌ of asynchronous tasks is​​ complex.
• URL:
  http://­hop.­inria.­fr/­hiphop
• Contact:​​​‌
  Manuel Serrano
• Participant:
  Manuel​ Serrano

6.1.5 Hop

• Keyword:​‌
  Programming language
• Scientific Description:​​

  The Hop programming environment​​​‌ consists in a web​ broker that intuitively combines​‌ in a single architecture​​ a web server and​​​‌ a web proxy. The​ broker embeds a Hop​‌ interpreter for executing server-side​​ code and a Hop​​ client-side compiler for generating​​​‌ the code that will‌ get executed by the‌​‌ client.

  An important effort​​ is devoted to providing​​​‌ Hop with a realistic‌ and efficient implementation. The‌​‌ Hop implementation is validated​​ against web applications that​​​‌ are used on a‌ daily-basis. In particular, we‌​‌ have developed Hop applications​​ for authoring and projecting​​​‌ slides, editing calendars, reading‌ RSS streams, or managing‌​‌ blogs.

• Functional Description:
  Multitier​​ web programming language and​​​‌ runtime environment.
• URL:
  http://­hop.­inria.­fr‌
• Contact:
  Manuel Serrano
• Participant:‌​‌
  Manuel Serrano

7.1.1 Compiling to WebAssembly‌​‌

WebAssembly (Wasm) has been​​ extended to support features​​​‌ such as garbage collection,‌ references, exceptions, and tail‌​‌ calls that facilitate compilation​​ of managed languages. We​​​‌ capture a snapshot of‌ the performance of languages‌​‌ that use these new​​ capabilities from two perspectives.​​​‌ First, we present a‌ language-by-language performance comparison of‌​‌ six managed language implementations​​ on Wasm to the​​​‌ performance of their native‌ implementations. Second, we focus‌​‌ on the implementation of​​ the Bigloo Scheme compiler​​​‌ and explore the impact‌ of different choices for‌​‌ compiling specific aspects of​​ the language. Our findings​​​‌ suggest that Wasm has‌ become a promising compilation‌​‌ target for most managed​​ languages, but that its​​​‌ performance still falls short‌ of that achieved by‌​‌ native code. Our results​​ also show that the​​​‌ quality of the Wasm‌ implementations vary, with the‌​‌ best ones being, on​​ average, about 1.4$\times ‌$ slower than the native‌ backend and the worst‌​‌ ones seeing average slowdowns​​ of more than 8​​​‌$\times$, with some‌ tests even failing to‌​‌ execute correctly.

This work​​ has been presented during​​​‌ the MPLR'25 conference. See‌ 10 for more information.‌​‌

7.1.2 Float Self Tagging​​

Dynamic and polymorphic languages​​​‌ attach information, such as‌ types, to run time‌​‌ objects, and therefore adapt​​ the memory layout of​​​‌ values to include space‌ for this information. This‌​‌ makes it difficult to​​ efficiently implement IEEE754 floating-point​​​‌ numbers as this format‌ does not leave an‌​‌ easily accessible space to​​ store type information. The​​​‌ three main floating-point number‌ encodings in use today,‌​‌ tagged pointers, NaN-boxing, and​​ NuN-boxing, have drawbacks. Tagged​​​‌ pointers entail a heap‌ allocation of all float‌​‌ objects, and NaN/NuN-boxing puts​​ additional runtime costs on​​​‌ type checks and the‌ handling of other objects.‌​‌

This paper introduces self-tagging,​​ a new approach to​​​‌ object tagging that uses‌ an invertible bitwise transformation‌​‌ to map floating-point numbers​​​‌ to tagged values that​ contain the correct type​‌ information at the correct​​ position in their bit​​​‌ pattern, superimposing both their​ value and type information​‌ in a single machine​​ word. Such a transformation​​​‌ can only map a​ subset of all floats​‌ to correctly typed tagged​​ values, hence self-tagging takes​​​‌ advantage of the non-uniform​ distribution of floating point​‌ numbers used in practice​​ to avoid heap allocation​​​‌ of the most frequently​ encountered floats.

Variants of​‌ self-tagging were implemented in​​ two distinct Scheme compilers​​​‌ and evaluated on four​ microarchitectures to assess their​‌ performance and compare them​​ to tagged pointers, NaN-boxing,​​​‌ and NuN-boxing. Experiments demonstrate​ that, in practice, the​‌ approach eliminates heap allocation​​ of nearly all floating-point​​​‌ numbers and provides good​ execution speed of float-intensive​‌ benchmarks in Scheme with​​ a negligible performance impact​​​‌ on other benchmarks, making​ it an attractive alternative​‌ to tagged pointers, alongside​​ NaN-boxing and NuN-boxing.

This​​​‌ work has been presented​ during the OOPSLA'25 conference.​‌ See 9 for more​​ information.

7.1.3 High level​​​‌ languages down to micro-architecture​

Just-in-Time (JIT) compilers are​‌ able to specialize the​​ code they generate according​​​‌ to a continuous profiling​ of the running programs.​‌ This gives them an​​ advantage when compared to​​​‌ Ahead-of-Time (AoT) compilers that​ must choose the code​‌ to generate once for​​ all. Is it possible​​​‌ to improve the performance​ of AoT compilers by​‌ adding Dynamic Binary Modification​​ (DBM) to the executions?​​​‌

We added to the​ Hopc AoT JavaScript compiler​‌ a new optimization based​​ on DBM to the​​​‌ inline cache (IC), a​ classical optimization that dynamic​‌ languages use to implement​​ object property accesses efficiently.​​​‌ Reducing the number of​ memory accesses, as done​‌ by the new optimization,​​ does not reduce execution​​​‌ time on contemporary architectures.​

The DBM optimization we​‌ have implemented is fully​​ operational on x86_64 architectures.​​​‌ We have conducted several​ experiments to evaluate its​‌ impact on performance and​​ to study the reasons​​​‌ of the lack of​ acceleration.

The (negative) result​‌ we presented sheds new​​ light on the best​​​‌ strategy to be used​ to implement dynamic languages.​‌ It tells that the​​ old days, where removing​​​‌ instructions or removing memory​ reads always yielded to​‌ speed up, are over.​​ Nowadays, implementing sophisticated compiler​​​‌ optimizations is only worth​ the effort if the​‌ processor is not able​​ by itself to accelerate​​​‌ the code. This result​ applies to AoT compilers​‌ as well as JIT​​ compilers.

This work has​​​‌ been presented during the​ PROGRAMMING'25 conference 4.​‌

7.3.1​​ Software

Participants: Davide Davoli​​​‌, Tamara Rezk.‌

Operating systems are stratified‌​‌ software ecosystems that manage​​ the interaction between the​​​‌ user application and the‌ hardware resources. The most‌​‌ important component is the​​ kernel that has complete​​​‌ control over the hardware‌ and every application that‌​‌ is running, making it​​ a popular target for​​​‌ attacks. In the current‌ state-of-the-art of security, often‌​‌ referred to as the​​ Spectre era, speculative​​​‌ execution and side-channels are‌ well known to be‌​‌ effective vectors for compromising​​ kernel security.

We show​​​‌ that kernel safety cannot‌ be restored for attackers‌​‌ capable of using side-channels​​ and speculative execution, and​​​‌ introduce enforcement mechanisms that‌ can guarantee speculative kernel‌​‌ safety for safe system​​ calls in the Spectre​​​‌ era. We implement three‌ suitable mechanisms and we‌​‌ evaluate their performance overhead​​ on the Linux kernel.​​​‌

This work has been‌ done with Martin Avanzini‌​‌ from the OLAS team,​​ who co-supervised Davide Davoli​​​‌ together with Tamara Rezk,‌ and published in the‌​‌ ACM Transactions on Privacy​​ and Security journal 3​​​‌.

7.3.2 Preservation of‌ speculative constant time

Participants:‌​‌ Benjamin Grégoire.

Compilers​​ often weaken or even​​​‌ discard software-based countermeasures commonly‌ used to protect programs‌​‌ against side-channel attacks; worse,​​ they may also introduce​​​‌ vulnerabilities that attackers can‌ exploit. The solution to‌​‌ this problem is to​​ develop compilers that preserve​​​‌ such countermeasures. Prior work‌ establishes that (a mildly‌​‌ modified version of) the​​ CompCert and Jasmin formally​​​‌ verified compilers preserve constant-time,‌ an information flow policy‌​‌ that ensures that programs​​ are protected against timing​​​‌ side-channel attacks. However, nothing‌ is known about preservation‌​‌ of speculative constant-time, a​​ strengthening of the constant-time​​​‌ policy that ensures that‌ programs are protected against‌​‌ Spectre-v1 attacks. We first​​ show that preservation of​​​‌ speculative constant-time fails in‌ practice by providing examples‌​‌ of secure programs whose​​ compilation is not speculative​​​‌ constant-time using GCC (GCC‌ -O0 and GCC -O1)‌​‌ and Jasmin. Then, we​​ have defined a proof-of-concept​​​‌ compiler that distills some‌ of the critical passes‌​‌ of the Jasmin compiler​​ and use the Rock​​​‌ proof assistant to prove‌ that it preserves speculative‌​‌ constant-time. Finally, we patch​​​‌ the Jasmin speculative constant-time​ type checker and demonstrate​‌ that all cryptographic implementations​​ written in Jasmin can​​​‌ be fixed with minimal​ impact. This work 1​‌ has been published in​​ ACM SIGPLAN Symposium on​​​‌ Principles of Programming Languages​ (POPL 2025).

7.3.3 Protection​‌ against Spectre RSB

Participants:​​ Benjamin Grégoire.

Recent​​​‌ work shows that language​ support suffices to protect​‌ cryptographic code with minimal​​ overhead against one class​​​‌ of Spectre attacks, Spectre-PHT,​ but leaves an open​‌ question of whether this​​ result can be extended​​​‌ to also cover other​ classes of Spectre attacks.​‌ In this work, we​​ answer this question in​​​‌ the affirmative: We design,​ validate, implement, and verify​‌ an approach to protect​​ cryptographic implementations against all​​​‌ known classes of Spectre​ attacks—the main challenge in​‌ this endeavor is attacks​​ exploiting the return stack​​​‌ buffer, which are known​ as Spectre-RSB. Our approach​‌ combines a new value-dependent​​ information-flow type system that​​​‌ enforces speculative constant-time in​ an idealized model of​‌ transient execution and a​​ compiler transformation that realizes​​​‌ this idealized model on​ the generated low-level code.​‌ Using the Rocq proof​​ assistant, we prove that​​​‌ the type system is​ sound with respect to​‌ the idealized semantics and​​ that the compiler transformation​​​‌ preserves speculative constant-time. We​ implement our approach in​‌ the Jasmin framework for​​ high-assurance cryptography and demonstrate​​​‌ that the overhead incurred​ by full Spectre protections​‌ is below 2% for​​ most cryptographic primitives and​​​‌ reaches only about 5–7%​ for the more complex​‌ post-quantum key-encapsulation mechanism Kyber.​​ This work 6 has​​​‌ been published in the​ International Conference on Architectural​‌ Support for Programming Languages​​ and Operating Systems (ASPLOS​​​‌ 2025).

7.3.4 Using Intel's​ Extended HW/SW Contract for​‌ Secure Compilation of Crypto​​ Code

Participants: Benjamin Grégoire​​​‌.

It is a​ widely accepted standard practice​‌ to implement cryptographic software​​ so that secret inputs​​​‌ do not influence the​ cycle count. Software following​‌ this paradigm is often​​ referred to as “constant-time”​​​‌ software and typically involves​ following three rules: 1)​‌ never branch on a​​ secret-dependent condition, 2) never​​​‌ access memory at a​ secret-dependent location, and 3)​‌ avoid variable-time arithmetic operations​​ on secret data. The​​​‌ third rule requires knowledge​ about such variable-time arithmetic​‌ instructions, or vice versa,​​ which operations are safe​​​‌ to use on secret​ inputs. For a long​‌ time, this knowledge was​​ based on either documentation​​​‌ or microbenchmarks, but critically,​ there were never any​‌ guarantees for future microarchitectures.​​ This changed with the​​​‌ introduction of the data-operand-independent-timing​ (DOIT) mode on Intel​‌ CPUs and, to some​​ extent, the data-independent-timing (DIT)​​​‌ mode on Arm CPUs.​ Both Intel and Arm​‌ document a subset of​​ their respective instruction sets​​​‌ that are intended to​ leak no information about​‌ their inputs through timing,​​ even on future microarchitectures​​​‌ if the CPU is​ set to run in​‌ a dedicated DOIT (or​​ DIT) mode. We have​​​‌ presented a principled solution​ that leverages DOIT to​‌ enable cryptographic software that​​ is future-proof constant-time, in​​​‌ the sense that it​ ensures that only instructions​‌ from the DOIT subset​​ are used to operate​​ on secret data, even​​​‌ during speculative execution after‌ a mispredicted branch or‌​‌ function return location. For​​ this solution, we build​​​‌ on top of existing‌ security type systems in‌​‌ the Jasmin framework for​​ high-assurance cryptography. We then​​​‌ use our solution to‌ evaluate the extent to‌​‌ which existing cryptographic software​​ built to be “constant-time”​​​‌ is already secure in‌ this stricter paradigm implied‌​‌ by DOIT and what​​ is the performance impact​​​‌ to move from constant-time‌ to future-proof constant-time. This‌​‌ work 2 has been​​ published in the journal​​​‌ Transactions on Cryptographic Hardware‌ and Embedded Systems (TCHES‌​‌ 2025).

7.3.5 Hardware

Participants:​​ Davide Davoli, Lucile​​​‌ Magnier, Tamara Rezk‌, Benjamin Grégoire.‌​‌

In the past, we​​ proposed ProSpeCT 14,​​​‌ a generic formal processor‌ model providing provably secure‌​‌ speculation for the constant-time​​ policy. For constant-time programs​​​‌ under a non-speculative semantics,‌ ProSpeCT guarantees that speculative‌​‌ and out-of-order execution cause​​ no microarchitectural leaks. In​​​‌ addition to the formal‌ model, we provided a‌​‌ prototype hardware implementation of​​ ProSpeCT on a RISC-V​​​‌ processor. In order to‌ lower the impact on‌​‌ hardware cost and the​​ cost regarding the required​​​‌ software changes, we are‌ studying possible alternatives solutions‌​‌ to ProSpeCT, extending the​​ RISC-V architecture and associated​​​‌ compilers with specialized instructions‌ and evaluating the performance‌​‌ on different extended RISC-V​​ processors. Lucile Magnier from​​​‌ ENS Saclay was a‌ L3 intern during part‌​‌ of this work (which​​ is still in progress).​​​‌ This work is done‌ in collaborations with researchers‌​‌ from KU Leuven.

7.4.1 A Quantitative Probabilistic‌ Relational Hoare Logic

Participants:‌​‌ Benjamin Grégoire, Davide​​ Davoli.

We introduce​​​‌ eRHL, a program logic‌ for reasoning about relational‌​‌ expectation properties of pairs​​ of probabilistic programs. eRHL​​​‌ is quantitative, i.e., its‌ pre- and post-conditions take‌​‌ values in the extended​​ non-negative reals. Thanks to​​​‌ its quantitative assertions, eRHL‌ overcomes randomness alignment restrictions‌​‌ from prior logics, including​​ PRHL, a popular relational​​​‌ program logic used to‌ reason about security of‌​‌ cryptographic constructions, and apRHL,​​ a variant of PRHL​​​‌ for differential privacy. As‌ a result, eRHL is‌​‌ the first relational probabilistic​​ program logic to be​​​‌ supported by non-trivial soundness‌ and completeness results for‌​‌ all almost surely terminating​​ programs. We show that​​​‌ eRHL is sound and‌ complete with respect to‌​‌ program equivalence, statistical distance,​​ and differential privacy. We​​​‌ also show that every‌ PRHL judgment is valid‌​‌ if and only if​​ it is provable in​​​‌ eRHL. We showcase the‌ practical benefits of eRHL‌​‌ with examples that are​​ beyond reach of PRHL​​​‌ and apRHL. This work‌ 7 has been published‌​‌ in ACM SIGPLAN Symposium​​ on Principles of Programming​​​‌ Languages (POPL 2025).

7.4.2‌ Proofs automation

Participants: Benjamin‌​‌ Grégoire.

Jasmin is​​ a programming language for​​​‌ high-speed and high-assurance cryptography.‌ Correctness proofs of Jasmin‌​‌ programs are typically carried​​ out deductively in EasyCrypt.​​​‌ This allows generality, modularity‌ and composable reasoning, but‌​‌ does not scale well​​ for low-level architecture-specific routines.​​​‌ CryptoLine offers a semi-automatic‌ approach to formally verify‌​‌ algebraically-rich low-level cryptographic routines.​​​‌ CryptoLine proofs are self-contained:​ they are not integrated​‌ into higher-level formal verification​​ developments. We show how​​​‌ to soundly use CryptoLine​ to discharge subgoals in​‌ functional correctness proofs for​​ complex Jasmin programs. We​​​‌ extend Jasmin with annotations​ and provide an automatic​‌ translation into a CryptoLine​​ model, where most complex​​​‌ transformations are certified. We​ also formalize and implement​‌ the automatic extraction of​​ the semantics of a​​​‌ CryptoLine proof to EasyCrypt.​ Our motivating use-case is​‌ the X-Wing hybrid KEM,​​ for which we present​​​‌ the first formally verified​ implementation. This paper 5​‌ has been published to​​ the ACM Conference on​​​‌ Computer and Communications Security​ (CCS 2025), and has​‌ obtain a Distinguished Paper​​ Award.

8.1.1 Inria associate team‌​‌ not involved in an​​ IIL or an international​​​‌ program

Participants: Erven Rohou‌, Manuel Serrano,‌​‌ Marc Feeley.

• Title:​​​‌
  COLD
• Partner Institution(s):
  Inria​ Rennes (leader), University of​‌ Montreal (CANADA)

Cold is​​ an Inria/University of Montreal​​​‌ associated team studying compilation​ techniques for dynamic languages.​‌ It is co-funded by​​ Inria and the University​​​‌ of Montreal. Erven Rohou​ is the leader of​‌ the team.

Dynamic programming​​ languages offer flexibility and​​​‌ generally facilitate rapid software​ development. Programs written using​‌ dynamic languages are typically​​ slower, consume more memory,​​​‌ and are less energy​ efficient. This is especially​‌ concerning, considering that dynamic​​ languages such as Python​​​‌ and JavaScript are extensively​ used. JavaScript is the​‌ main language for implementing​​ web applications, while Python​​​‌ is the most used​ language for software development​‌ today and in particular​​ in the very active​​​‌ field of Machine Learning​ and Artificial Intelligence.

To​‌ solve this issue, our​​ team researches optimizing compilation​​​‌ techniques for dynamic languages.​ Such techniques generate optimized​‌ code when translating a​​ program from its source​​​‌ code to machine code.​ This provides better performance​‌ without having to sacrifice​​ the flexibility of dynamic​​​‌ languages. Furthermore, since novel​ optimizing techniques can be​‌ integrated into existing compilers,​​ they can improve current​​​‌ programs with no additional​ effort by the application​‌ programmers.

In the last​​ decades, the discovery of​​​‌ tracing just-in-time compilation and​ advances in partial evaluation​‌ have significantly improved the​​ performance of dynamic languages.​​​‌ However, work remains to​ be done to bridge​‌ the gap between dynamic​​ and static languages, a​​​‌ performant yet less flexible​ family of languages. Bridging​‌ this gap will enable​​ significant savings in execution​​​‌ time and energy efficiency​ globally.

8.1.2 Participation in​‌ other International Programs

8.2.1 Visits of​​ international scientists

• Gilles Barthe​​​‌
  • Affiliation:
    MPI, Bochum, Germany​
  • Subject:
    We worked on​‌ several topics related to​​ the Formosa cryptography project,​​​‌ in particular on Jasmin​ and EasyCrypt, as well​‌ as on the implementation​​ of the eRHL logic,​​​‌ in collaboration with Martin​ Avanzini (OLAS).
  • Date/Duration:
    May​‌ 19-30, August 25 to​​ Sep 16, Oct 27​​​‌ to Nov 5, Dec​ 8 to 19
• Marc​‌ Feeley
  • Affiliation:
    University of​​ Montreal, Quebec, Canada
  • Subject:​​
    During the visit of​​​‌ M. Feeley, we studied‌ new implementation techniques for‌​‌ dynamic languages
  • Date/Duration:
    July​​ 2025

8.2.2 Visits to​​​‌ international teams

8.3.1 Action Exploratoire:‌​‌ AoT.js – Optimizing Compilation​​ from Higher-Order Programming to​​​‌ Computer Architecture

Participants: Erven‌ Rohou, Manuel Serrano‌​‌.

This action exploratoire​​ is bi-localized in Rennes​​​‌ and Sophia-Antipolis.

JavaScript programs‌ are typically executed by‌​‌ a JIT compiler, able​​ to handle efficiently the​​​‌ dynamic aspects of the‌ language. However, JIT compilers‌​‌ are not always viable​​ or sensible (e.g.,​​​‌ on constrained IoT systems,‌ due to secured read-only‌​‌ memory (W$\oplus$X),​​ or because of the​​​‌ energy spent recompiling again‌ and again). We propose‌​‌ to rely on ahead-of-time​​ compilation, and achieve performance​​​‌ thanks to optimistic compilation,‌ and detailed analysis of‌​‌ the behavior of the​​ processor, thus requiring a​​​‌ wide range of expertise‌ from high-level dynamic languages‌​‌ to microarchitecture.

8.3.2 PEPR​​

Participant: Benjamin Grégoire,​​​‌ Jean-Christophe Léchenet, Paolo‌ Torrini.

• Title:
  SVP‌​‌ PEPR Cybersecurity. ]
• Partner​​ Institution(s):
  CNRS IRISA Rennes​​​‌ (coordinator Stéphanie Delaune), Inria,‌ University of Paris-Saclay, University‌​‌ of Lorraine, University Côte​​ d’Azur, ENS Rennes
• Date/Duration:​​​‌ 2022-2028

We participate in‌ a project concerned with‌​‌ the verification of security​​ protocols. The funds allocated​​​‌ to our team in‌ this collaboration are 333‌​‌ KEuros. The corresponding researcher​​ for this contract is​​​‌ Benjamin Grégoire.

8.3.3 HOPR‌

Participant: Benjamin Grégoire.‌​‌

HOPR (Higher-Order Probabilistic and​​ resource-aware Reasoning) aims at​​​‌ investigating logical and semantical‌ frameworks to reason on‌​‌ computation including higher-order, probabilistic​​ and resource-bounded aspects. It​​​‌ explores applications to cryptography‌ and to differential privacy.‌​‌ This project started in​​ January 2025, for a​​​‌ duration of 4 years.‌

8.3.4 Twinsec

Participant: Tamara‌​‌ Rezk.

• Title: Digital​​ Twin for Hardware Security​​​‌
• Partners: CEA, GRENOBLE INP-UGA,‌ CNRS, Mines Saint Etienne,‌​‌ CentraleSupelec
• Duration: From December​​ 16, 2024 to February​​​‌ 15, 2028
• Abstract: The‌ TwinSec project, entitled “Digital‌​‌ Twin for Hardware Security,”​​ is conducted under the​​​‌ CEA High-Risk Research Program,‌ as defined in the‌​‌ grant agreement “ANR-24-RRII-0004” between​​ the French National Research​​​‌ Agency (ANR) and the‌ CEA. Within this project,‌​‌ SPLiTS contributes to the​​ work package focused on​​​‌ software–hardware contracts for binary‌ analysis.

8.4.1 Actions de Développement​​ Technologique

Participant: Benjamin Grégoire​​​‌, Côme Le Breton‌, Jean-Christophe Léchenet.‌​‌

We carried out an​​ Action de Développement Technologique​​​‌ initiative with SED engineers‌ from the AMDT team.‌​‌ The goal was to​​ improve an important component​​​‌ of the Jasmin framework,‌ the safety checker. While‌​‌ the Jasmin compiler had​​ been updated in 2022​​​‌ to support multiple target‌ architectures, the same move‌​‌ had not been performed​​ yet for the safety​​​‌ checker, still available only‌ on x86. This project‌​‌ made the safety checker​​ also available on ARM​​​‌ and RISC-V.

9.1.1 Scientific events: organization​​​‌

Tamara Rezk organized together​ with Martin Avanzini and​‌ Davide Sangiorgi from OLAS,​​ a workshop entitled "TSuNAMI​​​‌ — Trusted and Secure​ systems: Novel Approaches in​‌ Methods and Inference" at​​ Inria, June 10, 2025.​​​‌

9.1.2 Scientific events: selection​

9.1.3 Journal

9.1.4​​ Invited talks

• Tamara Rezk​​​‌ was:
  • Invited speaker at​ the 10th AMSEC Workshop​‌ on system security,​​ "On Kernel’s Safety in​​​‌ the Spectre Era", Amsterdam,​ March 18, 2025.
  • Keynote​‌ speaker at the Chalmers​​ ICT Security Workshop, "Micro-architectural​​​‌ attacks, a crucial intersection​ of software and hardware​‌ security", Gothenburg, March 20,​​ 2025,
  • Speaker at the​​​‌ Stevens Institute of Technology,​ "On Kernel’s Safety in​‌ the Spectre Era", New​​ York, July 11, 2025.​​​‌

9.1.5 Scientific expertise

• Tamara​ Rezk participated in the​‌ committee of iCore 2025​​ to rank security conferences.​​​‌
• Tamara Rezk participated in​ the committee of WWTF​‌ 2025 to select project​​ proposals for funding.
• Tamara​​​‌ Rezk was a member​ of the Committee Meeting​‌ for promotion to MdC​​ level 1 at Eurecom​​​‌ in June 2025.
• Tamara​ Rezk was a member​‌ of the Expert Panel​​ of Mathematics, Computer Science,​​​‌ and Informatics of the​ Estonian Research Council in​‌ May 2025.

9.1.6 Research​​ administration

• Ilaria Castellani is​​​‌ a member of the​ INRIA Gender Equality and​‌ Equal Opportunities Committee.
• Tamara​​ Rezk is a member​​​‌ of the Bureau de​ CP.
• Benjamin Grégoire is​‌ a member of the​​ Comité de Suivi Doctoral.​​​‌

9.2.1​​ Teaching

Tamara Rezk taught​​​‌ courses in Université Côte​ d'Azur, Chalmers, and École​‌ Polytechnique.

9.2.2 Supervision

• PhD​​ defended in November 2025​​​‌ 13: Davide Davoli​ , co-supervised by Martin​‌ Avanzini and Tamara Rezk​​ .
• PhD discontinued: Aurore​​​‌ Poirier, co-supervised by Erven​ Rohou and Manuel Serrano​‌ .
• PhD in progress:​​ Olivier Melancon , co-supervised​​​‌ by Marc Feeley and​ Manuel Serrano .
• PhD​‌ in progress: Lucas Tabari-Maujean​​ , co-supervised by Thomas​​​‌ Roches and Benjamin Grégoire​ .
• PhD in progress:​‌ Guilhem Mizrahi , co-supervised​​ by Pierre-Yves Strub, Adrian​​​‌ Thillard, and Benjamin Grégoire​ .
• PhD in progress:​‌ Mehdi Golpayegani (officially in​​ the OLAS team), co-supervised​​​‌ by Martin Avanzini (OLAS)​ and Benjamin Grégoire .​‌
• Master in progress: Maria​​ Emilia Caldara (University of​​ Córdoba, Argentina) is working​​​‌ on a master dissertation‌ under the supervision of‌​‌ Tamara Rezk .

9.2.3​​ Juries

• Tamara Rezk was​​​‌ a member of the‌ PhD jury of Afiqah‌​‌ AZAHARI (supervisor: Davide Balzarotti),​​ Eurecom, December 2025.
• Tamara​​​‌ Rezk was a member‌ of the PhD jury‌​‌ of Enrico Barberis (supervisor:​​ Herbert Bos), VU Amsterdam,​​​‌ March 2025.
• Tamara Rezk‌ was a member of‌​‌ the HDR jury of​​ Ronan Lashermes, May 2025.​​​‌
• Benjamin Grégoire was a‌ reviewer for the PhD‌​‌ of Pierrick PHILIPPE (supervisors:​​ Pierre-Alain Fouque and Mohamed​​​‌ Sabt).
• Ilaria Castellani was‌ a reviewer for the‌​‌ PhD thesis of Andrea​​ Esposito (supervisor: Marco Bernardo),​​​‌ Università di Urbino Carlo‌ Bo, Italy, May 2025.‌​‌
• Manuel Serrano was a​​ reviewer for the PhD​​​‌ thesis of Cameron Moy‌ (supervisor: Matthias Felleisen), University‌​‌ of Northeastern, USA, December​​ 2025.

International journals

• 1‌​‌ articleS.Santiago Arranz​​ Olmos, G.Gilles​​​‌ Barthe, L.Lionel‌ Blatter, B.Benjamin‌​‌ Grégoire and V.Vincent​​ Laporte. Preservation of​​​‌ Speculative Constant-time by Compilation‌.Proceedings of the‌​‌ ACM on Programming Languages​​9POPLJanuary 2025​​​‌, 1293 - 1325‌HALDOIback to‌​‌ text
• 2 articleS.​​Santiago Arranz-Olmos, G.​​​‌Gilles Barthe, B.‌Benjamin Grégoire, J.‌​‌Jan Jancar, V.​​Vincent Laporte, T.​​​‌Tiago Oliveira and P.‌Peter Schwabe. Let’s‌​‌ DOIT: Using Intel’s Extended​​ HW/SW Contract for Secure​​​‌ Compilation of Crypto Code‌.IACR Transactions on‌​‌ Cryptographic Hardware and Embedded​​ Systems20253June​​​‌ 2025, 644-667HAL‌DOIback to text‌​‌
• 3 articleD.Davide​​ Davoli, M.Martin​​​‌ Avanzini and T.Tamara‌ Rezk. Comprehensive Kernel‌​‌ Safety in the Spectre​​ Era: Mitigations and Performance​​​‌ Evaluation.ACM Transactions‌ on Privacy and Security‌​‌June 2025HALDOI​​back to text
• 4​​​‌ articleA.Aurore Poirier‌, E.Erven Rohou‌​‌ and M.Manuel Serrano​​. An Attempt to​​​‌ Catch Up with JIT‌ Compilers: The False Lead‌​‌ of Optimizing Inline Caches​​.The Art, Science,​​​‌ and Engineering of Programming‌106February 2025‌​‌HALDOIback to​​ text

International peer-reviewed conferences​​​‌

• 5 inproceedingsJ. B.‌José Bacelar Almeida,‌​‌ M.Manuel Barbosa,​​ G.Gilles Barthe,​​​‌ L.Lionel Blatter,‌ G.Gustavo Delerue,‌​‌ J. D.João Diogo​​ Duarte, B.Benjamin​​​‌ Grégoire, T.Tiago‌ Oliveira, M.Miguel‌​‌ Quaresma, P.-Y.Pierre-Yves​​ Strub, M.-H.Ming-Hsien​​​‌ Tsai, B.-Y.Bow-Yaw‌ Wang and B.-Y.Bo-Yin‌​‌ Yang. Jazzline: Composable​​ CryptoLine Functional Correctness Proofs​​​‌ for Jasmin Programs.‌Proceedings of the 2025‌​‌ ACM SIGSAC Conference on​​ Computer and Communications Security,​​​‌ {CCS} 2025, Taipei, Taiwan,‌ October 13-17, 2025CCS‌​‌ 2025 - 2025 ACM​​ SIGSAC Conference on Computer​​​‌ and Communications SecurityTaipei,‌ TaiwanNovember 2025,‌​‌ 1409 - 1423HAL​​DOIback to text​​​‌back to text
• 6‌ inproceedingsS.Santiago Arranz‌​‌ Olmos, G.Gilles​​ Barthe, C.Chitchanok​​​‌ Chuengsatiansup, B.Benjamin‌ Grégoire, V.Vincent‌​‌ Laporte, T.Tiago​​​‌ Oliveira, P.Peter​ Schwabe, Y.Yuval​‌ Yarom and Z.Zhiyuan​​ Zhang. Protecting cryptographic​​​‌ code against Spectre-RSB (and,​ in fact, all known​‌ Spectre variants).ASPLOS​​ '25: 30th ACM International​​​‌ Conference on Architectural Support​ for Programming Languages and​‌ Operating Systems2Rotterdam,​​ NetherlandsACMMarch 2025​​​‌, 933-948HALDOI​back to text
• 7​‌ inproceedingsM.Martin Avanzini​​, G.Gilles Barthe​​​‌, D.Davide Davoli​ and B.Benjamin Grégoire​‌. A Quantitative Probabilistic​​ Relational Hoare Logic.​​​‌ACM Digital LibraryPOPL​ 2025 - 52nd ACM​‌ SIGPLAN Symposium on Principles​​ of Programming Languages9​​​‌Proceedings of the ACM​ on Programming LanguagesPOLP​‌ 2025Denver (Colorado), United​​ StatesJanuary 2025HAL​​​‌DOIback to text​
• 8 inproceedingsJ.-C.Jean-Christophe​‌ Léchenet. Mechanized Dominator​​ Tree Certification.Proceedings​​​‌ of the 15th ACM​ SIGPLAN International Conference on​‌ Certified Programs and Proofs​​ (CPP ’26)CPP 2026​​​‌ - 15th ACM SIGPLAN​ International Conference on Certified​‌ Programs and ProofsRennes,​​ FranceACMJanuary 2026​​​‌HALDOI
• 9 inproceedings​O.Olivier Melançon,​‌ M.Manuel Serrano and​​ M.Marc Feeley.​​​‌ Float Self-Tagging.OOPSLA​ 20259OOPSLA2Singapour,​‌ SingaporeOctober 2025,​​ 1620-1646HALDOIback​​​‌ to text
• 10 inproceedings​M.Manuel Serrano and​‌ R. B.Robert Bruce​​ Findler. A Snapshot​​​‌ of the Performance of​ Wasm Backends for Managed​‌ Languages.MPLR '25:​​ 22nd ACM SIGPLAN International​​​‌ Conference on Managed Programming​ Languages and RuntimesSingapore​‌ Singapore, SingaporeACMOctober​​ 2025, 93-106HAL​​​‌DOIback to text​
• 11 inproceedingsP.Paolo​‌ Torrini and B.Benjamin​​ Gregoire. Interaction Trees​​​‌ and Verified Compilation (Extended​ Abstract).https://coq-workshop.gitlab.io/2025Rocqshop'25​‌Reykjavik, IcelandSeptember 2025​​, 3HALback​​​‌ to text

Conferences without​ proceedings

• 12 inproceedingsG.​‌Giovanni Bernardi, I.​​Ilaria Castellani, P.​​​‌Paul Laforgue and L.​Léo Stefanesco. Constructive​‌ characterisations of the must-preorder​​ for asynchrony.ESOP​​​‌15694Lecture Notes in​ Computer ScienceHamilton, Ontario,​‌ Canada, CanadaSpringer Nature​​ SwitzerlandMay 2025,​​​‌ 88-116HALDOIback​ to text

Doctoral dissertations​‌ and habilitation theses

• 13​​ thesisD.Davide Davoli​​​‌. Provable security for​ kernels and cryptography in​‌ the presence of speculative​​ execution.Université Côte​​​‌ d'AzurOctober 2025HAL​back to text