2025
Authors
Almeida, JB; Alves, GXDM; Barbosa, M; Barthe, G; Esquível, L; Hwang, V; Oliveira, T; Pacheco, H; Schwabe, P; Strub, PY;
Publication
2025 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, SP
Abstract
We propose a hybrid formal verification approach that combines high-level deductive reasoning and circuit-based reasoning and apply it to highly optimized cryptographic assembly code. Our approach permits scaling up formal verification in two complementary directions: 1) it reduces the proof effort required for low-level functions where the computation logics are obfuscated by the intricate use of architecture-specific instructions and 2) it permits amortizing the effort of proving one implementation by using equivalence checking to propagate the guarantees to other implementations of the same computation using different optimizations or targeting different architectures. We demonstrate our approach via an extension to the EasyCrypt proof assistant and by revisiting formally verified implementations of ML-KEM in Jasmin. As a result, we obtain the first formally verified implementation of ML-KEM that offers performance comparable to the fastest non-verified implementation in x86-64 architectures.
2024
Authors
Almeida, JB; Olmos, SA; Barbosa, M; Barthe, G; Dupressoir, F; Grégoire, B; Laporte, V; Lechenet, JC; Low, C; Oliveira, T; Pacheco, H; Quaresma, M; Schwabe, P; Strub, PY;
Publication
ADVANCES IN CRYPTOLOGY - CRYPTO 2024, PT II
Abstract
We present a formally verified proof of the correctness and IND-CCA security of ML-KEM, the Kyber-based Key Encapsulation Mechanism (KEM) undergoing standardization by NIST. The proof is machine-checked in EasyCrypt and it includes: 1) A formalization of the correctness (decryption failure probability) and IND-CPA security of the Kyber base public-key encryption scheme, following Bos et al. at Euro S&P 2018; 2) A formalization of the relevant variant of the Fujisaki-Okamoto transform in the Random Oracle Model (ROM), which follows closely (but not exactly) Hofheinz, Hovelmanns and Kiltz at TCC 2017; 3) A proof that the IND-CCA security of the ML-KEM specification and its correctness as a KEM follows from the previous results; 4) Two formally verified implementations of ML-KEM written in Jasmin that are provably constant-time, functionally equivalent to the ML-KEM specification and, for this reason, inherit the provable security guarantees established in the previous points. The top-level theorems give self-contained concrete bounds for the correctness and security of ML-KEM down to (a variant of) Module-LWE. We discuss how they are built modularly by leveraging various EasyCrypt features.
2025
Authors
Almeida, JB; Firsov, D; Oliveira, T; Unruh, D;
Publication
PROCEEDINGS OF THE 14TH ACM SIGPLAN INTERNATIONAL CONFERENCE ON CERTIFIED PROGRAMS AND PROOFS, CPP 2025
Abstract
This paper presents a semantic characterization of leakage-freeness through timing side-channels for Jasmin programs. Our characterization covers probabilistic Jasmin programs that are not constant-time. In addition, we provide a characterization in terms of probabilistic relational Hoare logic and prove the equivalence between both definitions. We also prove that our new characterizations are compositional and relate our new definitions to existing ones from prior work, which could only be applied to deterministic programs. To provide practical evidence, we use the Jasmin framework to develop a rejection sampling algorithm and provide an EasyCrypt proof that ensures the algorithm's implementation is leakage-free while not being constant-time.
2010
Authors
Almeida, JB; Bangerter, E; Barbosa, M; Krenn, S; Sadeghi, AR; Schneider, T;
Publication
IACR Cryptology ePrint Archive
Abstract
2012
Authors
Almeida, JB; Barbosa, M; Bangerter, E; Barthe, G; Krenn, S; Béguelin, SZ;
Publication
IACR Cryptology ePrint Archive
Abstract
2010
Authors
Almeida, JB; Bangerter, E; Barbosa, M; Krenn, S; Sadeghi, AR; Schneider, T;
Publication
COMPUTER SECURITY-ESORICS 2010
Abstract
Zero-knowledge proofs of knowledge (ZK-PoK) are important building blocks for numerous cryptographic applications. Although ZK-PoK have a high potential impact, their real world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation are time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a compiler for ZK-PoK protocols based on Sigma-protocols. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order co-domain, needed for privacy-preserving applications such as DAA. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of the soundness of the compiled protocol for a large class of protocols using the Isabelle/HOL theorem prover.
The access to the final selection minute is only available to applicants.
Please check the confirmation e-mail of your application to obtain the access code.