The Joint EasyCrypt-F*-CryptoVerif School 2014

From prosecco

Abstract

The school takes place 24-28 November in Paris and is aimed at teaching participants how to use three state-of-the-art security verification tools: EasyCrypt, F*, and CryptoVerif, as well as give participants a glimpse of the formal foundations behind these tools.

EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of game-based cryptographic proofs. EasyCrypt was used to prove the security of complex cryptographic constructions, including the Cramer-Shoup encryption scheme, the Merkle-Damgaard iterative hash function design, and the ZAEP encryption scheme. More recently, it has been used for proving the security of protocols based on garbled circuits, and for the proof of security for authenticated key-exchange protocols and derived proofs under weaker assumptions.

F* is a new ML-like functional programming language designed with program verification in mind. It has a powerful refinement type-checker that discharges verification conditions using the Z3 SMT solver. F* has been successfully used to verify nearly 50,000 lines of code, ranging from cryptographic protocol implementations to web browser extensions, and from cloud-hosted web applications to key parts of the F* compiler itself. The newest version on F* erases to both F# and OCaml, on which it is based. It also compiles securely to JavaScript, enabling safe interoperability with arbitrary, untrusted JavaScript libraries.

CryptoVerif is an automatic protocol prover sound in the computational model. It can prove secrecy and correspondences (e.g. authentication). The generated proofs are by sequences of games, as used by cryptographers. CryptoVerif was successfully used for security proofs of FDH signatures, Kerberos, OEKE, and the SSH transport layer protocol.

The presented tools have been developed at

CNRS        ENS        IMDEA      INRIA    Microsoft Research      Microsoft Research Inria Joint Centre

Report

A report on the school appeared in the SIGLOG Newsletter, Volume 2, Number 1 from January 2015.

Lecturers and tutorial aides

Participants will attend lectures and hands-on tutorials, under the guidance of members from the tools' developer teams:

Invited speakers

While the school is targeted mostly at explaining the three tools, we're also planning two sessions of invited talks, a longer one Wednesday morning and a short one Friday morning.

Organization

Anna Bednarik, Karthikeyan Bhargavan, Cătălin Hriţcu (contact), Pierre-Yves Strub

Student volunteers: Evmorfia-Iro Bartzia, Benjamin Beurdouche, Antoine Delignat-Lavaud, and Jean Karim Zinzindohoué

Materials

Registration

  • The school has filled up completely, we have no space for additional participants.

Locations

We have two locations:

Schedule

Monday, November 24th 2014

Time Maison Internationale, Cite Universitaire Room
09.15 - 10.15 EasyCrypt lecture - Introduction (Gilles) Salon David Weill
10.15 - 10.30 break
10.30 - 11.30 EasyCrypt lecture - An introduction to EasyCrypt (Benjamin)
11.30 - 11.45 break
11.45 - 12.45 EasyCrypt lecture - Proving in EasyCrypt and pRHL in practice (Pierre-Yves)
12.45 - 14.15 lunch Restaurant Universitaire
14.15 - 15.45 EasyCrypt tutorial - Exercices Salon David Weill
+ Salle Orange at INRIA
   (25 minutes walk)
15.45 - 16.15 break
16.00 - 17.30 EasyCrypt tutorial

Tuesday, November 25th 2014

Time Maison Internationale, Cite Universitaire Room
09.15 - 10.15 EasyCrypt lecture - Theories, Cloning and Modules (François) Salon David Weill
10.15 - 10.30 break
10.30 - 11.30 EasyCrypt lecture - High-level Proof Principles (Benedikt)
11.30 - 11.45 break
11.45 - 12.45 EasyCrypt lecture - Overview and perspectives (Gilles)
12.45 - 14.15 lunch Restaurant Universitaire
14.15 - 15.45 EasyCrypt tutorial - Exercices Salon David Weill
+ Salle Orange at INRIA
   (25 minutes walk)
15.45 - 16.15 break
16.00 - 17.30 EasyCrypt tutorial
18.00 - 20:00 Cryptosense Reception Le Vin Qui Danse, Gobelins
(25 minutes walk from CiteU)

Wednesday, November 26th 2014

Time UPMC - Campus des Cordeliers Room
09:00 - 10:00 F* lecture: High-level introduction (Nikhil) Amphitheatre Gustave Roussy
10:00 - 10:15 short break
10:15 - 10:45 Véronique Cortier: Type-Based Verification
of Electronic Voting Protocols
(Invited Talk)
10:45 - 11:15 Matteo Maffei: Logical Foundations of Secure Resource
Management in Protocol Implementations
(Invited Talk)
11:15 - 11:30 short break
11:30 - 12:00 Hubert Comon: Unconditional Soundness (Invited Talk)
12:00 - 12:30 CryptoVerif lecture: sneak preview (Bruno)
12:30 - 14:30 lunch break
14.30 - 19:00 F* tutorial: Basic F* Amphitheatre Gustave Roussy
+ Room Déjerine (35 people)
19:00 - 21:00 Social dinner Bouillon Racine (2 minutes walk)

Thursday, November 27th 2014

Time UPMC - Campus des Cordeliers Room
9:00 - 9:30 F* lecture: Advanced F* (Nikhil) Amphitheatre Gustave Roussy
9:30 - 10:00 F* lecture: miTLS (Antoine)
10:00 - 10:15 short break
10:15 - 11:15 F* lecture: Types for Modular Cryptography (Cedric)
11:15 - 11:30 short break
11:30 - 12:30 F* lecture: Types for Modular Cryptography (Cedric)
12:30 - 14:30 lunch break
14:30 - 16:30 F* tutorial: Verifying Simple Cryptography (Cedric, Markulf, Nikhil) Rooms Déjerine and Leroux
(35 people each)
16:30 - 17:00 break
17.00 - 18:00 F* tutorial: Simply Typed Lambda Calculus (Catalin, Chantal)

Friday, November 28th 2014

Time Maison Internationale, Cite Universitaire Room
09:00 - 10:30 CryptoVerif lecture (Bruno) Salon Salon David Weill
10:30 - 11:00 break
11:00 - 12:30 CryptoVerif lecture (Bruno)
13:00 - 14:30 lunch break Restaurant Universitaire
14:30 - 16:00 CryptoVerif tutorial Salon Salon David Weill
16:00 - 16:30 break
16.30 - 18:00 CryptoVerif tutorial

Photos

Download

Hardware and software

Roughly half of the time of the school is devoted to hands-on exercise sessions and tutorials. Participants are expected to bring their own laptop with EasyCrypt, F*, and CryptoVerif installed. More details e.g. about precise versions and setup will be communicated on the participants' mailing list.

Social dinner

Cryptosense reception

Travel, food, and accommodation

Participants are expected to make their own travel, food, and accommodation arrangements. Paris offers many great alternatives. The only exceptions are for invited speakers, for the shared hotel rooms (financial support), and for the social dinner (see above).

Sponsors

This school is financially supported by the Prosecco team at INRIA Paris-Rocquencourt with funds from the ERC Starting Grant CRYSP. The EPSRC CryptoForma network on formal methods and cryptography sponsors a number of grants for UK attendees. The MSR-Inria Joint Centre sponsors the social dinner. Cryptosense organizes and sponsors the reception.

CNRS    INRIA    ERC    CryptoForma      Microsoft Research Inria Joint Centre      Cryptosense