CORDIS - EU research results

Custom Cryptographic Solutions with Formal Security Guarantees

Periodic Reporting for period 1 - CRYSPEN (Custom Cryptographic Solutions with Formal Security Guarantees)

Reporting period: 2022-04-01 to 2023-09-30

With the advent of blockchains, the imminence of quantum computers, and widespread concerns about privacy, enterprises are turning to sophisticated cryptographic solutions customized for their specific needs. Unfortunately, cryptographic design and implementation is notoriously error-prone, with a long history of design flaws, implementation bugs, and high-profile attacks. The results of ERC Circus offer a way forward by using formal verification to build cryptographic software with machine-checked proofs of security and correctness. The EU-funded Cryspen project proposes to establish a company that will transition the research software developed in ERC Circus towards production-quality, ready-to-use verified cryptographic solutions in C, Rust, and JavaScript. The project seeks to fund the technical transfer of research results and the business development of the new company.
We incorporated a new company called Cryspen in December 2021. The company has three co-founders, including the PI.
During the course of this PoC project, Inria and Cryspen collaborated to achieve the following results:

- Formally Verified Cryptography:
We successfully achieved the transfer of the HACL* research project to a production-ready library, via the development and release of the HACL packages repository by Cryspen, which includes a continuous integration framework, and incorporates extensive testing and benchmarking on all popular platforms.
Code from this library is already used in the Tezos blockchain and Mozilla Firefox, and HACL Packages are available as open source projects on GitHub.
Cryspen also built upon HACL Packages to release libcrux, a formally verified cryptographic library tailored to Rust applications.

- Messaging Layer Security:
The PI and Cryspen have also been working on the design and implementation of the MLS protocol recently standardized at the IETF.
They contributed to the design and analysis of the MLS standard, and published a paper that won the Internet Defense Prize.
Cryspen contributes to the OpenMLS implementation, which is used by multiple companies, including Wire and Matrix.

- Transport Layer Security:
We successfully negotiated a tech transfer contract between Inria and Cryspen for the Bertie TLS 1.3 protocol implementation.
Bertie is now being developed by Cryspen with the goal of commercialization.
Cryspen and Inria also collaborated on the formal analysis of new extensions to the TLS protocol, publishing multiple papers.

- Rust Verification Toolchain:
Inria and Cryspen developed a new domain-specific language called hacspec which can be used to specify and implement cryptographic software in Rust.
They are also building a toolchain called hax that can verify Rust programs against specifications written in hacspec.
This toolchain is being used to formally verify Bertie and libcrux.

In summary, the PI, along with collaborators at Inria and Cryspen, has achieved and exceeded the goals set out for this PoC project.
We end the project with five software products at various levels of maturity, with two already being used in production environments (TRL 6).
We have also established a company that is self-sustaining and growing, based on the results of this PoC project.
All our projects straddle the boundary between research and advanced development, and our work often results in both publications and usable software.
The results we obtained in this project exceeded the state of the art in at least three ways:

- A Complete Formally Verified Crypto Library: While there are many cryptographic libraries, and some of them include formally verified code, our libraries (HACL*, HACL Packages, and libcrux) are the only ones to support a complete suite of verified algorithms, including encryption schemes, hash algorithms, elliptic curves, signature schemes, key exchange mechanisms, and post-quantum cryptography.

- Secure Group Messaging: Our research and implementation work on the MLS protocol is at the cutting edge of both research and industrial applications. Our research has won awards, and our implementation is in high demand.

- Practical Rust Verification: Rust is a relatively modern language but is quickly gaining popularity, especially for security-sensitive use cases. Our hax verification toolchain is one of a few approaches that have been proposed in recent years, but is the first to be applied to cryptographic software.
Our other projects are also straddling h