Custom Cryptographic Solutions with Formal Security Guarantees

ERC (European Research Council)HORIZON-ERC-POCID: 101069446
EC Contribution
€1,500
Consortium Size
1 orgs
Start Year
2022
Summary

Modern web applications routinely rely on standardized cryptographic protocols and algorithms to protect sensitive user data. Furthermore, with the advent of blockchains, the imminence of quantum computers, and widespread concerns about privacy in an era of surveillance and machine learning algorithms, enterprises are increasingly turning to sophisticated non-standard cryptographic solutions customized for specific usage scenarios. Unfortunately, cryptographic design and implementation is notoriously error-prone with a long history of design flaws, implementation bugs, and high-profile attacks. This leaves software companies with a difficult choice: every time they deploy a new crypto standard or an innovative cryptographic application that improves the security and privacy of their users, they risk exposing embarrassing flaws in their design or code. The research results of ERC Circus offer a way out of this conundrum by advocating the use of formal verification to build cryptographic software with machine-checked proofs of security and correctness. A landmark output from this project is HACL*, a verified high-performance cryptographic library which is currently used by mainstream software like Mozilla Firefox, Linux Kernel, Tezos Blockchain, and ElectionGuard. We propose to establish a company (called Cryspen) that will transition the research software developed in ERC Circus towards a production-quality ready-to-use verified cryptographic software stack. In addition, Cryspen will offer a developer-friendly verification framework that can be used to build new custom cryptographic solutions in C, Rust, and JavaScript. The goal of this Proof-of-Concept proposal is to fund the initial technical transfer of research software to Cryspen and the business development of this company. Once this transfer is complete, Cryspen will be able to offer long-term service contracts to existing and new users of HACL*, and offer software contracts to enterprises interested in deploying verified cryptographic software.

Consortium (1)

Project Results (6)

Source: CORDIS, the EU research results database.

Publications (5)
Comparse: Provably Secure Formats for Cryptographic Protocols
Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS '23)· 2023DOI
Théophile Wallez, Jonathan Protzenko, and Karthikeyan Bhargavan
From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake
2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)· 2023DOI
Daniel De Almeida Braga; Natalia Kulatova; Mohamed Sabt; Pierre-Alain Fouque; Karthikeyan Bhargavan
TreeSync: Authenticated Group Management for Messaging Layer Security
roceedings of the 32nd USENIX Conference on Security Symposium (SEC '23)· 2023DOI
Théophile Wallez, Jonathan Protzenko, Benjamin Beurdouche, and Karthikeyan Bhargavan
A Symbolic Analysis of Privacy for TLS 1.3 with Encrypted Client Hello
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22)· 2022DOI
Karthikeyan Bhargavan, Vincent Cheval and Christopher A. Wood
Noise*: A Library of Verified High-Performance Secure Channel Protocol Implementations
2022 IEEE Symposium on Security and Privacy (SP)· 2022DOI
S. Ho, J. Protzenko, A. Bichhawat and K. Bhargavan
Deliverables (1)
Data Management Plan