Cryspen

Software Verification in Lean

Wed, 22 Apr 2026 00:00:00 +0000

This week in Paris, Cryspen is delighted to be co-hosting Software Verification in Lean 2026, a workshop and associated hackathon organized by the Beneficial AI Foundation and the Lean FRO.

The strengths and limits of formal verification

Thu, 12 Feb 2026 00:00:00 +0000

I have learned that it is important to be precise when documenting the guarantees offered by formally verified code, and to resist the temptation of simplifying things too much in trying to reach a larger audience. In my talks, to my students, and to our users and customers, we always clearly describe our coding, testing, and verification methodologies, explain what we verify and against what specifications, elaborate our trust assumptions, and detail the limitations of our approach.

PSQ: Post-Quantum Shared Secrets Made Easy

Mon, 02 Feb 2026 00:00:00 +0000

We’re pleased to announce the PSQ protocol for establishing a hybrid post-quantum shared secret between two parties.

Cryptographic protocols, which exclusively rely on classical public key cryptography for establishing shared secrets, may be vulnerable to harvest-now-decrypt-later (HNDL) quantum attacks. However, many protocols in widespread use today allow injecting a previously established pre-shared key (PSK) into the computation of the shared secret. If we can establish this pre-shared key in a way that is secure against HNDL attackers, we can provide an easy way of protecting many applications without having to touch their internals.

Cryspen Welcomes Alex

Mon, 10 Nov 2025 00:00:00 +0000

This month, we welcome Alexander Bentkamp (Alex) as the newest member of our team.

Alex joins us with a strong background in automated and interactive theorem proving, where his passion for formal proofs has driven a series of influential contributions. He completed his PhD at the Vrije Universiteit Amsterdam under the supervision of Jasmin Blanchette, Uwe Waldmann, and Wan Fokkink, developing a novel proof automation method for higher-order logic. The prover he co-developed based on this method went on to win the annual CASC competition multiple times and is now integrated into the Isabelle/HOL proof assistant.

Formally Specifying and Testing the Rust Standard Library

Tue, 28 Oct 2025 00:00:00 +0000

Modern programming languages typically come with a large standard library that implements essential language features like machine arithmetic and I/O, offers efficient data structures, provides interfaces to system libraries, etc. Although it is often overlooked, this standard library should be considered as much part of the trusted computing base (TCB) as the language compiler. Indeed, any bug in the standard library is likely to break applications and could result in security vulnerabilities.

Helping Secure Signal's Post-Quantum Transition

Thu, 02 Oct 2025 00:00:00 +0000

Signal just announced the deployment of their new post-quantum ratcheting protocol, called the Sparse Post-Quantum Ratchet (SPQR), and Cryspen is proud to have contributed to the formal analysis of the design and implementation of this new Signal feature.

PQC Support for JZLint

Mon, 11 Aug 2025 00:00:00 +0000

We joined forces with MTG AG, a leader in public key infrastructures, to release JZLint 2.0 with support for analyzing post-quantum (PQC) certificates and their public keys.

Research @ Cryspen

Mon, 14 Jul 2025 00:00:00 +0000

Cryspen is deeply committed to cutting-edge research in formal verification tools and provably secure cryptographic solutions. We engage in long-term collaborations with universities and research institutes, and we seek to bridge the gap between academic research and their industrial application, allowing us to bring state-of-the-art research results directly into all our products and services.

Tooling for Automated Benchmarking and Visualization

Tue, 08 Jul 2025 00:00:00 +0000

Maintaining peak software performance is a critical aspect of our development process, and early regression detection is non-negotiable. At Cryspen, we’ve addressed this by implementing an automated, multi-platform benchmarking system. This post will detail the enhancements we’ve made to our workflows, allowing us to preemptively identify performance issues. Besides focusing on algorithm benchmarks, we utilize a tracing strategy for our protocol code. This method allows us to measure performance on live code. In addition, we will explore the tools and methods designed for creating comprehensive, informative visualizations of benchmark data, applicable to our wide range of projects and repositories.

Cryspen Welcomes Clement

Tue, 13 May 2025 00:00:00 +0000

The team here at Cryspen is thrilled to welcome to our newest member, Clement!

Clement joins us fresh from his impressive journey as a PhD student at Inria Paris, where he was part of the Cambium team. His doctoral work focused on the formalization of the powerful but intricate typing system of OCaml modules. Under the supervision of Didier Rémy and Gabriel Radanne, Clement delved deep into the theoretical underpinnings of this masterpiece of language design.

MLS Group State Forks: What, Why, How

Thu, 03 Apr 2025 00:00:00 +0000

Group state forks are faulty states that MLS groups can end up in. This article looks at what they are exactly, how that happens and how to resolve them. We also look at a new OpenMLS feature that makes fork resolutions a little easier.

Cryspen @ RWC 2025

Thu, 27 Mar 2025 00:00:00 +0000

Real World Crypto 2025 buzzed with energy as the cutting edge of cryptography was presented to and discussed among an audience of leading researchers and developers from academia and industry. Today, on the second day of the conference, Cryspen teamed up with Google to showcase practical, scalable, verified solutions for high-assurance software and post-quantum cryptography.

Control flow analysis with hax

Wed, 26 Mar 2025 00:00:00 +0000

A difficulty of formal verification is that specifying programs can be hard. Certain kinds of programs can end up having a specification that is as complex as the code itself. In this case it is better to focus on more interesting and understandable properties rather than an equivalence proof with a specification.

Cryspen Welcomes Clara

Mon, 10 Feb 2025 00:00:00 +0000

We’re thrilled to officially welcome Clara to the Cryspen team! Clara brings a fantastic blend of experiences and a passion for open-source that aligns perfectly with our mission. Let’s get to know her a little better.

X25519MLKEM768 TLS-Handshake in Bertie

Thu, 19 Dec 2024 00:00:00 +0000

Summer is over for some months on the northern hemisphere, and so is the draft phase of NISTs post-quantum cryptographic standards. Since August 13, 2024, FIPS has standardized Kyber as ML-KEM in FIPS 203 for PQ encryption, Dilithium as ML-DSA and and SPHINCS+ as SLH-DSA in FIPS 204 and FIPS 205, respectively, for PQ digital signatures. Read more on how we at Cryspen are building formally verified implementations of these standards, previously on this blog.

Cryspen @ VSTTE 2024

Mon, 14 Oct 2024 00:00:00 +0000

Verified Software: Theories, Tools, and Experiments is a conference that aims to advance the state of the art in software verification.

Cryspen @ Crypto 2024

Tue, 20 Aug 2024 00:00:00 +0000

Crypto is the top international conference on cryptography and is held every year (since 1981) in Santa Barbara, California. This year, Crypto invited Karthikeyan Bhargavan, our Chief Research Scientist, to give a talk on the use of formal methods in cryptography.

Formally Verified Post-Quantum Cryptography

Mon, 19 Aug 2024 00:00:00 +0000

The US National Institute of Standards and Technology (NIST) just released the first three standards for Post-Quantum KEMs (ML-KEM) and Signatures (ML-DSA, SLH-DSA). This first official publication of Post-Quantum Cryptography (PQC) standards represents a significant step forward in securing the Internet, and organizations across the globe, against the future threat of quantum computers.

Announcing the hax Playground

Wed, 14 Aug 2024 00:00:00 +0000

We’re proud to announce the hax playground! Inspired by the Rust Playground, the hax playground allows you to play with hax directly in your web browser!

Cryspen Welcomes Maxime

Tue, 06 Aug 2024 00:00:00 +0000

We’re thrilled to announce that Maxime Buyse has joined the Cryspen team as a Formal Verification Engineer! 🎉

Maxime is a whiz when it comes to formal methods, software verification, compilers, and functional programming. His expertise will be instrumental in supercharging our tools like hax and making them even easier to use.

High Assurance IoT PQC

Mon, 05 Aug 2024 00:00:00 +0000

Together with our sister-company CryptoEng, we extend our libcrux cryptographic library with support for resource constrained IoT devices. Read their announcement here. The libcrux-iot library contains high performance, high assurance implementations of post-quantum, as well as classical, cryptographic primitives.

Cryspen @ FMCP 2024

Sun, 28 Jul 2024 00:00:00 +0000

The US National Institute of Standards and Technology (NIST) publishes a number of important cryptographic standards (including upcoming ones for post-quantum cryptography), and runs the cryptographic algorithm and module validation programs that validate and issue certificates to cryptographic libraries.

Unlocking New Possibilities

Fri, 19 Jul 2024 00:00:00 +0000

We have been developing the hax toolchain over the last two years, in collaboration with research teams at Inria and the University of Aarhus. To showcase its capabilities we have successfully applied it to ML-KEM and Bertie. Others are using it to create new ground-breaking research results.

Post-Quantum TLS in Bertie

Wed, 03 Jul 2024 00:00:00 +0000

The prospect of quantum computers breaking most public key encryption in use today has created the need for new schemes that can resist classical and potential quantum attackers alike. Some of these schemes, such as ML-KEM and ML-DSA, are currently in the final stages of standardizations by NIST. Before fully transitioning to post-quantum secure cryptography, an important first step many organizations are taking is protecting against Harvest Now Decrypt Later (HNDL) attacks, where data is collected and stored today, and later decrypted once cryptanalysis improves. Signal recently introduced PQXDH, which protects against these attacks. Google’s Chrome browser is using the X25519Kyber768Draft00 hybrid KEM cipher suite in TLS, which combines a post-quantum secure KEM with the classical key exchange. Cloudflare, which is serving a big chunk of the internet, supports it as well.

Cryptographic protocol verification with hax

Wed, 05 Jun 2024 00:00:00 +0000

This blog post details an example of how to use our hax toolchain for verifying the security of cryptographic protocol implementations written in Rust.

Conference Talks

Tue, 23 Apr 2024 00:00:00 +0000

Cryspen attended a number of conference in April and March. Here is a list of all slides and videos.

We will update links when more resources become available.

Post-Quantum OpenMLS

Thu, 11 Apr 2024 00:00:00 +0000

OpenMLS now offers security against harvest-now-decrypt-later (HNDL) quantum adversaries.

In #1546 we merged support for the X-Wing KEM draft, which is an early draft for securely combining elliptic-curve-based Diffie-Hellman with ML-KEM. In particular, OpenMLS now supports the ciphersuite MLS_256_XWING_CHACHA20POLY1305_SHA256_Ed25519 with ciphersuite 0x004D. There is no IANA code-point for this ciphersuite yet, such that interoperability may not be guaranteed. We work with other implementers towards interoperability of this ciphersuite.

Post-Quantum Group Messaging

Wed, 10 Apr 2024 00:00:00 +0000

With multiple post-quantum cryptographic algorithms (ML-KEM, ML-DSA) nearing standardization, enterprises, research groups, and standards bodies have started investigating what post-quantum secure protocols should look like and what properties they should satisfy.

Verifying Libcrux's ML-KEM

Tue, 30 Jan 2024 00:00:00 +0000

In a recent blog post, we described Cryspen’s new Rust implementation of ML-KEM in Rust, and talked about how our high-assurance development methodology helped us find a new timing bug in various other Kyber implementations.

Verified ML-KEM (Kyber) in Rust

Tue, 16 Jan 2024 00:00:00 +0000

ML-KEM, previously known as Kyber, is the first post-quantum secure key-encapsulation mechanism (KEM) to get standardised by NIST in FIPS 203.

Cryspen has built a new high assurance Rust implementation of ML-KEM, using our verification framework hax and F*. Our implementation is among the fastest portable implementations that we know of (see Performance comparison), and helped uncover a timing bug (also called KyberSlash) in various Kyber implementations that would allow an attacker to recover the private key.

Welcome Jan & Lucas

Mon, 08 Jan 2024 00:00:00 +0000

📢 Exciting News! Cryspen is thrilled to announce the addition of two exceptional minds to our team: Dr. Lucas Franceschino and Jan Winkelmann.

An Analysis of Signal's PQXDH

Fri, 20 Oct 2023 00:00:00 +0000

Signal recently published a new, post-quantum secure, version of their X3DH protocol called PQXDH. As with any new cryptographic protocol, it is important to precisely analyse its security properties, especially for something as important as Signal.

Announcing Campus Cyber Circus Project

Wed, 20 Sep 2023 00:00:00 +0000

🎉 We’re excited to announce that Cryspen partnered with Inria on a transfer project to build a new integrated development and verification environment (IDVE). The project is part of the transfer program at Campus Cyber, which brings together France’s top cybersecurity experts.

Specifying Oblivious Pseudonymization

Mon, 18 Sep 2023 00:00:00 +0000

In this blog post we announce an executable specification in the hacspec specification language for the ScrambleDB pseudonymization system, developed by Cryspen as part of the BMBF ATLAS project.

Internet Defense Prize 2023

Mon, 14 Aug 2023 00:00:00 +0000

At the 32nd Usenix Security Symposium in Anaheim CA, a paper on the Messaging Layer Security Protocol, co-authored by our founders Jonathan Protzenko and Karthikeyan Bhargavan, was awarded both the Distinguished Paper Award and the prestigious Internet Defense Prize.

Prairie and Atlas

Wed, 09 Aug 2023 00:00:00 +0000

With the widespread adoption and deployment of machine learning across enterprises, ever-increasing amounts of data are being collected, stored, communicated, combined, and computed over by sophisticated algorithms. In parallel, new governmental regulations and rising concerns about privacy are giving impetus to new research on how to protect the confidentiality, integrity and privacy of all this data.

Three (thousand) may keep a secret

Mon, 31 Jul 2023 00:00:00 +0000

“Three may keep a secret, if two of them are dead.” - Benjamin Franklin (1735)

However skeptical we may be of our human ability to keep secrets, we still routinely participate in group conversations that we would like to keep away from prying eyes. We exchange confidential work emails through corporate mail servers, discuss project internals on private Slacks, and exchange deeply personal information with family and friends on WhatsApp groups. The loss of this private data to malicious outsiders can result in public embarrassment, financial loss, and for vulnerable persons like journalists or activists, even threats to life and liberty.

MLS - RFC 9420

Tue, 18 Jul 2023 00:00:00 +0000

✨ We are thrilled to announce the release of the MLS specification as RFC 9420.

RFC 9420 is a comprehensive description of the first standardised, efficient, asynchronous, key establishment protocol with forward secrecy and post-compromise security for groups in size ranging from two to thousands. While Cryspen didn’t exist back when the MLS working group was established, our co-founder Karthik played a pivotal role in designing MLS from the beginning by contributing to the original design of TreeKEM, the basis of MLS today.

Welcome Jonas

Mon, 10 Jul 2023 00:00:00 +0000

📢 Exciting News! 🚀 We are thrilled to welcome Dr. Jonas Schneider-Bensch, to the Cryspen family as our newest R&D Cryptography Engineer!

Cryspen @ RWC 2023

Mon, 12 Jun 2023 00:00:00 +0000

At Real World Crypto 2023 in Tokyo, we gave a talk on the hacspec language, the hax tool, and the libcrux crypto library.

About Cryspen

Sun, 01 Jan 2023 00:00:00 +0000

Cryspen was founded in December 2021 by Franziskus Kiefer, Karthikeyan Bhargavan, and Jonathan Protzenko, with the goal of adapting and extending cutting-edge formal verification tools developed at research labs like Inria and applying them to commercial software development. All three co-founders have a demonstrated track record of solving challenging problems in high-assurance high-performance cryptographic software development, both in research and industry.

Advanced Cryptographic Implementations

Sun, 01 Jan 2023 00:00:00 +0000

TBD

Diversity, Equity, and Inclusion

Sun, 01 Jan 2023 00:00:00 +0000

Cryspen is committed to creating a diverse, equitable, and inclusive workplace where all employees feel valued, respected, and empowered. This policy outlines our commitment to fostering a positive and productive work environment that celebrates differences and promotes equal opportunities for all.

HACL

Sun, 01 Jan 2023 00:00:00 +0000

HACL is a set of formally verified cryptographic libraries in C, JavaScript, OCaml, and Rust. The libraries are based on the HACL* research project, originally developed by Inria and Microsoft Research.

hacspec

Sun, 01 Jan 2023 00:00:00 +0000

hacspec is a language and framework for writing succinct, executable, formally verifiable specifications for cryptographic components.

Syntactically, hacspec is a purely functional subset of Rust that aims to be readable by developers, cryptographers, and verification experts. An application developer can use hacspec to specify and prototype cryptographic components in Rust, and then replace this specification with a verified implementation before deployment.

High Assurance Software Toolchain

Sun, 01 Jan 2023 00:00:00 +0000

Cryspen collaborates with the Prosecco team at Inria to develop a usable, robust, development environment and verification toolchain for security critical software.

High Assurance Software Toolchain

Sun, 01 Jan 2023 00:00:00 +0000

With hax, you can achieve a new level of confidence in the safety, security, and reliability of your software.

Try it online

Key benefits of Hax:

How we Work

Sun, 01 Jan 2023 00:00:00 +0000

Cryspen is a boutique development and consulting studio focused on bringing state-of-the-art privacy and cryptography solutions to customers, using cutting-edge formal methods. We closely collaborate with research groups at Inria and elsewhere to help them improve their research software analysis tools and apply them to industrial design and software development.

HPKE

Sun, 01 Jan 2023 00:00:00 +0000

HPKE is scheme provides a variant of public-key encryption of arbitrary-sized plaintexts for a recipient public key. It includes three authenticated variants, including one which authenticates possession of a pre-shared key, and two optional ones which authenticate possession of a KEM private key. HPKE works for any combination of an asymmetric key encapsulation mechanism (KEM), key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman key agreement, HKDF, and SHA2.

Impressum

Sun, 01 Jan 2023 00:00:00 +0000

Company Name: Cryspen Sarl

Registered Office: 149 Avenue du Maine, 75014 Paris, France

Email: info@cryspen.com

Managing Director: Franziskus Kiefer

Registration Number: 908 684 848 R.C.S. Paris

Jobs

Sun, 01 Jan 2023 00:00:00 +0000

libcrux

Sun, 01 Jan 2023 00:00:00 +0000

Libcrux is a cryptographic library written almost entirely in Rust, a modern programming language that is known for its safety and performance. It provides a wide range of cryptographic primitives, including symmetric encryption, asymmetric encryption, digital signatures, hash functions, post-quantum KEMs and post-quantum signatures.

OpenMLS

Sun, 01 Jan 2023 00:00:00 +0000

Messaging Layer Security (MLS) is a security layer for end-to-end encrypting communication in large dynamic groups. It has been specified by the IETF MLS working group and designed to be efficient, practical and secure.

Post Quantum Transition

Sun, 01 Jan 2023 00:00:00 +0000

As the threat of quantum computing grows, businesses and organizations need to start planning for the post quantum transition. This means migrating their processes and applications to use post quantum cryptography, which is resistant to attacks by quantum computers.

Secure Group Communication

Sun, 01 Jan 2023 00:00:00 +0000

With new regulations like the Digital Market Act, companies now have to embrace interoperability, especially when it comes to communications and messaging. The new standard that the industry is converging on is the IETF MLS protocol. We are experts in MLS and have contributed a formal security analysis, reference implementation, and improvements to the standard. We help maintain OpenMLS, a flagship Rust implementation of MLS.

Verify your Security

Sun, 01 Jan 2023 00:00:00 +0000

Security protocols and constructions are pervasive. Some are well-known, like TLS; but your organization may be using custom security mechanisms for identity management, key propagation, secure storage… Having complete confidence in such a design requires an in-depth security analysis that covers side-channels, cryptographic design, and software design. Only specialists can perform an analysis that covers all of these.

HACL Packages v0.6

Mon, 07 Nov 2022 00:00:00 +0000

Today, we announce the first release of the HACL Packages libraries. 🎉

This release of HACL packages includes the first release of the HACL C library and a new release of the hacl-star OCaml bindings.

OpenMLS

Wed, 19 Oct 2022 00:00:00 +0000

We have joined forces with our friends from Phoenix R&D to improve OpenMLS.

The MLS protocol draft is in the IETF working group’s last call and is thus on track to become an RFC soon. We want to make sure that OpenMLS is ready for wider adoption by the time the RFC is ready. To achieve this we start by catching up with all the changes to the protocol (up to the current draft-16), improving test coverage of the code, and working towards a more comprehensive test framework for interoperability.

HACL Packages

Tue, 07 Jun 2022 00:00:00 +0000

Earlier this year, Tezos and Nomadic Labs started to work with Cryspen to improve HACL* and ensure that it is a viable long-term solution for Tezos' cryptographic needs. HACL is a set of high assurance cryptographic primitives used by Tezos for most of its cryptography.

What is High Assurance Cryptography?

Mon, 02 May 2022 00:00:00 +0000

Cryspen builds high assurance cryptography. But what does this actually mean?

Before focusing on cryptography it is interesting to look at high assurance software in general. How is high assurance software different from other software?

An Executable HPKE Specification

Thu, 24 Feb 2022 00:00:00 +0000

HPKE, published as RFC 9180, describes a scheme for hybrid public key encryption.

📚 Read our TL;DR on HPKE if you need more background on HPKE.

TL;DR - Hybrid Public Key Encryption

Thu, 24 Feb 2022 00:00:00 +0000

HPKE, defined in RFC 9180, is a CFRG standard that describes a scheme for hybrid public key encryption. It is co-authored by my Cryspen co-founder Karthikeyan Bhargavan and one of his PhD students Benjamin Lipp as part of his research at Inria.

Cryspen ERC PoC Grant

Thu, 10 Feb 2022 00:00:00 +0000

Cryspen co-founder Karthik Bhargavan got awarded an ERC Proof of Concept grant for commercialising the know-how and landmark research results from his Inria research group PROSECCO through Cryspen.