Deploy Jasmin to Europe — José Bacelar Almeida 🇵🇹 (Universidade do Minho) + Gilles Barthe 🇫🇷 (IMDEA Madrid 🇪🇸 / Max Planck 🇩🇪), the Language for High-Assurance High-Speed Cryptography, on EU Infrastructure in 2026

When the Heartbleed bug exposed OpenSSL's memory safety failures in 2014, and when Lucky Thirteen showed that timing side-channels could break TLS despite "correct" cryptographic logic, the cryptographic engineering community recognised a fundamental problem: conventional programming languages — C, C++, even assembly — cannot simultaneously guarantee correctness, constant-time execution, and high performance. You can have two of the three, but not all three.

Jasmin solves this problem. It is a programming language specifically designed for writing cryptographic code that is simultaneously fast, formally verified for functional correctness, and machine-checked to be constant-time — immune to timing side-channel attacks. The language was created by a team of European researchers as the implementation layer of a complete formal verification pipeline that begins with EasyCrypt security proofs and ends with verified x86-64 assembly.

José Bacelar Almeida 🇵🇹 (Universidade do Minho 🇵🇹), Manuel Barbosa 🇵🇹 (Universidade do Porto 🇵🇹), Gilles Barthe 🇫🇷 (IMDEA Software Madrid 🇪🇸 → Max Planck Institute Bochum 🇩🇪), Arthur Blot 🇫🇷 (INRIA Sophia Antipolis 🇫🇷), Benjamin Grégoire 🇫🇷 (INRIA Sophia Antipolis 🇫🇷), Vincent Laporte 🇫🇷 (IMDEA Madrid 🇪🇸), Tiago Oliveira 🇵🇹 (Universidade do Porto 🇵🇹), Hugo Pacheco 🇵🇹 (Universidade do Minho 🇵🇹), Pierre-Yves Strub 🇫🇷 (IMDEA Madrid 🇪🇸 → École Polytechnique 🇫🇷), and Dominique Unruh 🇩🇪 (University of Tartu 🇪🇪) published "Jasmin: High-Assurance and High-Speed Cryptography" at CCS 2017 (ACM Conference on Computer and Communications Security). The Jasmin implementations of ChaCha20-Poly1305, SHA-3, BLAKE2, Curve25519, Ed25519, and Poly1305 now run inside Firefox, the Linux kernel, and the Signal Protocol — verified from proof to binary by a team spread across five EU and EEA countries.

The Cryptographic Implementation Problem

Implementing cryptography correctly in software is notoriously difficult. Three independent failure modes must each be addressed:

Functional correctness: the implementation must compute exactly what the specification says, under all inputs, all memory configurations, all register states. A single edge case — an off-by-one in a modular reduction, an incorrect carry propagation — produces an incorrect result that may be cryptographically exploitable.

Memory safety: cryptographic code is a prime attack target. Buffer overflows, use-after-free, stack smashing — any memory safety violation can be exploited to extract secret key material or bypass security logic entirely.

Constant-time execution: cryptographic code must execute in time that is independent of secret values. Any secret-dependent branch, any secret-dependent memory access, any secret-dependent loop count creates a timing side-channel. Bleichenbacher's 1998 RSA oracle exploited microsecond timing differences. Lucky Thirteen exploited nanosecond differences in HMAC verification. Remote timing attacks across network links have been demonstrated repeatedly.

Hand-optimised assembly achieves performance but provides no correctness guarantees. High-level languages (C, Rust) provide safety but obscure timing properties — the compiler may introduce secret-dependent branches during optimisation. Previous formally verified cryptographic libraries (e.g., F*/KreMLin → C) verified functional correctness but could not machine-check constant-time properties end-to-end through the compiler.

Jasmin addresses all three simultaneously.

What Jasmin Is

Jasmin is a typed assembly-like programming language positioned midway between high-level languages and raw assembly. It exposes registers, memory layout, and instruction-level control while providing a formal semantics that enables machine-checked verification.

Language Design

A Jasmin function looks like structured assembly:

// ChaCha20 quarter round — x86-64 with explicit registers
fn quarterround(
  reg u32 a b c d
) ->
  reg u32, reg u32, reg u32, reg u32
{
  a = #ADD_32(a, b);   // add: a += b
  d = #XOR(d, a);      // xor: d ^= a
  d = #ROL_32(d, 16);  // rotate left: d <<<= 16
  c = #ADD_32(c, d);
  b = #XOR(b, c);
  b = #ROL_32(b, 12);
  a = #ADD_32(a, b);
  d = #XOR(d, a);
  d = #ROL_32(d, 8);
  c = #ADD_32(c, d);
  b = #XOR(b, c);
  b = #ROL_32(b, 7);
  return a, b, c, d;
}

Key design features:

Register types: reg u32, reg u64, reg bool — values live in registers with explicit types. The compiler proves register allocation correct by construction.

Memory types: [u8 256] (stack arrays), mem u64 (heap pointers) — memory accesses carry bounds information that the safety checker verifies.

Inline functions: inline prefix eliminates function call overhead while preserving verification structure. The compiler expands inlines before verification.

Intrinsics: #ADD_32, #XOR, #ROL_32, #MULX_64, #ADCX_64, #VPSHUFB_256 — direct access to x86-64/AVX2/AVX-512 instructions with formal semantics.

Control flow: for, while, if/else with the constraint that loop bounds must be statically known — Jasmin is not Turing-complete by design; termination is guaranteed.

The Jasmin Compiler

The Jasmin compiler (jasminc) transforms Jasmin source to x86-64 assembly through a sequence of verified passes:

Jasmin source (.jazz)
        ↓  type checking + safety conditions
Jasmin IR (explicit register allocation)
        ↓  verified compilation (Coq proof)
x86-64 assembly (.s)

The compiler is verified in Coq: a machine-checked proof establishes that for any Jasmin program P and x86-64 assembly Q produced by the compiler, the semantics of Q refines the semantics of P. This semantic preservation proof means: any property proved about the Jasmin source holds for the compiled assembly.

This is the same approach as CompCert (Xavier Leroy, INRIA Paris → Collège de France), but specialised for cryptographic code with explicit register and memory models matching x86-64 semantics.

Constant-Time Verification

The most distinctive Jasmin feature is machine-checked constant-time verification.

Constant-time is formalised as a non-interference property: for any two executions that agree on public inputs but differ on secret inputs, the sequence of memory addresses accessed and the sequence of branch decisions must be identical. No timing side-channel is possible if this holds.

Jasmin verifies constant-time via a type system: annotations mark values as #secret (secret key material) or #public (non-secret data). The type checker enforces:

• No #secret value appears as a branch condition
• No #secret value appears as a memory index
• All operations on #secret values produce #secret outputs

This check is performed on the Jasmin IR after register allocation and before assembly output — verifying the property at the instruction level, not the source level, ensuring compiler transformations cannot introduce violations.

// constant-time key loading: secret key from memory, no branches on key bits
fn load_key(
  #secret reg ptr u8[32] key
) ->
  #secret reg u64[4]
{
  #secret reg u64 k0, k1, k2, k3;
  k0 = (u64)[key + 0];    // load: secret, no branch
  k1 = (u64)[key + 8];
  k2 = (u64)[key + 16];
  k3 = (u64)[key + 24];
  return k0, k1, k2, k3;
}

The EasyCrypt–Jasmin–HACL* Pipeline

Jasmin is the middle layer of a three-stage formally verified cryptographic pipeline:

EasyCrypt (.ec files)
  Security proofs: game-based IND-CCA₂, INT-CTXT, PRF, etc.
  pRHL judgments: ⊢ c₁ ~ c₂ : Φ / Ψ
        ↓ specification extraction
Jasmin (.jazz files)
  High-speed assembly-like implementation
  Type-checked: register types, memory bounds
  CT-checked: no secret-dependent branches or indices
  Verified compiler: Coq semantic preservation proof
        ↓ jasminc
x86-64 assembly (.s files)
  HACL* library: ChaCha20, Poly1305, SHA-3, Curve25519, Ed25519
  Deployed: Firefox (NSS), Linux kernel, Signal

Each layer has machine-checked correctness guarantees. The composition gives an end-to-end formal chain: from the game-based security proof in EasyCrypt to the binary that runs in Firefox.

What HACL* Contains in Jasmin

HACL* (High-Assurance Cryptographic Library) includes Jasmin-implemented primitives that replace hand-written assembly in production software:

For Curve25519 and Ed25519, the full EasyCrypt security proof connects to the Jasmin implementation: the EasyCrypt proof establishes the mathematical security of the Diffie-Hellman key exchange and the Ed25519 signature scheme; the Jasmin implementation carries a machine-checked proof that it correctly computes the same function; the compiler proof transfers the guarantee to x86-64 assembly.

The EU Cryptographic Engineering Cluster

Jasmin is not an isolated project — it sits at the centre of a cluster of formally verified cryptographic tools, all EU-origin:

EasyCrypt (Barthe 🇫🇷, Grégoire 🇫🇷, Barbosa 🇵🇹 — IMDEA/INRIA/Porto): security proofs. ML-KEM FIPS 203 formally verified.

Jasmin (Almeida 🇵🇹, Barbosa 🇵🇹, Barthe 🇫🇷, Grégoire 🇫🇷 — Minho/Porto/IMDEA/INRIA): assembly-level implementation. HACL* primitives.

F* (Swamy, Maffei, Bhargavan 🇫🇷 — INRIA Paris/MSR Cambridge): higher-level verified implementation language. Produces C via KreMLin. HACL* higher-level library.

Vale (Bond, Hawblitzel, Kapritsos, Leino, Lorch, Parno, Rane, Setty, Thompson — Microsoft Research): x86-64 verification framework for AES-GCM, SHA-256.

HACL* = F* + Jasmin hybrid: F* for higher-level algorithms, Jasmin for inner loops and platform-specific primitives. Both formally verified, combined into a single library deployed at Mozilla, Linux Foundation, and Open Whisper Systems.

The same core EU team (Barthe, Grégoire, Barbosa, Strub) appears across EasyCrypt, Jasmin, F*, and HACL*. This is the EU's most productive formally verified cryptography group — and it is entirely funded by EU research institutions and grants.

Deploying Jasmin on sota.io

The primary Jasmin deployment scenario is a CI/CD verification service: your cryptographic implementation is compiled and verified on every commit, with the verified binary deployed to your service.

Step 1: Build the Jasmin Docker Image

FROM ubuntu:22.04

RUN apt-get update && apt-get install -y \
    opam git build-essential \
    libgmp-dev m4 pkg-config \
    nasm && \
    rm -rf /var/lib/apt/lists/*

# Install Jasmin via opam
RUN opam init --auto-setup --bare --yes && \
    opam switch create jasmin ocaml-base-compiler.4.14.0 && \
    opam install -y jasmin

WORKDIR /crypto
COPY . .

# Compile Jasmin source to x86-64 assembly
CMD ["bash", "-c", "opam exec -- jasminc -o output.s src/chacha20.jazz && echo COMPILED_OK"]

Step 2: Write a Jasmin Cryptographic Primitive

// Salsa20 core — 20-round quarter round chain
// All operations on secret key material are CT-checked

param int ROUNDS = 20;

export fn salsa20_core(
  reg ptr u32[16] output,
  #secret reg ptr u32[16] input
) ->
  reg ptr u32[16]
{
  stack u32[16] x;
  reg u32 t;
  inline int i;

  for i = 0 to 16 {
    x[i] = input[i];     // load: secret operand, no branch
  }

  inline int r;
  for r = 0 to ROUNDS / 2 {
    // column round
    x[4]  ^= (x[0]  + x[12]) #<< 7;
    x[8]  ^= (x[4]  + x[0])  #<< 9;
    x[12] ^= (x[8]  + x[4])  #<< 13;
    x[0]  ^= (x[12] + x[8])  #<< 18;
    // row round (abbreviated)
    x[1]  ^= (x[0]  + x[3])  #<< 7;
    x[2]  ^= (x[1]  + x[0])  #<< 9;
    x[3]  ^= (x[2]  + x[1])  #<< 13;
    x[0]  ^= (x[3]  + x[2])  #<< 18;
  }

  for i = 0 to 16 {
    output[i] = x[i] + input[i];
  }
  return output;
}

Step 3: Deploy to sota.io

# One-command deployment of your crypto verification service
sota deploy --name jasmin-verifier --dockerfile Dockerfile

# Or using the sota.io natural language interface:
# "Deploy this as a cryptographic verification CI service"

Step 4: CI/CD Integration

# .github/workflows/verify-crypto.yml
name: Verify Cryptographic Implementation
on: [push, pull_request]
jobs:
  jasmin-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Compile + CT-check Jasmin on EU infrastructure
        run: |
          curl -X POST https://jasmin-verifier.sota.io/verify \
            -F "source=@src/chacha20.jazz" \
            -H "Authorization: Bearer ${{ secrets.SOTA_TOKEN }}"
      - name: Deploy verified assembly
        if: success()
        run: |
          curl -X POST https://jasmin-verifier.sota.io/deploy \
            -H "Authorization: Bearer ${{ secrets.SOTA_TOKEN }}"

The service compiles the Jasmin source, runs the constant-time checker, links the verified assembly into your crypto library, runs the test vectors from the IETF specification, and logs every verification result to EU-hosted persistent storage. If CT-check fails (secret-dependent branch introduced), the CI step fails — no silent regressions.

Jasmin in the EU Regulatory Landscape

BSI TR-02102 — PQC Migration 🇩🇪

BSI's Technical Guideline mandates migration to ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium) for German federal agencies and regulated industries. Jasmin provides the machine-checked implementation layer for these algorithms: the ML-KEM Jasmin implementation carries both an EasyCrypt IND-CCA₂ proof and a constant-time verification certificate — the highest currently achievable assurance for PQC migration.

ANSSI PQC Roadmap 🇫🇷

ANSSI's post-quantum migration guidance for French critical infrastructure references the INRIA/IMDEA ecosystem (Barthe's group). Jasmin constant-time proofs — produced by the same INRIA team — are directly relevant to ANSSI's call for formally verified PQC implementations.

CRA 2027 — Cyber Resilience Act

Jasmin constant-time verification directly addresses the timing side-channel vulnerability class. CWE-208 (Observable Timing Discrepancy), CWE-385 (Covert Timing Channel) — both formally eliminated by machine-checked CT proofs. For products placed on the EU market after 2027, Jasmin CT certificates constitute "state of the art" evidence for timing side-channel freedom.

NIS2 Art. 21(2)(h) — Cryptographic Measures

Operators of essential services must use "appropriate cryptographic measures." For EU critical infrastructure (banking, energy, healthcare, transport), Jasmin-verified implementations provide machine-checked evidence that cryptographic primitives are both functionally correct and timing-safe — satisfying the spirit of NIS2's cryptographic risk management requirements.

FIPS 140-3 — Cryptographic Module Validation

HACL* (including Jasmin primitives) is used in Project Everest (Microsoft Research Cambridge 🇬🇧 + INRIA Paris 🇫🇷), which targets FIPS 140-3 validation of formally verified cryptographic implementations. Jasmin's machine-checked correctness and CT proofs support the evidence package for module validation.

EU AI Act Art. 9 — Risk Management

For AI systems using cryptographic components (authentication, data integrity, secure communication), Jasmin verification provides the highest-assurance evidence that cryptographic primitives behave correctly under all inputs — including adversarially chosen inputs that stress edge cases in modular arithmetic.

EU Research Provenance

Jasmin is 100% EU/EEA research output:

• Universidade do Minho 🇵🇹 (Braga) — José Bacelar Almeida, Hugo Pacheco — Portuguese national university, FCT Portugal funded
• Universidade do Porto 🇵🇹 — Manuel Barbosa, Tiago Oliveira — INESC TEC research center, FCT Portugal funded
• IMDEA Software Institute 🇪🇸 (Madrid) — Gilles Barthe, Vincent Laporte, Pierre-Yves Strub — Spanish national research institute, Comunidad de Madrid + Spanish government funded
• INRIA Sophia Antipolis 🇫🇷 — Benjamin Grégoire, Arthur Blot — French national research institute (Équipe Marelle / Éclat)
• Max Planck Institute for Security and Privacy 🇩🇪 (Bochum) — Gilles Barthe — Max Planck Society, German federal institution
• University of Tartu 🇪🇪 — Dominique Unruh — Estonian national university, EU Framework Programme funded
• Funding: FCT Portugal 🇵🇹 + ANR France 🇫🇷 + ERC Advanced Grant (European Research Council) + EU Horizon 2020 PACO project

The same research group is responsible for EasyCrypt, F* verification work (in collaboration with MSR Cambridge), HACL*, and the Project Everest verified TLS stack. This is the EU's primary contribution to the global formally verified cryptography ecosystem — and running it on EU-sovereign infrastructure is both a security decision and a statement of EU technological sovereignty.

Getting Started

1. Sign up for sota.io free tier — no credit card required
2. Install Jasmin: opam install jasmin (OCaml required)
3. Write your first primitive: start with jasminc --help
4. Run CT check: jasminc -CT src/mycipher.jazz
5. Deploy your CI verification service to EU infrastructure in under 10 minutes

For teams already using HACL* or EasyCrypt, Jasmin fills the implementation gap: EasyCrypt proves the security game, Jasmin implements and verifies the primitive, the compiler produces verified assembly. The full pipeline runs on EU-hosted infrastructure — your security proofs, implementation source, and verified binaries never leave EU jurisdiction.

For teams beginning post-quantum migration, sota.io's formal verification series covers the complete EU verified cryptography stack: EasyCrypt for security proofs, Jasmin for implementations, ProVerif for protocol verification, Tamarin for TLS/5G — all deployable on EU-sovereign infrastructure in Germany.

Jasmin is developed by José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Arthur Blot, Benjamin Grégoire, Vincent Laporte, Tiago Oliveira, Hugo Pacheco, Pierre-Yves Strub, Dominique Unruh, and contributors. MIT License. Source: github.com/jasmin-lang/jasmin. Documentation: jasmin-lang.eu.