hacl-star VS ponyc

Nice work. About cryptonite: have IOG considered using crypto primitives provided by HACL*/evercrypt?

Jasmin and F* don't have similar goals, Jasmin is a language designed to precisely express low-level code, while F* is a generalist language for verified programming. There is a subsystem of F* that performs extraction to "readable C code", Karamel (used to be called Kremlin), but you get the usual limitations of C code as a high-level assembler, and also an embedded assembly layer built on Vale. Project Everest therefore generates artifacts that are a mix of C and assembly, rather than a new low-level language design as Jasmin.

Traditional design by contract checks the contracts at runtime. They can be understood as a form of dynamic typing with quite complicated types, which may be equivalent to refinement types

But you can check contracts at compile time too. It's quite the same thing as static typing with something like refinement types. That's because, while with contracts we can add preconditions like "the size of this array passed as parameter must be a prime number", with refinement types we can define the type of arrays whose size is a prime number, and then have this type as the function argument. (likewise, postconditions can be modeled by the return type of the function)

See for example this Rust library: https://docs.rs/contracts/latest/contracts/

It will by default check the contracts at runtime, but has an option to check them at compile time with https://github.com/facebookexperimental/MIRAI

Now, this Rust library isn't generally understood as creating another type system on top of Rust, but we could do the legwork to develop a type theory that models how it works, and show the equivalence.

Or, another example, Liquid Haskell: https://ucsd-progsys.github.io/liquidhaskell/ it implements a variant of refinement types called liquid types, which is essentially design by contract checked at compile type. In this case, the type theory is already developed. I expect Liquid Haskell to be roughly comparable to Rust's contracts checked by MIRAI.

Now, what we could perhaps say is that refinement types are so powerful that they don't feel like regular types! And, while that's true, there are type systems even more powerful: dependent types used in languages like Coq, Lean and F* to prove mathematical theorems (your type is a theorem, and your code, if it typechecks, is a proof of that theorem).

Dependent types were leveraged to create a verified TLS implementation that mathematically proves the absence of large class of bugs, miTLS https://www.mitls.org/ (they discovered a number of vulnerabilities in TLS implementations and proved that their implementation isn't vulnerable), and HACL* https://github.com/hacl-star/hacl-star a verified crypto implementation used by Firefox and Wireguard. They are part of Project Everest https://project-everest.github.io/ which aims to develop provably secure communications software.

With that said, it's a very good thought to make sure that the software you're using is actually secure before trusting it. Personally, I think it's safe to use GnuPG and KeePass/Bitwarden, which have all been audited by the likes of Cure53, but if you're really paranoid, you could always use a formally-verified implementation of your desired algorithm (many are supplied in HACL*, for example)... In this case, I use the term "formally-verified" to mean that the implementation is mathematically proven to guarantee the properties of the algorithm (i.e., there are no "bugs" that affect output at the implementation level)...

CompCert is also very impressive. It's not, however, free software / open source (the source is available though)

https://www.absint.com/compcert/structure.htm

A problem with both seL4 and CompCert is that the code written to express the proofs is huge, much larger than code that actually does stuff. This puts a ceiling on the size of the projects we can verify.

F* is a language that tries to address that, by finding proofs with z3, a smt prover; z3 can't prove everything on its own but it cuts down proof code by orders of magnitude. They have written a verified cryptography stack and TLS stack, and want to write a whole verified http stack.

https://www.fstar-lang.org/

https://github.com/project-everest/hacl-star

https://www.mitls.org/

https://project-everest.github.io/

F* (through Low, a verified low-level subset of F) can extract verified code to C, which is kind of the inverse than the seL4 proof: seL4 begins with C code and enriches it with proofs of correctness; hacl* (a verified crypto F* lib) begins with a proven correct F* code and extracts C code (I gather the actual crypto primitives is compiled directly to asm code because C has some problems with constant time stuff). This enables hacl* to make bindings to other languages that can just call C code, like this Rust binding

https://github.com/franziskuskiefer/evercrypt-rust

Also this F* stuff is all free software / open source, so it might become a very prevalent crypto and TLS stack

This is SO exciting!!! Ituses https://github.com/project-everest/hacl-star - a formally verified cryptography library. And it compiles down to C code, so I suppose it's fast.

Whats cool with that project and overlaps with SPARKNaCI would be the HACL* Library. Its purpose is to provide a formally verified library of modern cryptographic algorithms all written in a subset of F* called Low* and compiled to C using a compiler called KreMLin. The outputs of this are already being used Firefox, see here & here.

Reminds me a little of the Everest project. Sadly, I'm not seeing much recent Everest activity on their web page or github.

For example, the actor's model is not used by a lot of languages, Pony (https://www.ponylang.io/) and Elixir are the only ones that I know, but they address the concurrency problem quite well, while it's a pain to deal with in other languages at large scale.

And that last point is critical. If the language flatly can't represent some concepts it uses, they have to be implemented somewhere else. I had a similar discussion with a proponent for Pony once- the language itself is 100% safe, and fully dependent on C for its runtime and data structures. One of Rust's core strengths is being able to express unsafe concepts, meaning the unsafe code can expose a safe interface that accurately describes its requirements rather than an opaque C ABI. Vale doesn't seem to do that.

"Exterior iteration. Iteration used to be by stack / non-escaping coroutines, which we also called "interior" iteration, as opposed to "exterior" iteration by pointer-like things that live in variables you advance. Such coroutines are now finally supported by LLVM (they weren't at the time) and are actually a fairly old and reliable mechanism for a linking-friendly, not-having-to-inline-tons-of-library-code abstraction for iteration. They're in, like, BLISS and Modula-2 and such. Really normal thing to have, early Rust had them, and they got ripped out for a bunch of reasons that, again, mostly just form "an argument I lost" rather than anything I disagree with today. I wish Rust still had them. Maybe someday it will!"

I remember that one. The change was shortly after I started fooling with Rust and was major. Major as in it broke all the code that I'd written to that point.

"Async/await. I wanted a standard green-thread runtime with growable stacks -- essentially just "coroutines that escape, when you need them too"."

I remember that one, too; it was one of the things that drew me to the language---I was imagining something more like Pony (https://www.ponylang.io/).

"The Rust I Wanted probably had no future, or at least not one anywhere near as good as The Rust We Got."

Almost certainly true. But The Rust We Got is A Better C++, which was never appealing to me because I never liked C++ anyway.

Pony or bust.

If you have a value in mutable storage, and want to treat it as an immutable parameter without copying it first, you will need to provide some way to guarantee that it won't be mutated while being treated as immutable! There doesn't seem to be a definitive best way to do that (although the likes of Pony make a try at it).

The love child of Erlang and Rust exists already: Pony.

https://www.ponylang.io

It really is the best of both languages... unfortunately, the main supporter of Pony seems to have stopped using it in favour of Rust though :D.

But if that's really what you want, Pony is your language. It definitely deserves more love.

You can actually try to have a magic language which "does not ignore decades of PL research" but you are likely to get either something broken or a project that is likely not going to release in our lifetime.

Never a bad time to plug Pony lang[1] - a safety-oriented actor-model language. In addition to the numerous safety guarantees, you also get a beautiful syntax and automatic memory management. Really a great language that often gets overshadowed by Rust's hype-turfing.

[1]: https://www.ponylang.io/