Final Report Summary - PROSECURE (Provably secure systems: foundations, design, and modularity)
Security protocols are short distributed computer programs dedicated to securing communications on digital networks. They are designed to achieve various goals such as data privacy and data authenticity, even when communication channels are controlled by malicious users. The goal of the ProSecure project is to propose foundations for a careful analysis and design of large classes of up-to-date protocols. Proposing a secure environment for network-based communications has a societal as well as an economical prominent impact.
One of the main achievements of the project regards e-voting. While many of legally binding elections make use of black-box, proprietary, solutions, state-of-the art protocols aim at achieving both privacy of the vote (no one will know my vote) and verifiable elections (anyone can check that her ballot has been counted). We have obtained several achievements in this domain both in terms of security definitions, design, and analysis of existing systems. Formal and rigorous definitions are needed to reasons about e-voting protocols. While reviewing existing definitions for vote privacy, we have discovered limitations in many of them. We have proposed new and general definitions for both vote privacy and verifiability. We have also studied two major protocols: one industrial protocol deployed in Norway in trials and one academic protocol, Helios. We have studied in depth these protocols, providing the first security proofs for fully deployed protocols. During this task, we have discovered a flaw in Helios that could compromise ballot secrecy in some situations. This flaw was easy to fix.
Finally we are now developing our own voting platform, Belenios, that enhances the security of Helios. This new solution has been again fully proved and we are discussing with several voting companies to enhance verifiability in existing solutions.
Formally analysing privacy properties such as ballot secrecy amounts into checking that some mathematical properties hold in a formal and symbolic model. To ease security proofs, it is often possible to automate the security analysis, that is, to design tools that automatically find flaws in protocols, or prove security. Within the ProSecure project, we have designed new techniques for automatically proving privacy properties. In particular, we have designed the first tool that can prove ballot secrecy of e-voting protocols. Moreover, we have designed the first algorithm that can check for privacy when protocols are used an unlimited number of times. This significantly advances the state-of-the-art since no decidability procedures was known in this context, even in the simpler case of secrecy or authentication properties.
A``proof of security'' of course only holds in some mathematical model. Part of the project is dedicated to the comparison between two important, yet very different, models. The outcomes are twofolds: first, a better understanding of the two models and, secondly, the combination of the advantages of the two approaches: full automation of security proof in a very precise model (that captures most of the attacks).
Security protocols are inherently designed by composition: a payment protocol may use secure channels, typically implemented by TLS, while another communication protocol may rely on some authenticated channels, that can be implemented in various ways. How to securely implement a secure channel? May secure channels be (securely) used in any context? We have proposed a framework for protocol composition, that can be applied to many protocols of the literature.
One of the main achievements of the project regards e-voting. While many of legally binding elections make use of black-box, proprietary, solutions, state-of-the art protocols aim at achieving both privacy of the vote (no one will know my vote) and verifiable elections (anyone can check that her ballot has been counted). We have obtained several achievements in this domain both in terms of security definitions, design, and analysis of existing systems. Formal and rigorous definitions are needed to reasons about e-voting protocols. While reviewing existing definitions for vote privacy, we have discovered limitations in many of them. We have proposed new and general definitions for both vote privacy and verifiability. We have also studied two major protocols: one industrial protocol deployed in Norway in trials and one academic protocol, Helios. We have studied in depth these protocols, providing the first security proofs for fully deployed protocols. During this task, we have discovered a flaw in Helios that could compromise ballot secrecy in some situations. This flaw was easy to fix.
Finally we are now developing our own voting platform, Belenios, that enhances the security of Helios. This new solution has been again fully proved and we are discussing with several voting companies to enhance verifiability in existing solutions.
Formally analysing privacy properties such as ballot secrecy amounts into checking that some mathematical properties hold in a formal and symbolic model. To ease security proofs, it is often possible to automate the security analysis, that is, to design tools that automatically find flaws in protocols, or prove security. Within the ProSecure project, we have designed new techniques for automatically proving privacy properties. In particular, we have designed the first tool that can prove ballot secrecy of e-voting protocols. Moreover, we have designed the first algorithm that can check for privacy when protocols are used an unlimited number of times. This significantly advances the state-of-the-art since no decidability procedures was known in this context, even in the simpler case of secrecy or authentication properties.
A``proof of security'' of course only holds in some mathematical model. Part of the project is dedicated to the comparison between two important, yet very different, models. The outcomes are twofolds: first, a better understanding of the two models and, secondly, the combination of the advantages of the two approaches: full automation of security proof in a very precise model (that captures most of the attacks).
Security protocols are inherently designed by composition: a payment protocol may use secure channels, typically implemented by TLS, while another communication protocol may rely on some authenticated channels, that can be implemented in various ways. How to securely implement a secure channel? May secure channels be (securely) used in any context? We have proposed a framework for protocol composition, that can be applied to many protocols of the literature.