Automated Security Proofs of Cryptographic Protocols: Privacy, Untrusted Platforms and Applications to E-voting Protocols

The security of electronic transactions is ensured by cryptographic protocols. While historically their main goals were confidentiality and authentication the situation has changed. The ability of people to stay connected constantly combined with ill-conceived systems seriously threatens people’s privacy. Due to viruses and malware, personal computers and mobile phones must not be considered trustworthy anymore; yet they execute the protocols that are to achieve security goals. To detect flaws, prove a protocol's security and propose new design principles the Spooc project will develop solid foundations and practical tools to analyse and formally prove security protocols that ensure user privacy as well as techniques for executing protocols on untrusted platforms. We will develop
- foundations and practical tools for specifying and verifying new security properties, in particular privacy properties;
- techniques for design and automated analysis of protocols that can be executed on untrusted platforms;
- apply these methods in particular to novel e-voting protocols, that aim for strong security guarantees without need to trust the voter client software.

A wide range of security properties, e.g. anonymity in e-voting, unlinkability in RFID and mobile phone protocols, can be naturally expressed as behavioural equivalences in cryptographic process calculi. We made substantial contributions to the foundations and practice of their automated, symbolic verification. These include extensive results on the decidability and complexity of these verification problems, as well as subtle differences between existing models, that were, by folklore, believed equivalent and obtained tight computational complexity results. From a practical point of view we develop several complementary (in terms of expressivity, precision and efficiency) automated verification tools. To ensure scalability we developed partial order and symmetry reductions as well as results for compositional verification: for e-voting protocols we have shown that if there is an attack on vote privacy then there is also an attack that involves at most 3 voters.

We need to take into account that a user's machine may be untrusted, e.g. due to malware. Therefore protocols may (1) involve the user to execute a security-critical action, or (2) rely on trusted, isolated hardware. Multi-factor authentication protocols, e.g. Google 2-factor, follow the first line. We propose a symbolic model, decision procedure and verification tool for this class of protocols and applied it to protocols from the ISO/IEC 9798-6:2010 standard. When using secure hardware modules, one major problem for automated verification is the need to maintain global, non-monotonic state. We propose a new process calculus, called SAPiC (Stateful Applied Pi Calculus) and an eponymous plugin to the Tamarin prover together with a model for specifying and verifying applications based on Isolated Execution Environments, such as ARM TrustZone and Intel SGX. In collaboration with Orange Labs, we devised and formally proved the security of a new mobile payment protocol, secure even in the presence of malware. We also extended the scope and automation of the tamarin prover.

E-voting protocols have to guarantee two fundamental properties: privacy and integrity. Some elections require more than vote-privacy: receipt-freeness ensures that a voter cannot convince a vote buyer or coercer how she voted. Election integrity is generally achieved through end-to-end verifiability: the protocol issues evidence that all, and only, eligible casted votes have been correctly tallied. Moreover, one cannot assume that the platform used by a voter is trusted. We have formally defined what it means for an e-voting protocol to be secure. This is particularly tricky, as through the election result part of the information is leaked, and authorities running the election may be untrusted. We have analysed Du-Vote, a recently presented malware resistant remote e-voting scheme and showed several attacks on both privacy and verifiability, and confirmed security of a voting protocol deployed in the Swiss canton of Neuchâtel. We also propose a new voting scheme, BeleniosRF, that offers both receipt-freeness and end-to-end verifiability, and implemented it for several platforms, including desktop computers and smartphones.

We provide efficient automated verification tools able to verify properties expressed as equivalences. We have significantly improved our theoretical understanding of this verification method, and have built automated verification tools. We were able to increase these tools' efficiency through partial order and symmetry reductions, and provide support for more cryptographic primitives and a wider range of protocols.

To widen the range of protocols that can be formally verified we have built methods and tools for protocols that rely on human intervention, or secure hardware modules. Both kinds of protocols are extremely important when using a malicious, e.g. malware infected, platform. We have developed attacker models, verification methods and tools for these protocols. Tool support for protocols relying on global scope, such as hardware modules, is not fully automatic but we significantly improved the level of automation.

E-voting is a particularly tricky application area for formal verification. Even defining what it means for an e-voting protocol to be secure is a non-trivial question. For instance, in a unanimous vote, the result leaks the choice of each individual voter without necessarily the protocol being insecure. We propose modular definitions that capture security requirements under a wide range of threat scenarios (including malicious election authorities), we have analysed the security of several voting protocols and also designed a new protocol that ensures receipt-freeness.