Periodic Reporting for period 4 - SPOOC (Automated Security Proofs of Cryptographic Protocols: Privacy, Untrusted Platforms and Applications to E-voting Protocols)
Reporting period: 2020-03-01 to 2020-08-31
- foundations and practical tools for specifying and verifying new security properties, in particular privacy properties;
- techniques for design and automated analysis of protocols that can be executed on untrusted platforms;
- application of these methods, in particular to novel e-voting protocols that aim for strong security guarantees without the need to trust the voter client software.
We need to take into account that a user's machine may be untrusted, e.g. due to malware. Therefore protocols may (1) require the user to perform a security-critical action, or (2) rely on trusted, isolated hardware. Multi-factor authentication protocols, e.g. Google 2-factor, take the first approach. We proposed a symbolic model, decision procedure and verification tool for this class of protocols and applied them to protocols from the ISO/IEC 9798-6:2010 standard. When using secure hardware modules, one major problem for automated verification is the need to maintain global, non-monotonic state. We proposed a new process calculus, called SAPiC (Stateful Applied Pi Calculus), and an eponymous plugin to the Tamarin prover, together with a model for specifying and verifying applications based on Isolated Execution Environments, such as ARM TrustZone and Intel SGX. In collaboration with Orange Labs, we devised and formally proved the security of a new mobile payment protocol that remains secure even in the presence of malware. We also extended the scope and automation of the Tamarin prover.
E-voting protocols have to guarantee two fundamental properties: privacy and integrity. Some elections require more than vote privacy: receipt-freeness ensures that a voter cannot convince a vote buyer or coercer how she voted. Election integrity is generally achieved through end-to-end verifiability: the protocol issues evidence that all, and only, eligible cast votes have been correctly tallied. Moreover, one cannot assume that the platform used by a voter is trusted. We have formally defined what it means for an e-voting protocol to be secure. This is particularly tricky, since the election result itself leaks part of the information, and the authorities running the election may be untrusted. We analysed Du-Vote, a recently presented malware-resistant remote e-voting scheme, and showed several attacks on both privacy and verifiability. We also confirmed the security of a voting protocol deployed in the Swiss canton of Neuchâtel. Finally, we proposed a new voting scheme, BeleniosRF, that offers both receipt-freeness and end-to-end verifiability, and implemented it for several platforms, including desktop computers and smartphones.
To widen the range of protocols that can be formally verified, we have built methods and tools for protocols that rely on human intervention or on secure hardware modules. Both kinds of protocols are extremely important when using a malicious, e.g. malware-infected, platform. We have developed attacker models, verification methods and tools for these protocols. Tool support for protocols relying on global scope, such as hardware modules, is not fully automatic, but we significantly improved the level of automation.
E-voting is a particularly tricky application area for formal verification. Even defining what it means for an e-voting protocol to be secure is a non-trivial question. For instance, in a unanimous vote, the result leaks the choice of each individual voter without the protocol necessarily being insecure. We propose modular definitions that capture security requirements under a wide range of threat scenarios (including malicious election authorities). We have analysed the security of several voting protocols and also designed a new protocol that ensures receipt-freeness.