A wide range of security properties, e.g. anonymity in e-voting, unlinkability in RFID and mobile phone protocols, can be naturally expressed as behavioural equivalences in cryptographic process calculi. We made substantial contributions to the foundations and practice of their automated, symbolic verification. These include extensive results on the decidability and complexity of these verification problems, as well as subtle differences between existing models, that were, by folklore, believed equivalent and obtained tight computational complexity results. From a practical point of view we develop several complementary (in terms of expressivity, precision and efficiency) automated verification tools. To ensure scalability we developed partial order and symmetry reductions as well as results for compositional verification: for e-voting protocols we have shown that if there is an attack on vote privacy then there is also an attack that involves at most 3 voters.
We need to take into account that a user's machine may be untrusted, e.g. due to malware. Therefore protocols may (1) involve the user to execute a security-critical action, or (2) rely on trusted, isolated hardware. Multi-factor authentication protocols, e.g. Google 2-factor, follow the first line. We propose a symbolic model, decision procedure and verification tool for this class of protocols and applied it to protocols from the ISO/IEC 9798-6:2010 standard. When using secure hardware modules, one major problem for automated verification is the need to maintain global, non-monotonic state. We propose a new process calculus, called SAPiC (Stateful Applied Pi Calculus) and an eponymous plugin to the Tamarin prover together with a model for specifying and verifying applications based on Isolated Execution Environments, such as ARM TrustZone and Intel SGX. In collaboration with Orange Labs, we devised and formally proved the security of a new mobile payment protocol, secure even in the presence of malware. We also extended the scope and automation of the tamarin prover.
E-voting protocols have to guarantee two fundamental properties: privacy and integrity. Some elections require more than vote-privacy: receipt-freeness ensures that a voter cannot convince a vote buyer or coercer how she voted. Election integrity is generally achieved through end-to-end verifiability: the protocol issues evidence that all, and only, eligible casted votes have been correctly tallied. Moreover, one cannot assume that the platform used by a voter is trusted. We have formally defined what it means for an e-voting protocol to be secure. This is particularly tricky, as through the election result part of the information is leaked, and authorities running the election may be untrusted. We have analysed Du-Vote, a recently presented malware resistant remote e-voting scheme and showed several attacks on both privacy and verifiability, and confirmed security of a voting protocol deployed in the Swiss canton of Neuchâtel. We also propose a new voting scheme, BeleniosRF, that offers both receipt-freeness and end-to-end verifiability, and implemented it for several platforms, including desktop computers and smartphones.