Initially, CASCAde created a new efficient attribute-based credential scheme, that is, a cryptographic tool to prove to verifiers that a user has certain attributes while keeping sensitive information confidential. We shaped this scheme such that it encodes data in a way conducive to representing complex data in an efficient and flexible manner. Thereby, this scheme laid the foundation for a new elliptic-curve digital signature scheme that is capable of efficiently certifying complex graph data structures. This scheme comes with a range of procedures to convince another, a verifier, that certain parts of a graph are connected to one another or that they are isolated from one another, that is, there is no connection possible. Thereby, we have created the foundations to certify the topology of an infrastructure. We have developed an extensible and flexible open-source cryptographic library for graph signatures called GSL, a reusable component to build more complex certification and security assurance systems.
We investigated how different hardware-based attestation systems operate, so called Trusted Platform Modules, short TPMs. These modules come with a capability to attest their status in a privacy-preserving fashion, so called Direct Anonymous Attestation. In this area, we established cryptographic protocols and a topology attestation system, called Topographia, which enables the certification and proof of topologies in zero-knowledge, while binding these endeavours to the presence of the TPMs. This approach offers verifiers the guarantee that the actual system has not been changed to deviate from its certification.
We have laid the foundations for the usable security and perceived trustworthiness in the project. We started this investigation from a consideration of the overall state-of-play of user studies in cyber security, hence considering first how the field fares in offering us strong and unshakable foundations in evidence-based methods. In this endeavor, we found a number of weaknesses from how statistical inferences are supported, over how sound the statistical reporting is and problems in statistical power and publication bias, to strength of evidence. Ultimately, these investigations taught us what to rely on and what requirements to impose on our own empirical investigations. We further offered guidance to the community how to pursue socio-technical studies with the end in mind, that is, how to plan for authoritative results.
We pursued a multi-pronged approach researching how to most validly/reliably measure privacy concern with high fidelity or how different factors such as emotions impact a user’s intention to protect privacy. Finally, we created a comprehensive statistical model to show how multiple factors interplay when it comes to trustworthiness and technology acceptance of privacy technologies, with the example of attribute-based credential schemes. This last step lays the foundations to investigate trustworthiness of confidentiality-preserving security assurance as well as other privacy-enhancing technologies.