Community Research and Development Information Service - CORDIS

ERC

PERCY Report Summary

Project ID: 321310
Funded under: FP7-IDEAS-ERC
Country: Switzerland

Final Report Summary - PERCY (Personal Cryptography)

The amount of personal data that is stored and processed in digital form has grown tremendously in recent years, and this trend shows no sign of abating. All aspects of our lives are concerned. These data include family pictures, insurance documents, bills and receipts, health records, cryptographic keys, electronic identities, certificates, and passwords. We store and process these data on many personal devices and also in the cloud, using services such as Flickr, Gmail, Dropbox, and Facebook. Managing all our data is challenging: they have to be updated, backed up, synchronized across devices, and shared with friends and family as well as given to various businesses and governmental organizations. Often, we are not or cannot be involved in this process. For instance, in case of emergency, health records must be accessible to doctors or designated family members. Many of these data are sensitive, but adequately protecting them is virtually impossible for private users with current tools.
The best way to protect data is by encrypting them, but doing so makes managing them even more difficult. Encrypting data destroys much of the functionality that users have come to expect, such as synchronizing and sharing. Moreover, mismanagement of encryption keys might even render the data unreadable to the owner himself.

The goal of project PERCY was to develop fundamentally new cryptographic primitives and protocols that let human users deal with cryptographic keys and encrypted personal data. The project has made substantial contributions towards this goal. We have published 53 scientific papers describing our results, the majority of them at the top cryptography and security conferences. A few additional papers are currently under submission. In the following, we discuss the main results achieved.

Password-based security. Contrary to widespread belief, we have shown that passwords can be the basis for users' security. The problem with how they are used today is that servers typically store a salted hash of their users' passwords, so that when a server gets breached an attacker can easily recover the passwords by a brute-force attack employing modern hardware. The best way to alleviate this problem is to distribute the password verification and storage across several servers, such that if one of them gets compromised, only useless information falls into the hands of the attacker. Following this principle, we have invented a number of very efficient protocols that achieve security but require the user only to remember a human-memorizable password. The protocols we have developed include solutions for securely storing and recovering information, for single sign-on and browser-based login mechanisms, for virtual smart cards, and for authenticating public keys with simple passwords.
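The principle of the paragraph above, shown in an added toy example that is not one of the project's protocols: the password-derived verifier is computed under a key K = k_1 + ... + k_n whose shares k_i live on different servers, using a blinded exponentiation so that no server ever sees the password itself. An attacker who steals one server's complete state (its share and the stored verifier) cannot test password guesses offline; only an attacker holding every share can. The group parameters, server count and dictionary guesses are constructed for the demo and far too small for real use; the function and class names are this example's own.

```python
"""Toy distributed password verification (added example, not PERCY's own code)."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
GEN = 4  # 2^2 is a quadratic residue, hence generates the order-q subgroup of Z_p^*


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by a few small primes."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime (constructed demo parameters)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def hash_to_group(password, p, q):
    """Map a password to an element of the order-q subgroup."""
    x = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (q - 1) + 1
    return pow(GEN, x, p)


def finish(combined, p):
    """Derive the final key from the combined group element."""
    return hashlib.sha256(combined.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def verifier_of(key):
    return hashlib.sha256(b"verifier" + key).digest()


class Server:
    """One of n servers; holds a key share that never leaves it."""

    def __init__(self, p, q):
        self.p = p
        self.k = secrets.randbelow(q - 1) + 1
        self.verifier = None  # set at registration, compared at login

    def evaluate(self, blinded):
        """Raise the client's blinded element to this server's share."""
        return pow(blinded, self.k, self.p)


def derive(servers, password, p, q):
    """Client side: blind, query every server, unblind, and combine to elem^K."""
    elem = hash_to_group(password, p, q)
    r = secrets.randbelow(q - 1) + 1
    blinded = pow(elem, r, p)  # servers learn nothing about elem from this
    r_inv = pow(r, -1, q)
    combined = 1
    for s in servers:
        combined = combined * pow(s.evaluate(blinded), r_inv, p) % p
    return finish(combined, p)


def register(servers, password, p, q):
    key = derive(servers, password, p, q)
    for s in servers:
        s.verifier = verifier_of(key)
    return key  # usable by the client, e.g. to encrypt its data


def login(servers, password, p, q):
    """Return the derived key if every server accepts the verifier, else None."""
    key = derive(servers, password, p, q)
    ver = verifier_of(key)
    ok = all(hmac.compare_digest(ver, s.verifier) for s in servers)
    return key if ok else None


def offline_guess(shares, verifier, guess, p, q):
    """Offline check of one guess by an attacker holding the given key shares."""
    elem = hash_to_group(guess, p, q)
    combined = 1
    for k in shares:
        combined = combined * pow(elem, k, p) % p
    return hmac.compare_digest(verifier_of(finish(combined, p)), verifier)
```

With three servers, `offline_guess` fed only one server's share returns False even for the correct password, while all three shares together make the guess testable; a threshold variant (any t of n shares suffice) needs polynomial sharing of K and is not shown here.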


Cryptography for privacy. Protecting privacy for a specific application typically requires the use of a cryptographic protocol that is tailored to the application. We have therefore investigated a number of scenarios and developed practical yet provably secure protocols for them. Such scenarios include authentication and encryption mechanisms for car-to-car communication, hierarchical credentials as required in blockchain-based applications, and how users in peer-to-peer networks exchange messages or share pictures without needing to trust a third party. Another important example is distributed databases as they occur in healthcare or governmental scenarios. Here we have invented mechanisms to generate unlinkable identifiers for the different databases held by different entities, such that it is still possible to exchange records about individuals if necessary.


Securing user credentials. An alternative means for users to protect their cryptographic keys is by using a piece of tamperproof hardware such as a smart card or a trusted platform module (TPM). With respect to protecting the privacy of users, the so-called direct anonymous attestation protocol is a key element of the TPM. The original RSA-based protocol, co-designed by the principal investigator in 2004, has recently been updated to a new protocol based on elliptic curve cryptography that is much more efficient. We have studied this new protocol and found a number of security flaws. To address these flaws, we have put forth a comprehensive security model for the protocol, provided a new elliptic-curve-based and provably secure protocol, and then worked with the Trusted Computing Group to update the TPM specification. Furthermore, we have engaged with the FIDO Alliance in the development of a similar protocol for mobile-phone-based authenticators that allow users to authenticate to websites in a secure and privacy-respecting manner. This specification has recently been adopted by W3C.


Quantum-Resilient cryptography. While signature and encryption schemes that are resilient against quantum computers are known, no efficient solutions are known for privacy-protecting cryptographic primitives such as group signatures and anonymous credentials. We have therefore studied means to construct such primitives based on lattice problems and developed voting schemes, verifiable encryption schemes, and group signature schemes.


Provable Security. Many cryptographic applications such as voting schemes or credential systems are constructed by suitably combining cryptographic primitives. Modeling the security properties of such schemes and proving that these properties are obtained is a challenging task. To make this task easier, security frameworks such as Canetti's universal composability framework have been proposed. However, the use of such a framework typically results in protocols that are far less efficient than schemes that are designed and proven secure in a monolithic fashion. We have studied the reasons for this loss in efficiency and provided methods to avoid such losses. Furthermore, we studied and developed a number of very efficient protocols and proved them secure in Canetti's framework. Doing this has given us many new insights into how one can build efficient protocols that meet the strongest security notions. These results should now allow for the design of other efficient and secure protocols in such frameworks.


In conclusion: the project has made substantial contributions towards cryptography for end users and provided many cryptographic tools that allow application developers to design secure applications that protect user data and comply with GDPR, in a better and more secure way.

Reported by

IBM RESEARCH GMBH
Switzerland