Jannik Dreier
University of Lorraine
Publication
Featured research published by Jannik Dreier.
computer and communications security | 2015
David A. Basin; Jannik Dreier; Ralf Sasse
Many cryptographic security definitions can be naturally formulated as observational equivalence properties. However, existing automated tools for verifying the observational equivalence of cryptographic protocols are limited: they do not handle protocols with mutable state and an unbounded number of sessions. We propose a novel definition of observational equivalence for multiset rewriting systems. We then extend the Tamarin prover, based on multiset rewriting, to prove the observational equivalence of protocols with mutable state, an unbounded number of sessions, and equational theories such as Diffie-Hellman exponentiation. We demonstrate its effectiveness on case studies, including a stateful TPM protocol.
principles of security and trust | 2013
Jannik Dreier; Pascal Lafourcade; Yassine Lakhnech
Auctions have a long history, having been recorded as early as 500 B.C. With the rise of the Internet, electronic auctions have been a great success and are increasingly used. Many cryptographic protocols have been proposed to address the various security requirements of these electronic transactions. We propose a formal framework to analyze and verify security properties of e-Auction protocols. We model protocols in the Applied π-Calculus and define privacy notions, which include secrecy of bids, anonymity of the participants, receipt-freeness and coercion-resistance. We also discuss fairness, non-repudiation and non-cancellation. Additionally we show on two case studies how these properties can be verified automatically using ProVerif, and discover several attacks.
international conference on communications | 2012
Jannik Dreier; Pascal Lafourcade; Yassine Lakhnech
Privacy is one of the main issues in electronic voting. We propose a family of symbolic privacy notions that allows to assess the level of privacy ensured by a voting protocol. Our definitions are applicable to protocols featuring multiple votes per voter and special attack scenarios such as vote-copying or forced abstention. Finally we employ our definitions on several existing voting protocols to show that our model allows to compare different types of protocols based on different techniques, and is suitable for automated verification using existing tools.
computer and communications security | 2013
Jannik Dreier; Hugo Jonker; Pascal Lafourcade
An electronic auction protocol will only be used by those who trust that it operates correctly. Therefore, e-auction protocols must be verifiable: seller, buyer and losing bidders must all be able to determine that the result was correct. We pose that the importance of verifiability for e-auctions necessitates a formal analysis. Consequently, we identify notions of verifiability for each stakeholder. We formalize these and then use the developed framework to study the verifiability of two examples, the protocols due to Curtis et al. and Brandt, identifying several issues.
european symposium on research in computer security | 2012
Jannik Dreier; Pascal Lafourcade; Yassine Lakhnech
Most existing formal privacy definitions for voting protocols are based on observational equivalence between two situations where two voters swap their votes. These definitions are unsuitable for cases where votes are weighted. In such a case swapping two votes can result in a different outcome and both situations become trivially distinguishable. We present a definition for privacy in voting protocols in the Applied π-Calculus that addresses this problem. Using our model, we are also able to define multi-voter coercion, i.e. situations where several voters are attacked at the same time. Then we prove that under certain realistic assumptions a protocol secure against coercion of a single voter is also secure against coercion of multiple voters. This applies for Receipt-Freeness as well as Coercion-Resistance.
international conference on security and cryptography | 2014
Jannik Dreier; Rosario Giustolisi; Ali Kassem; Pascal Lafourcade; Gabriele Lenzini; Peter Y. A. Ryan
Universities and other educational organizations are adopting computer and Internet-based assessment tools (herein called e-exams) to reach widespread audiences. While this makes examination tests more accessible, it exposes them to new threats. At present, there are very few strategies to check such systems for security, also there is a lack of formal security definitions in this domain. This paper fills this gap: in the formal framework of the applied π-calculus, we define several fundamental authentication and privacy properties and establish the first theoretical framework for the security analysis of e-exam protocols. As proof of concept we analyze two of such protocols with ProVerif. The first “secure electronic exam system” proposed in the literature turns out to have several severe problems. The second protocol, called Remark!, is proved to satisfy all the security properties assuming access control on the bulletin board. We propose a simple protocol modification that removes the need of such assumption though guaranteeing all the security properties.
foundations and practice of security | 2011
Jannik Dreier; Pascal Lafourcade; Yassine Lakhnech
Recently an attack on ballot privacy in Helios has been discovered [20], which is essentially based on copying other voters' votes. To capture this and similar attacks, we extend the classical threat model and introduce a new security notion for voting protocols: Vote-Independence. We give a formal definition and analyze its relationship to established privacy properties such as Vote-Privacy, Receipt-Freeness and Coercion-Resistance. In particular we show that even Coercion-Resistant protocols do not necessarily ensure Vote-Independence.
principles of security and trust | 2017
Jannik Dreier; Charles Duménil; Steve Kremer; Ralf Sasse
The Tamarin prover is a state-of-the-art protocol verification tool. It supports verification of both trace and equivalence properties, a rich protocol specification language that includes support for global, mutable state and allows the user to specify cryptographic primitives as an arbitrary subterm convergent equational theory, in addition to several built-in theories, which include, among others, Diffie-Hellman exponentiation. In this paper, we improve the underlying theory and the tool to allow for more general user-specified equational theories: our extension supports arbitrary convergent equational theories that have the finite variant property, making Tamarin the first tool to support at the same time this large set of user-defined equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties. We demonstrate the effectiveness of this generalization by analyzing several protocols that rely on blind signatures, trapdoor commitment schemes, and ciphertext prefixes that were previously out of scope.
information security practice and experience | 2015
Jannik Dreier; Rosario Giustolisi; Ali Kassem; Pascal Lafourcade; Gabriele Lenzini
The main concern for institutions that organize exams is to detect when students cheat. Actually more frauds are possible and even authorities can be dishonest. If institutions wish to keep exams a trustworthy business, anyone and not only the authorities should be allowed to look into an exam’s records and verify the presence or the absence of frauds. In short, exams should be verifiable. However, what verifiability means for exams is unclear and no tool to analyze an exam’s verifiability is available. In this paper we address both issues: we formalize several individual and universal verifiability properties for traditional and electronic exams, so proposing a set of verifiability properties and clarifying their meaning, then we implement our framework in ProVerif, so making it a tool to analyze exam verifiability. We validate our framework by analyzing the verifiability of two existing exam systems – an electronic and a paper-and-pencil system.
foundations of software science and computation structure | 2013
Jannik Dreier; Cristian Ene; Pascal Lafourcade; Yassine Lakhnech
Unique decomposition has been a subject of interest in process algebra for a long time (for example in BPP [2] or CCS [11,13]), as it provides a normal form with useful cancellation properties. We provide two parallel decomposition results for subsets of the Applied π-Calculus: we show that any closed normed (i.e. with a finite shortest complete trace) process $P$ can be decomposed uniquely into prime factors $P_i$ with respect to strong labeled bisimilarity, i.e. such that $P \sim_l P_1 \mid \ldots \mid P_n$. We also prove that closed finite processes can be decomposed uniquely with respect to weak labeled bisimilarity.