Section: New Results

Design and Verification of next-generation protocols: identity, blockchains, and messaging

Participants : Harry Halpin, George Danezis [University College London] , Carmela Troncoso [IMDEA] .

We continued work on next-generation protocols via the NEXTLEAP project in 2017. The work started in 2016 to define the design principles of decentralized protocols, and a paper was published at the Privacy Enhancing Technologies Symposium as "Systematizing Decentralization and Privacy: Lessons from 15 years of research and deployments", which systematized over 180 papers from p2p to blockchains. We formally defined decentralization in terms of a distributed system operating in an adversarial environment, which we hope will be a foundational contribution to the field. NEXTLEAP also published a paper at ARES 2017 on how these principles can be applied to secure messaging systems, including the work of Prosecco on formalizing secure messaging as presented at EuroS&P 2017. NEXTLEAP had a successful launch event at Centre Pompidou, colocated with Eurocrypt, which was attended by a panel of prominent cryptographers (Phil Rogaway, Moti Yung, Tanja Lange, Daniel Bernstein) and members of the European Commission and European Parliament, attracting over 100 members of the general public to hear about Prosecco's research.

Building on the work on identity started in 2017, we finished the design of ClaimChain, the privacy-enhanced blockchain-based identity system, and work started on an F* implementation and scalability simulations. Unlike most blockchain systems, which are public and are essentially replicated state machines, ClaimChains use VRFs for privacy and do not require global consensus, instead allowing private linking between ClaimChains and gossiping to maintain local consensus on secret material. We believe that this design may be the first workable approach to decentralizing PKI. ClaimChains also use Merkle trees for efficiency, and some of this library may prove generally useful for F* programming after more development in 2018. ClaimChain has yet to be published in an academic venue, but it has already attracted considerable interest and was presented at the popular CCC security conference in Leipzig, Germany. We also continued to raise the bar on security and privacy, hosting the first ever workshop on "Security and Privacy on the Blockchain" at EuroS&P 2017, which was sponsored by Blockstream. We expect the first formally verified blockchain system based on this design to be finished in 2018.
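To make the per-owner, no-global-consensus structure described above concrete, the following is an added illustrative sketch (not ClaimChain's own design document, nor its F* implementation): each owner keeps a hash chain of blocks, each block commits to a Merkle root over claims, and a reader who holds the right secret can recompute a claim's label and check an inclusion proof against the chain head. The label derivation uses an HMAC as a stand-in for the VRF, which is a simplification we assume here: an HMAC label is only computable by holders of the secret, whereas a real VRF output additionally comes with a public proof of correctness.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation; callers prepend a domain byte."""
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_root_and_paths(leaves):
    """Return (root, paths); paths[i] lists (leaf_is_right, sibling) pairs."""
    level, pos = list(leaves), list(range(len(leaves)))
    paths = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:                     # odd level: duplicate the last node
            level.append(level[-1])
        for leaf, p in enumerate(pos):
            paths[leaf].append((p & 1, level[p ^ 1]))
            pos[leaf] = p // 2
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths

def verify_inclusion(root, leaf, path):
    node = leaf
    for is_right, sibling in path:
        node = h(b"\x01", sibling, node) if is_right else h(b"\x01", node, sibling)
    return node == root

class ClaimChain:
    """Hypothetical single-owner chain: blocks = (prev_head, merkle_root)."""
    def __init__(self, secret: bytes):
        self.secret, self.blocks, self.proofs = secret, [], {}
    def label(self, key: bytes) -> bytes:
        # Assumed stand-in for the VRF: private label, readers need the secret.
        return hmac.new(self.secret, key, hashlib.sha256).digest()
    def head(self) -> bytes:
        if not self.blocks:
            return b"\x00" * 32
        prev, root = self.blocks[-1]
        return h(b"\x02", prev, root)
    def add_block(self, claims: dict) -> bytes:
        labels = [self.label(k) for k in claims]
        leaves = [h(b"\x00", l, v) for l, v in zip(labels, claims.values())]
        root, paths = merkle_root_and_paths(leaves)
        prev = self.head()
        self.blocks.append((prev, root))
        self.proofs = {l: (prev, root, p) for l, p in zip(labels, paths)}  # latest block
        return self.head()
    def prove(self, key: bytes):
        return self.proofs.get(self.label(key))

def verify_claim(head, label, value, proof) -> bool:
    """Reader side: head binds the root, root binds the (label, value) leaf."""
    prev, root, path = proof
    return h(b"\x02", prev, root) == head and verify_inclusion(root, h(b"\x00", label, value), path)
```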

Another aspect of building next-generation protocols is to evaluate their usability. Prior studies have shown that users typically do not understand encryption and are even hostile to open-source code. However, these studies are typically done with students drawn from a general population, and in response Prosecco, in co-operation with sociologists from CNRS/Sorbonne, has started the largest-ever study of high-risk users from countries as diverse as Ukraine, Russia, Egypt and Tunisia. Preliminary results were presented at the European Usable Security (EuroUSEC) workshop, and have already attracted considerable attention from developers of secure messaging applications such as Signal and Briar. We hope that our findings on how users actually do group messaging and key verification will lead to changes in the underlying protocols.

Lastly, we continue to work with standards bodies in order to carry out security and privacy analysis of new protocols. For example, we have started formalizing W3C Web Authentication and inspecting its privacy properties, and our work on the lack of security in Semantic Web standards led to "Semantic Insecurity: Security and the Semantic Web" at ISWC 2017. Work on the security and privacy properties of the W3C Encrypted Media Extensions led to an invited keynote at SPACE 2017.

Next year, we will finalize ClaimChain and add the mix-network we have been developing over the last year, leading to a metadata-resistant and decentralized secure messaging application. We will work on spreading awareness of the importance of formally verified open standards as necessary for the future of security, rather than closed-source solutions that may have backdoors and dangerous bugs that could cause severe economic damage if not fixed. To this end, we will work with ECRYPT CSA on the IACR Summer School on the Societal and Business Impact of Cryptography, colocated with Real-World Crypto 2018, and co-organize an event at the European Commission and Parliament.