3.2.1 Generic proof techniques

Most automated tools for verifying security properties rely on techniques stemming from automated deduction. Often existing techniques do however not apply directly, or do not scale up due to state explosion problems. For instance, the use of Horn clause resolution techniques requires dedicated resolution methods 4547. Another example is unification modulo equational theory, which is a key technique in several tools, e.g. 54. Security protocols however require to consider particular equational theories that are not naturally studied in classical automated reasoning. Sometimes, even new concepts have been introduced. One example is the finite variant property 49, which is used in several tools, e.g., Akiss  47, Maude-NPA 54 and TAMARIN  57. Another example is the notion of asymmetric unification 53 which is a variant of unification used in Maude-NPA to perform important syntactic pruning techniques of the search space, even when reasoning modulo an equational theory. For each of these topics we need to design efficient decision procedures for a variety of equational theories.

3.2.2 Dedicated procedures and tools

We design dedicated techniques for automated protocol verification. While existing techniques for security protocol verification are efficient and have reached maturity for verification of confidentiality and authentication properties (or more generally safety properties), our goal is to go beyond these properties and the standard attacker models, verifying the properties and attacker models identified in Section 3.1. This includes techniques that:

• can analyse indistinguishability properties, including for instance anonymity and unlinkability properties, but also properties stated in simulation-based (also known as universally composable) frameworks, which express the security of a protocol as an ideal (correct by design) system;
• take into account protocols that rely on a notion of mutable global state which does not arise in traditional protocols, but is essential when verifying tamper-resistant hardware devices, e.g., the RSA PKCS#11 standard, IBM's CCA and the trusted platform module (TPM);
• consider attacker models for protocols relying on weak secrets that need to be copied or remembered by a human, such as multi-factor authentication.

These goals are beyond the scope of most current analysis tools and require both theoretical advances in the area of verification, as well as the design of new efficient verification tools.

3.3.1 General design techniques

Design techniques include composition results that allow one to design protocols in a modular way 50, 48. Composition results come in many flavours: they may allow one to compose protocols with different objectives, e.g. compose a key exchange protocol with a protocol that requires a shared key or rely on a protocol for secure channel establishment, compose different protocols in parallel that may re-use some key material, or compose different sessions of the same protocol.

Another area where composition is of particular importance is Service Oriented Computing, where an “orchestrator” must combine some available component services, while guaranteeing some security properties. In this context, we work on the automated synthesis of the orchestrator or monitors for enforcing the security goals. These problems require the study of new classes of automata that communicate with structured messages.

3.3.2 New protocol design

We also design new protocols. Application areas that seem of particular importance are:

• External hardware devices such as security APIs that allow for flexible key management, including key revocation, and their integration in security protocols. The security fiasco of the PKCS#11 standard 46, 52 witnesses the need for new protocols in this area.
• Election systems that provide strong security guarantees. We have been working (in collaboration with the Caramba team) on a prototype implementation of an e-voting system, Belenios (https://www.belenios.org/).
• Mechanisms for publishing personal information (e.g. on social networks) in a controlled way.

6.1.1 Belenios

• Name: Belenios - Verifiable online voting system
• Keyword: E-voting
• Functional Description:

  Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).

  Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters order candidates and grade them.

  Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

• News of the Year:

  Belenios now supports verifiable mixnets for the tally procedure. Mixnets allow to shuffle and randomize ballots so that ballots can no longer be linked to the original ones. Then ballots can be decrypted one by one, yielding the set of the original votes, in a random order. As a result, arbitrary type of elections can be organized with Belenios, where voters rank or grade the candidates. Belenios offers a complete support of Condorcet, STV, and Majority Judgement but any function can be applied to the raw results.

  Moreover, Belenios now features crowd-sourcing for translating the voter and the administrator interface. Anyone can contribute on https://hosted.weblate.org/projects/belenios/. Thanks to this development, Belenios now offers a dozen of languages.

  Due to the pandemic, the use of our voting platform has increased by a factor of 10 in 2020, with more than 1400 elections organized with our platform and a cumulated total of more than 100 000 voters.

• URL: https://www.belenios.org/
• Authors: Stéphane Glondu, Pierrick Gaudry, Véronique Cortier
• Contact: Stéphane Glondu
• Participants: Pierrick Gaudry, Stéphane Glondu, Véronique Cortier
• Partners: CNRS, Inria

6.1.2 Deepsec

• Name: DEEPSEC - DEciding Equivalence Properties in SECurity protocols
• Keywords: Security, Verification
• Functional Description: DEEPSEC (DEciding Equivalence Properties in SECurity protocols) is a tool for verifying indistinguishability properties in cryptographic protocols, modelled as trace equivalence in a process calculus. Indistinguishability is used to model a variety of properties including anonymity properties, strong versions of confidentiality and resistance against offline guessing attacks, etc. DEEPSEC implements a decision procedure to verify trace equivalence for a bounded number of sessions and cryptographic primitives modeled by a subterm convergent destructor rewrite system. The procedure is based on constraint solving techniques. The tool also implements state-of-the-art partial order reductions and allows to distribute the computation on multiple cores and multiple machines.
• News of the Year: In 2020, we added
  1. a GUI which allows for a user friendly environment that is able to display and animate attack traces when equivalence is violated, or witnesses of equivalent traces when the equivalence is proved,
  2. a detailed, tutorial style user manual available in html and PDF,
  3. support for different semantics (classical, private and eavesdrop).
• URL: https://deepsec-prover.github.io/
• Publications: hal-02269043, hal-02267866, hal-01698177, hal-01763122, hal-01763138
• Contacts: Vincent Cheval, Steve Kremer
• Participants: Steve Kremer, Itsaka Rakotonirina, Vincent Cheval

6.1.3 Tamarin

• Name: Tamarin prover
• Keywords: Security, Verification
• Functional Description: The Tamarin prover is a security protocol verification tool that supports both falsification and unbounded verification of security protocols specified as multiset rewriting systems with respect to (temporal) first-order properties and a message theory that models Diffie-Hellman exponentiation, bilinear pairing, multisets, and exclusive-or (XOR), combined with a user-defined convergent rewriting theory. Its main advantages are its ability to handle stateful protocols and its interactive proof mode. Moreover, it has been extended to verify equivalence properties. The tool is developed jointly by the PESTO team, the Institute of Information Security at ETH Zurich, and CISPA. In a joint effort, the partners wrote and published a user manual in 2016, available from the Tamarin website.
• Release Contributions: Automated generation of sources lemmas.
• News of the Year: One major strength of Tamarin is that it offers an interactive mode, allowing to go beyond what pushbutton tools can typically handle. Tamarin is for example able to verify complex protocols such as TLS or the authentication protocols from the 5G standard. However, one of its drawback is its lack of automation. For many simple protocols, the user often needs to help Tamarin by writing specific lemmas, called "sources lemmas", which requires some knowledge of the internal behaviour of the tool. This year, Cortier and Dreier, in collaboration with Delaune, propose a technique to automatically generate sources lemmas in Tamarin. They prove formally that the lemmas indeed hold, for arbitrary protocols that make use of cryptographic primitives that can be modelled with a subterm convergent equational theory (modulo associativity and commutativity). They have implemented their approach within Tamarin. Experiments show that, in most examples of the literature, suitable sources lemmas can now be automatically generated, in replacement of the handwritten lemmas. As a direct application, many simple protocols can now be analysed fully automatically, while they previously required user interaction.
• URL: http://tamarin-prover.github.io/
• Publications: hal-02991286, hal-02358878
• Contact: Jannik Dreier
• Participants: Jannik Dreier, Elise Klein, Maiwenn Racouchot, Véronique Cortier
• Partner: CISPA Helmholtz Center for Information Security

6.1.4 ProVerif

• Keywords: Security, Verification, Cryptographic protocol
• Functional Description:

  ProVerif is an automatic security protocol verifier in the symbolic model (so called Dolev-Yao model). In this model, cryptographic primitives are considered as black boxes. This protocol verifier is based on an abstract representation of the protocol by Horn clauses. Its main features are:

  It can verify various security properties (secrecy, authentication, process equivalences).

  It can handle many different cryptographic primitives, specified as rewrite rules or as equations.

  It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space.

• News of the Year: Vincent Cheval and Bruno Blanchet finished their work on several extensions of ProVerif: 1) support for integer counters, with incrementation and inequality tests, 2) lemmas and axioms to give intermediate results to ProVerif, which it exploits to help proving subsequent queries, by deriving additional information in the Horn clauses that it uses to perform the proofs, 3) proofs by induction on the length of the trace, by giving as lemma the property to prove, but obviously for strictly shorter traces, 4) temporal queries, which allow to order events. The soundness of these features is proved (by hand). Moreover, they optimized many algorithms used in ProVerif (generation of clauses, resolution, subsumption ...) resulting in impressive speedups on large examples. These features are included in ProVerif 2.02pl1 and a paper by Bruno Blanchet, Vincent Cheval, and Véronique Cortier is under submission.
• URL: http://proverif.inria.fr/
• Publications: hal-01947972, hal-01423742, hal-01306440, hal-01423760, hal-01102136, hal-01575920, hal-01528752, hal-01575923, hal-01527671, hal-01575861
• Authors: Bruno Blanchet, Vincent Cheval, Marc Sylvestre
• Contact: Bruno Blanchet
• Participants: Bruno Blanchet, Marc Sylvestre, Vincent Cheval

6.1.5 Jasmin

• Name: Jasmin compiler and analyser
• Keywords: Cryptography, Static analysis, Compilers
• Functional Description:

  The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

  The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This justifies that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

  Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

• URL: https://github.com/jasmin-lang/jasmin
• Publication: hal-02974993
• Contacts: Benjamin Grégoire, Vincent Laporte, Adrien Koutsos
• Participants: Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte

7.1.1 Foundations of Automated Verification: Semantics, Decidability and Complexity

Participants: Vincent Cheval, Véronique Cortier, Steve Kremer, Itsaka Rakotonirina, Christophe Ringeissen.

Security properties of cryptographic protocols are typically expressed as reachability or equivalence properties. Secrecy and authentication are examples of reachability properties while privacy properties such as untraceability, vote secrecy, or anonymity are generally expressed as behavioral equivalence in a process algebra that models security protocols.

In 12, Chrétien, Cortier, Dallon and Delaune show that it is possible to significantly reduce the search space for attacks for both reachability as well as equivalence properties. Specifically, they show that if there is an attack then there is one that is well-typed. The result holds for a large class of typing systems, a family of equational theories that encompasses all standard primitives, and a large class of deterministic security protocols. For many standard protocols, they deduce that it is sufficient to look for attacks that follow the format of the messages expected in an honest execution, therefore considerably reducing the search space. Building on this small attack property, Cortier, Delaune and Sundararajan 13, identify a new decidable class of security protocols, both for reachability and equivalence properties. The result holds for an unbounded number of sessions and for protocols with nonces. It covers all standard cryptographic primitives. The class sets up three main assumptions. (i) Protocols need to be without else branch and “simple”, meaning that an attacker can precisely identify from which participant and which session a message originates from. (ii) Protocols should be type-compliant which is intuitively guaranteed as soon as two encrypted messages of the protocol cannot be confused. (iii) Finally, the dependency graph of the protocol must be acyclic. The dependency graph is a new notion that characterises how actions depend on each other.

In 23, Cheval, Kremer and Rakotonirina provide an extensive survey on decidability and complexity results for the automated verification of behavioral equivalences, casting existing results in a common framework which allows for a precise comparison. This unified view, beyond providing a clearer insight on the current state of the art, allowed them to identify some variations in the statements of the decision problems—sometimes resulting in different complexity results. Additionally, a couple of novel or strengthened results are presented.

In collaboration with Erbatur (UT Dallas, USA) and Marshall (Univ Mary Washington, USA), Ringeissen studies decision procedures for the intruder deduction and the static equivalence problems in combinations of subterm convergent rewrite systems and syntactic theories for which it is possible to apply a mutation principle to simplify equational proofs. As a continuation of a work initially presented at UNIF'18, it has been shown that a matching property is applicable to solve both intruder deduction and static equivalence. This matching property can be satisfied when using a matching algorithm known for syntactic theories 15. In collaboration with the same colleagues, Ringeissen is interested in the development of hierarchical unification procedures for non-disjoint unions of syntactic theories used in protocol analysis. In 29, 30, new results have been obtained to get terminating (combined) hierarchical unification procedures.

Babel, Cheval and Kremer 8 study semantic variants of symbolic models pioneered by Dolev and Yao in their seminal work. Since then, although inspired by the same ideas, many variants of the original model have been developed. In particular, a common assumption is that the attacker has complete control over the network and can therefore intercept any message. This assumption has been interpreted in slightly different ways depending on the particular models: either any protocol output is directly routed to the adversary, or communications may be among any two participants, including the attacker – the scheduling between which exact parties the communication happens is left to the attacker. This difference may seem unimportant at first glance and, depending on the verification tools, either one or the other semantics is implemented. The authors show that, unsurprisingly, both semantics indeed coincide for reachability properties. However, for indistinguishability properties, they prove that these two interpretations lead to incomparable semantics. Therefore they introduce and study a new semantics, where internal communications are allowed but messages are always eavesdropped by the attacker. This new semantics yields strictly stronger equivalence relations. Moreover, they identify two subclasses of protocols for which the three semantics coincide. Finally, they implemented verification of trace equivalence for each of the three semantics in the DeepSec tool and compare their performances on several classical examples.

Beyond the decision problems related to equational unification and (intruder) theories, Ringeissen is interested in the theories used in SMT (Satisfiability Modulo Theories) solvers to model verification conditions. In collaboration with Sheng, Zohar, Lange, Barret (Stanford, USA) and Fontaine (Veridis project-team and University of Liège, Belgium), Ringeissen has studied the theory of datatypes and proved that it is strongly polite, showing also how it can be combined with other arbitrary disjoint theories to get a satisfiability procedure using polite combination 34. These politeness results follow the ones obtained in collaboration with Chocron (Insikt Intelligence, Spain) and Fontaine for data structure theories extended with some bridging functions such as the length operator on lists 11.

7.1.2 Recast of ProVerif

Participants: Vincent Cheval, Véronique Cortier.

Motivated by the addition of global states in ProVerif, Cheval and Cortier have conducted a major revision of the popular tool ProVerif. This revision goes well beyond global states and is conducted in collaboration with Bruno Blanchet, the original and main developer of ProVerif. One of the first main changes is the addition to ProVerif of the notion of “lemmas”, “axioms”, and "restrictions", that can be added to either encode additional properties (axioms and restrictions) or help ProVerif to prove the desired properties. It is indeed now possible to specify lemmas, that will significantly reduce the number of considered clauses in the saturation procedure of ProVerif. These lemmas should of course be proved themselves by ProVerif, possibly by induction thanks to a particular care of the order of literals in the saturation procedure. The new approach provides more flexibility in cases where ProVerif was not able to terminate or yield false attacks (e.g. in the presence of global states).

Moreover, even when ProVerif is able to prove security, the tool is suffering from efficiency issues when applied to complex industrial protocols (up to 1 month running time for the analysis of the NoiseExplorer protocol). While revisiting the core procedure of ProVerif, its efficiency has been considerably improved at several steps of the algorithm. For example, clause generation has been turned into a more lazy approach in order to generate fewer clauses. Moreover, techniques from automated deduction have been introduced to speed up checking when a clause subsumes another one. The detection and removal of redundant clauses have been also optimized. The experimental results show significant speed-up on many examples: On average, ProVerif is now 10 to 50 times faster than its previous release, with some examples peaking at 500 to 1000 times speedup.

The correctness of the new procedure is proven for the entire syntax and semantics of ProVerif, covering optimizations and features that were never formally defined in previous papers. For instance, the correspondence queries are not restricted anymore to be defined only with events in their conclusion.

7.1.3 Improving the Scope and Automation in the TAMARIN Prover

Participants: Véronique Cortier, Jannik Dreier, Lucca Hirschi.

The TAMARIN prover is a state-of-the-art verification tool for cryptographic protocols in the symbolic model developed jointly by CISPA, ETH Zurich and the PESTO team.

Dreier and Hirschi, in collaboration with Sasse (ETH Zurich), and Radomirovic (Dundee), improved the underlying theory and the tool to deal with an equational theory modeling exclusive-or (XOR) operations. XOR operations are common in cryptographic protocols, in particular in RFID protocols and electronic payment protocols. Although there are numerous applications, due to the inherent complexity of faithful models of XOR, there is only limited tool support for the verification of cryptographic protocols using XOR. This makes TAMARIN the first tool to support simultaneously this large set of equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties including observational equivalence. They demonstrate the effectiveness of their approach by analyzing several protocols that rely on XOR, in particular multiple RFID-protocols, where they can identify attacks as well as provide proofs. First results were presented at CSF'18, and an extended version was published in the Journal of Computer Security 14.

One major strength of TAMARIN is that it offers an interactive mode, allowing to go beyond what pushbutton tools can typically handle. TAMARIN is for example able to verify complex protocols such as TLS or the authentication protocols from the 5G standard. However, one of its drawback is its lack of automation. For many simple protocols, the user often needs to help TAMARIN by writing specific lemmas, called "sources lemmas", which requires some knowledge of the internal behaviour of the tool. In 25, Cortier and Dreier, in collaboration with Delaune, propose a technique to automatically generate sources lemmas in TAMARIN. They prove formally that the lemmas indeed hold, for arbitrary protocols that make use of cryptographic primitives that can be modelled with a subterm convergent equational theory (modulo associativity and commutativity). They have implemented their approach within TAMARIN. Experiments show that, in most examples of the literature, suitable sources lemmas can now be automatically generated, in replacement of the handwritten lemmas. As a direct application, many simple protocols can now be analysed fully automatically, while they previously required user interaction.

7.1.4 Analysis of Deployed Protocols

Participants: Lucca Hirschi.

7.1.5 Symbolic Methods in Computational Cryptography Proofs

Participants: Charlie Jacomme, Steve Kremer.

In 22, Jacomme and Kremer, in collaboration with Barthe (MPI Security and Privacy), study equivalence checking of probabilistic programs, a fundamental problem which arises in many application areas including cryptography, privacy, algorithmic fairness and machine learning. The programming language they consider manipulates polynomials over a finite field of characteristic $q$ and supports sampling and conditioning, making it sufficiently expressive to encode boolean and arithmetic circuits. They consider two variants of the equivalence checking problem: the first one considers an interpretation over the finite field ${𝔽}_q$, while the second one, which they call universal equivalence, verifies equivalence over all extensions ${𝔽}_{q^k}$ of ${𝔽}_q$. The universal variant typically arises in provable cryptography when one wishes to prove equivalence for any length of bitstrings, i.e., elements of ${𝔽}_{2^k}$ for any $k$. While the first problem is obviously decidable, they establish its exact complexity which lies in the counting hierarchy. To show decidability, and a doubly exponential upper bound, of the universal variant they rely on results from algorithmic number theory and the possibility to compare local zeta functions associated to given polynomials. Finally they study several variants of the equivalence problem, including a problem they call majority, motivated by differential privacy.

7.1.6 Cryptographic Implementations

Participants: Vincent Laporte.

7.1.7 Protocol Design

Participants: Jannik Dreier.

In 10, Dreier in collaboration with Bultel (LIFO, Orléans), Dumas (LJK, Grenoble) and Lafourcade (LIMOS, Clermont-Ferrand) study the Conspiracy Santa problem, a variant of Secret Santa: a group of people offer each other Christmas gifts, where each member of the group receives a gift from the other members of the group. To that end, the members of the group form conspiracies, to decide on appropriate gifts, and usually divide the cost of each gift among all participants of that conspiracy. This requires to settle the shared expenses per conspiracy, so Conspiracy Santa can actually be seen as an aggregation of several shared expenses problems. First, they show that the problem of finding a minimal number of transaction when settling shared expenses is NP-complete. Still, there exist good greedy approximations. Second, they present a greedy distributed secure solution to Conspiracy Santa. This solution allows a group of $n$ people to share the expenses for the gifts in such a way that no participant learns the price of his gift, but at the same time notably reduces the number of transactions to $2·n+1$ with respect to a naïve aggregation of $n·(n-2)$. Furthermore, the solution does not require a trusted third party, and can either be implemented physically (the participants are in the same room and exchange money using envelopes) or, over Internet, using a cryptocurrency.

7.2.1 Definitions for E-Voting

Participants: Véronique Cortier, Joseph Lallemand.

Existing formal (computational) definitions for privacy in electronic voting make the assumption that the bulletin board which collects the votes behaves honestly: the only ballots on the board are created by voters, all ballots are placed without tampering with them, and no ballots are ever removed. This strong assumption is difficult to enforce in practice and whenever it does not hold vote privacy can be broken. As a consequence, voting schemes are proved secure only against an honest voting server while they are designed and claimed to resist a dishonest one. In 27, Cortier and Lallemand, in collaboration with Warinschi (Univ. Bristol and Dfinity), proposed a framework for the analysis of electronic voting schemes in the presence of malicious bulletin boards. They identify a spectrum of notions where the adversary is allowed to tamper with the bulletin board in ways that reflect practical deployment and usage considerations. To clarify the security guarantees provided by the different notions they establish a relationship with simulation-based security with respect to a family of ideal functionalities. The ideal functionalities make clear the set of authorised attacker capabilities which makes it easier to understand and compare the associated levels of security. They then leverage this relationship to show that each distinct level of ballot privacy entails some distinct form of individual verifiability. As an application, they have studied three protocols of the literature (Helios, Belenios, and Civitas) and identified the different levels of privacy they offer.

7.2.2 Design of E-Voting Protocols

Participants: Véronique Cortier, Alexandre Debant, Jannik Dreier, Mathieu Turuani, Quentin Yang.

As a part of a contract with Idemia, Cortier, Debant, Dreier, Turuani and Yang are designing a novel electronic voting system, tailored to the voting context envisioned by Idemia. The system is made for on-site elections, with the use of smart cards. However, the goal is that the trust should not be placed in one single part of the system, hence smart cards can not be trusted. One originality of the approach is the possibility to re-use existing techniques, in conjunction with the use of smart-cards and paper ballots. The designed protocol is meant to achieve vote secrecy, coercion resistance, and cast as intended. Coercion resistance is eased by the fact that voters enter a physical voting booth. Cast-as-intended was more difficult to achieve since Idemia aimed at two strong guarantees: all cast ballots should be audited by voters (this is not an option left to the choice of the voter) and whenever the system attempts to cheat, its misbehavior can be proved to a third party, possibly yielding to a punishment of the system. The proposed protocol has been proved secure with the tool ProVerif and using some of its new features as explained in Section 7.1.2. A proof of concept has been realized and experimented by Idemia. A potential publication of our results is under discussion with Idemia.

There are two main approaches for tallying an election in the context of electronic voting. The first one is the homomorphic tally. Thanks to the homomorphic property of the encryption scheme (typically ElGamal), the ballots are combined to compute the (encrypted) sum of the votes. Then only the resulting ciphertext needs to be decrypted to reveal the election result, without leaking the individual votes. However, it can only be applied to simple vote counting functions. The second main approach is based on mixnets. The encrypted ballots are shuffled and re-randomized such that the resulting ballots cannot be linked to the original ones. Several mixers are successively used and then each (randomized) ballot is decrypted, yielding the original votes in clear, in a random order. It can be used for any vote counting function but it reveals much more information than the result itself (the winner(s) of the election) and is subject to so-called Italian attacks. Quentin Yang did his Master2 internship, co-supervised by Cortier and Gaudry (Caramba project-team), on the possibility to compute the election result from a set of encrypted ballots, without leaking any other information. This can be seen as an instance of Multi-Party Computation (MPC). Cortier, Gaudry and Yang have unveiled several flaws or limitations of the existing works and they have provided a toolbox to implement, at a reasonable cost, several key counting functions of the literature: Majority Judgement, Condorcet, and STV. One of the surprises of the work lies in the fact that they show that it is often preferable to use the very standard El Gamal encryption instead of Paillier encryption, that is typically considered as the Swiss-knife for MPC.

7.2.3 Attacking E-Voting Protocols

Participants: Véronique Cortier, Quentin Yang.

In 2012, Bernhard et al. showed that the Fiat-Shamir heuristic must be used with great care in zero-knowledge proofs. In collaboration with Gaudry, Cortier and Yang have discovered that, in the Belenios voting system, while not using the weak version of Fiat-Shamir, there is still a gap that allows to fake a zero-knowledge proof in certain circumstances. Therefore an attacker who corrupts the voting server and the decryption trustees could break verifiability. This can easily be fixed by strengthening the Fiat-Shamir heuristic. This result has been presented at EvoteID'20 26.

7.3.1 Privacy Protection in Social Networks

Participants: Bizhan Alipour, Noreddine Belhadj-Cheikh, Abdessamad Imine, Michaël Rusinowitch.

Social media such as Facebook provide a new way to connect, interact and learn. Facebook allows users to share photos and express their feelings by using comments. However, Facebook users are vulnerable to attribute inference attacks where an attacker intends to guess private attributes (e.g., gender, age, political view) of target users through their online profiles and/or their vicinity (e.g., what their friends reveal). Given user-generated pictures on Facebook, Alipour, Imine and Rusinowitch show how to launch gender inference attacks on their owners from pictures meta-data composed of: (i) alt-texts generated by Facebook to describe the content of pictures, and (ii) comments posted by friends, friends of friends or regular users. They assume these two meta-data are the only available information to the attacker. Evaluation results demonstrate that an adversary can infer the gender with high accuracy by combining alt-texts and comments. Moreover they can compute sensitive words and hide them to decrease drastically the adversary prediction accuracy. To the best of their knowledge, this is the first inference attack on Facebook that exploits comments and alt-texts solely. This year they have investigated the case where comments are reduced to Emojis 33, 16. They have also introduced a retrofitting process for handling online newly discovered vocabulary in 32. Finally an adapted approach for age inference has been considered in 28.

7.3.2 Compressed and Verifiable Filtering Rules in Software-defined Networking

Participants: Ahmad Abboud, Michaël Rusinowitch.

In a joint project with the Resist research group at Inria Nancy and the Numeryx company, Abboud, Lahmadi (Resist) and Rusinowitch are working on the design, implementation and evaluation of a double-mask technique for building compressed and verifiable filtering rules in Software Defined Networks 18. As an alternative solution to the memory limitation of switches they investigate the possibility of distributing the filtering rules among several devices while preserving the network policy semantics 42, 17.

9.1.1 Inria International Partners

9.2.1 FP7 & H2020 Projects

• ERC Consolidator Grant SPOOC Automated Security Proofs of Cryptographic Protocols: Privacy, Untrusted Platforms and Applications to E-voting Protocols.

  https://members.loria.fr/SKremer/files/spooc/index.html

  Leader: Steve Kremer. 2015–2020.

  The goals of the Spooc project were to develop solid foundations and practical tools to analyze and formally prove security properties that ensure the privacy of users as well as techniques for executing protocols on untrusted platforms. In this project we

  • developed foundations and practical tools for specifying and formally verifying new security properties, in particular privacy properties;
  • developed techniques for the design and automated analysis of protocols that have to be executed on untrusted platforms;
  • applied these methods in particular to novel e-voting protocols, which aim at guaranteeing strong security guarantees without need to trust the voter client software.

  Some of the main outcomes of the project were the development of the DeepSec verification tool, new flexible, security definitions for e-voting protocols and the application of symbolic verification to deployed e-voting protocols.

9.3.1 ANR

• ANR Chaire IA ASAP Tools for automated, symbolic analysis of real-world cryptographic protocols, duration: 4 years, since September 2020, leader: Steve Kremer.

  The goal of this project is the development of efficient algorithms and tools for automated verification of cryptographic protocols, that are able to comprehensively analyse detailed models of real-world protocols building on techniques from automated reasoning. Automated reasoning is the subfield of AI whose goal is the design of algorithms that enable computers to reason automatically, and these techniques underlie almost all modern verification tools. Current analysis tools for cryptographic protocols do however not scale well, or require to (over)simplify models, when applied on real-world, deployed cryptographic protocols. We aim at overcoming these limitations: we therefore design new, dedicated algorithms, include these algorithms in verification tools, and use the resulting tools for the security analyses of real-world cryptographic protocols.

• ANR TECAP Protocol Analysis — Combining Existing Tools, duration: 4 years, starting in 2018, leader: Vincent Cheval, other partners: ENS Cachan, Inria Paris, Inria Sophia Antipolis, IRISA, LIX.

  Despite the large number of automated verification tools, several cryptographic protocols (e.g. stateful protocols) still represent a real challenge for these tools and reveal their limitations. To cope with these limits, each tool focuses on different classes of protocols depending on the primitives, the security properties, etc. Moreover, the tools cannot interact with each other as they evolve in their own model with specific assumptions. The aim of this project is to get the best of all these tools, that is, to improve the theory and implementations of each individual tool towards the strengths of the others and to build bridges that allow the cooperations of the methods/tools. We will focus in this project on CryptoVerif, EasyCrypt, Scary, ProVerif, TAMARIN, Akiss and APTE. In order to validate the results obtained in this project, we will apply our results to several case studies such as the Authentication and Key Agreement protocol from the telecommunication networks, the Scytl and Helios voting protocols, and the low entropy 3D-Secure authentication protocol. These protocols have been chosen to cover many challenges that the current tools are facing.

10.1.1 Scientific Events: Organisation

10.1.2 Scientific Events: Selection

10.1.3 Journal

10.1.4 Invited Talks

• Véronique Cortier. Plenary talk at the 28th edition of Computer Science Logic (CSL 2020), Barcelona, Spain, January 2020. Invited talk at the 21st International Conference on Cryptology in India (IndoCrypt 2020), Bangalore (virtual), India, December 2020. Invited talk at the Workshop on Security and Privacy in Contact Tracing, virtually at the TU Wien (Austria), September 2020.
• Steve Kremer. Invited talk at the 6th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2020).

10.1.5 Leadership within the Scientific Community

• Véronique Cortier: vice-chair of ACM Special Interest Group on Logic and Computation (SigLog)
• Véronique Cortier: member of IFIP WG-1.7 Foundations of Security Analysis
• Véronique Cortier: steering committee member of Foundations of Computer Security (FCS)
• Véronique Cortier: member of the research council of ANSSI
• Steve Kremer: member of IFIP WG-1.7 Foundations of Security Analysis
• Michaël Rusinowitch: member of the IFIP WG-11.14 Secure Engineering

10.1.6 Scientific Expertise

• Véronique Cortier: member of the expert panel on Computer Science of the Research Foundation – Flanders (FWO)
• Lucca Hirschi: external scientific expert for the ANR Generic Call 2020
• Steve Kremer: jury member of the Gilles Kahn PhD award
• Michaël Rusinowitch: external expertises for FNRS

10.1.7 Research Administration

• Steve Kremer: co-chair of Inria's Committee on Gender Equality and Equal Opportunities
• Laurent Vigneron: Head of the computer science commission of the Doctoral School of Lorraine University, and member of the ComiPers of Inria NGE

10.2.1 Teaching

• Licence:

  V. Cheval, Introduction to Theoretical Computer Science (Logic, Languages, Automata), 38 hours (ETD), TELECOM Nancy

  L. Hirschi, Introduction to Theoretical Computer Science (Logic, Languages, Automata), 32 hours (ETD), TELECOM Nancy

• Master:

  V. Cortier, Protocol security, 19 hours (ETD), M2 Computer Science, TELECOM Nancy and Mines Nancy

  A. Imine, Security for XML Documents, 12 hours (ETD), M1, Univ Lorraine

  S. Kremer, Security Theory, 24 hours (ETD), M2 Computer science, Univ Lorraine

  C. Ringeissen, Decision Procedures for Software Verification, 24 hours (ETD), M2 Computer science, Univ Lorraine

  L. Vigneron, Security of information systems, 28 hours (ETD), M2 Computer science, Univ Lorraine

  L. Vigneron, Advanced Security, 28 hours (ETD), Polytech Nancy – Information Systems and Networks, Univ Lorraine

  L. Vigneron, Security of information systems, 24 hours (ETD), M2 MIAGE – Audit and Design of Information Systems, Univ Lorraine

10.2.2 Supervision

• PhD defended in 2020:

  Charlie Jacomme, Preuves de protocoles cryptographiques : méthodes symboliques et attaquants puissants, October 2020 (H. Comon, ENS Paris-Saclay, and S.Kremer). Now post-doc at CISPA, Saarbrucken, Germany.

• PhD in progress:

  Ahmad Abboud, Compressed and Verifiable Filtering Rules in Software-defined Networking, started in August 2018 (A. Lahmadi, M. Rusinowitch and A. Bouhoula)

  Bizhan Alipour, Privacy protection against inference attacks in social networks, started in October 2018 (A. Imine, M. Rusinowitch)

  Noreddine Belhadj-Cheikh, Enforcing Social Network Privacy by Adversarial Machine Learning, started in October 2020 (A. Imine, M. Rusinowitch)

  Itsaka Rakotonirina, Efficient verification of equivalence properties in cryptographic protocols, started in October 2017, defense scheduled on 01/02/2021 (V. Cheval and S. Kremer)

  Quentin Yang, Design of a cast-as-intended, verifiable, and coercion-resistant evoting protocol, started in November 2020 (V. Cortier and P. Gaudry)

• PhD interruption:

  Joshua Peigner, Decision procedures for equivalence properties, started in October 2019 and stopped in October 2020 (V. Cortier and S. Delaune). Joshua Peigner has chosen to switch to a teaching career.

• Master defended in 2020:

  Sanaz Eidizadehakhcheloo, Age category inference from social network metadata, Sapienza Universita di Roma (supervised by A. Imine and M. Rusinowitch).

  Corentin Hug, A symbolic security analysis of QUIC. ENSIMAG (supervised by J. Dreier and S. Kremer).

10.2.3 Juries

• Reviewer and jury president for Benjamin Beurdouche, University PSL (V. Cortier)
• Reviewer and jury president for Tristan Ninet, PhD, Univ Rennes, IRISA (S. Kremer)
• Reviewer for Cécile Baritel-Ruet, PhD, Université Côte d'Azur (S. Kremer)
• Reviewer for Zach Smith, PhD, Univ Luxembourg (S. Kremer)
• Jury president for Pierre Mercuriali, University of Lorraine (M. Rusinowitch)
• Examiner for Guillaume Kaim, University of Rennes (V. Cortier)
• Examiner for Marco Romanelli, Institut Polytechnique de Paris (V. Cortier)
• Examiner for Angèle Bossuat, PhD, Univ Rennes, IRISA (S. Kremer)

10.3.1 Articles and contents

• V. Cortier, L. Hirschi and S. Kremer co-authored “Le traçage anonyme, dangereux oxymore – Analyse de risques à destination des non-spécialistes” 36. This document provides concrete and simple attack scenarios against tracing applications like DP3T or ROBERT, deployed in the context of the covid-19 pandemic. One of the goals of the document was to point out the necessity to clarify the benefits of such applications so that the general public (and in particular the members of the French parliement) can judge the balance between the benefits and the risks. The publication of this document was followed by multiple interviews (Le Monde, Les Echos, Le Figaro, Télérama, AEF, France Culture, ...).

10.3.2 Interventions

• V. Cortier
  • hearing at the European parlementary group PPE on tracing applications
  • conference at the Webinar "sentinelles des libertés" from the barreau de Paris (laywers organization) on tracing applications
  • interview on France 3 on e-voting
• J. Dreier:
  • interview with RCF Lorraine on the security of 5G networks

International journals

• 8 articleKushalK. Babel, VincentV. Cheval and SteveS. Kremer. On the semantics of communications when verifying equivalence propertiesJournal of Computer Security2812020, 71-127
  HALDOIback to text
• 9 articleGillesG. Barthe, SandrineS. Blazy, BenjaminB. Grégoire, RémiR. Hutin, VincentV. Laporte, DavidD. Pichardie and AlixA. Trieu. Formal verification of a constant-time preserving C compilerProceedings of the ACM on Programming Languages4POPLJanuary 2020, 1-30
  HALDOIback to text
• 10 articleXavierX. Bultel, JannikJ. Dreier, Jean-GuillaumeJ.-G. Dumas and PascalP. Lafourcade. A Faster Cryptographer's Conspiracy SantaTheoretical Computer Science839November 2020, 122-134
  HALDOIback to text
• 11 articlePaulaP. Chocron, PascalP. Fontaine and ChristopheC. Ringeissen. Politeness and Combination Methods for Theories with Bridging FunctionsJournal of Automated Reasoning642020, 97-134
  HALDOIback to text
• 12 article RémyR. Chrétien, VéroniqueV. Cortier, AntoineA. Dallon and StéphanieS. Delaune. Typing messages for free in security protocols ACM Transactions on Computational Logic 21 1 2020
  HAL DOI back to text
• 13 article VéroniqueV. Cortier, StéphanieS. Delaune and VaishnaviV. Sundararajan. A decidable class of security protocols for both reachability and equivalence properties Journal of Automated Reasoning 2020
  HAL DOI back to text
• 14 articleJannikJ. Dreier, LuccaL. Hirschi, SašaS. Radomirović and RalfR. Sasse. Verification of Stateful Cryptographic Protocols with Exclusive ORJournal of Computer Security281February 2020, 1--34
  HALDOIback to text
• 15 articleSerdarS. Erbatur, Andrew MA. Marshall and ChristopheC. Ringeissen. Computing Knowledge in Equational Extensions of Subterm Convergent TheoriesMathematical Structures in Computer Science306June 2020, 683-709
  HALDOIback to text
• 16 articleBizhan AlipourB. Pijani, AbdessamadA. Imine and MichaëlM. Rusinowitch. Inferring attributes with picture metadata embeddingsACM SIGAPP applied computing review : a publication of the Special Interest Group on Applied Computing202July 2020, 36-45
  HALDOIback to text

International peer-reviewed conferences

• 17 inproceedings AhmadA. Abboud, RémiR. Garcia, AbdelkaderA. Lahmadi, MichaëlM. Rusinowitch and AdelA. Bouhoula. Efficient Distribution of Security Policy Filtering Rules in Software Defined Networks NCA 2020 - 19th IEEE International Symposium on Network Computing and Applications Online conference, France November 2020
  HAL back to text
• 18 inproceedingsAhmadA. Abboud, AbdelkaderA. Lahmadi, MichaelM. Rusinowitch, MiguelM. Couceiro, AdelA. Bouhoula and MondherM. Ayadi. Double Mask: An efficient rule encoding for Software Defined NetworkingICIN 2020 - 23rd Conference on Innovation in Clouds, Internet and Networks and WorkshopsParis, Francehttps://www.icin-conference.org/2020/2020, 186--193
  HALback to text
• 19 inproceedingsJosé BacelarJ. Almeida, ManuelM. Barbosa, GillesG. Barthe, BenjaminB. Grégoire, AdrienA. Koutsos, VincentV. Laporte, TiagoT. Oliveira and Pierre-YvesP.-Y. Strub. The Last Mile: High-Assurance and High-Speed Cryptographic ImplementationsSP 2020 - 41st IEEE Symposium on Security and PrivacySan Francisco / Virtual, United Stateshttps://www.ieee-security.org/TC/SP2020/index.htmlMay 2020, 965-982
  HALDOIback to text
• 20 inproceedings José BacelarJ. Almeida, ManuelM. Barbosa, GillesG. Barthe, VincentV. Laporte and TiagoT. Oliveira. Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification International Conference on Cryptology in India Progress in Cryptology – INDOCRYPT 2020 Bangalore, India December 2020
  HAL back to text
• 21 inproceedings BoazB. Barak, RaphaëlleR. Crubillé and UgoU. Dal Lago. On Higher-Order Cryptography ICALP 2020 - 47th International Colloquium on Automata, Languages, and Programming Saarbrucken, Germany July 2020
  HAL DOI
• 22 inproceedingsGillesG. Barthe, CharlieC. Jacomme and SteveS. Kremer. Universal equivalence and majority of probabilistic programs over finite fieldsACM/IEEE LICS 2020 - 35th Annual Symposium on Logic in Computer ScienceSaarbrücken / Virtual, GermanyJuly 2020, 155-166
  HALDOIback to text
• 23 inproceedings VincentV. Cheval, SteveS. Kremer and ItsakaI. Rakotonirina. The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols Logic, Language, and Security. Essays Dedicated to Andre Scedrov on the Occasion of His 65th Birthday 12300 Lecture Notes in Computer Science Philadelphia, United States 2020
  HAL back to text
• 24 inproceedingsHubertH. Comon, CharlieC. Jacomme and GuillaumeG. Scerri. Oracle simulation: a technique for protocol composition with long term shared secretsACM CCS 2020CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications SecurityOrlando, United StatesINRIA; LSV, ENS Paris Saclay, Université Paris-Saclay; Université Versailles Saint-QuentinNovember 2020, 1427–1444
  HAL
• 25 inproceedingsBest paperVéroniqueV. Cortier, StéphanieS. Delaune and JannikJ. Dreier. Automatic generation of sources lemmas in Tamarin: towards automatic proofs of security protocolsESORICS 2020 - 25th European Symposium on Research in Computer Security12309Lecture Notes in Computer ScienceGuilford, United Kingdomhttps://www.surrey.ac.uk/esorics-2020September 2020, 3--22
  HALDOIback to textback to text
• 26 inproceedings VéroniqueV. Cortier, PierrickP. Gaudry and QuentinQ. Yang. How to fake zero-knowledge proofs, again E-Vote-Id 2020 - The International Conference for Electronic Voting Bregenz / virtual, Austria 2020
  HAL back to text
• 27 inproceedings Best paper VéroniqueV. Cortier, JosephJ. Lallemand and BogdanB. Warinschi. Fifty Shades of Ballot Privacy: Privacy against a Malicious Board CSF 2020 - 33rd IEEE Computer Security Foundations Symposium Boston / Virtual, United States June 2020
  HAL back to text back to text
• 28 inproceedingsSanazS. Eidizadehakhcheloo, Bizhan AlipourB. Pijani, AbdessamadA. Imine and MichaëlM. Rusinowitch. Your Age Revealed by Facebook Picture MetadataADBIS/TPDL/EDA Workshops 2020BBIGAP 2020 - Second Workshop of BI and Big Data Applications1260Communications in Computer and Information ScienceLyon / Virtual, FranceAugust 2020, 259-270
  HALDOIback to text
• 29 inproceedings SerdarS. Erbatur, Andrew MA. Marshall and ChristopheC. Ringeissen. Terminating Non-Disjoint Combined Unification (Extended Abstract) UNIF 2020 - 34th International Workshop on Unification Informal Proceedings Paris, France June 2020
  HAL back to text
• 30 inproceedingsSerdarS. Erbatur, Andrew MA. Marshall and ChristopheC. Ringeissen. Terminating Non-Disjoint Combined UnificationLOPSTR 2020 - 30th International Symposium on Logic-based Program Synthesis and Transformation12561Lecture Notes in Computer ScienceBologna, ItalySeptember 2020, 113-130
  HALDOIback to text
• 31 inproceedings GuillaumeG. Girol, LuccaL. Hirschi, RalfR. Sasse, DennisD. Jackson, CasC. Cremers and DavidD. Basin. A Spectral Analysis of Noise: A Comprehensive, Automated, Formal Analysis of Diffie-Hellman Protocols USENIX 2020 - 29th Usenix Security Symposium Virtual, United States https://www.usenix.org/conference/usenixsecurity20 August 2020
  HAL back to text
• 32 inproceedingsBizhan AlipourB. Pijani, AbdessamadA. Imine and MichaëlM. Rusinowitch. Online Attacks on Picture Owner PrivacyDEXA 2020 - 31st International Conference on Database and Expert Systems Applications12392Lecture Notes in Computer ScienceBratislava, SlovakiaSeptember 2020, 33-47
  HALDOIback to text
• 33 inproceedingsBizhan AlipourB. Pijani, AbdessamadA. Imine and MichaëlM. Rusinowitch. You are what emojis say about your pictures: Language - independent gender inference attack on FacebookSAC '20 - 35th ACM/SIGAPP Symposium on Applied ComputingBrno, Czech RepublicMarch 2020, 1826-1834
  HALDOIback to text
• 34 inproceedingsBest paperYingY. Sheng, YoniY. Zohar, ChristopheC. Ringeissen, JaneJ. Lange, PascalP. Fontaine and ClarkC. Barrett. Politeness for the Theory of Algebraic Datatypes10th International Joint Conference on Automated Reasoning, IJCAR12166Lecture Notes in Computer ScienceParis, France2020, 238--255
  HALDOIback to textback to text

Reports & preprints

• 35 report GillesG. Barthe, CharlieC. Jacomme and SteveS. Kremer. Universal equivalence and majority of probabilistic programs over finite fields MPI SP; LSV, ENS Cachan, CNRS, INRIA, Université Paris-Saclay, Cachan (France); LORIA, UMR 7503, Université de Lorraine, CNRS, Vandoeuvre-lès-Nancy April 2020
  HAL
• 36 misc XavierX. Bonnetain, AnneA. Canteaut, VéroniqueV. Cortier, PierrickP. Gaudry, LuccaL. Hirschi, SteveS. Kremer, StéphanieS. Lacour, MatthieuM. Lequesne, GaëtanG. Leurent, LéoL. Perrin, AndréA. Schrottenloher, EmmanuelE. Thomé, SergeS. Vaudenay and ChristopheC. Vuillot. Le traçage anonyme, dangereux oxymore: Analyse de risques à destination des non-spécialistes April 2020
  HAL back to text
• 37 report VincentV. Cheval, SteveS. Kremer and ItsakaI. Rakotonirina. Exploiting symmetries when proving equivalence properties for security protocols (Technical report) INRIA Nancy Grand-Est April 2020
  HAL
• 38 report VincentV. Cheval, SteveS. Kremer and ItsakaI. Rakotonirina. The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols (technical report) Inria Nancy Grand-Est March 2020
  HAL
• 39 report VéroniqueV. Cortier, StéphanieS. Delaune and VaishnaviV. Sundararajan. A decidable class of security protocols for both reachability and equivalence properties Loria & Inria Grand Est; Irisa January 2020
  HAL
• 40 misc JannikJ. Dreier, Jean-GuillaumeJ.-G. Dumas, PascalP. Lafourcade and LéoL. Robert. Optimal Threshold Padlock Systems April 2020
  HAL
• 41 misc LuccaL. Hirschi. Symbolic Abstractions for Quantum Protocol Verification September 2020
  HAL

Other scientific publications

• 42 misc AhmadA. Abboud, RémiR. Garcia, AbdelkaderA. Lahmadi, MichaëlM. Rusinowitch and AdelA. Bouhoula. R2-D2: Filter Rule set Decomposition and Distribution in Software Defined Networks Izmir/Virtual, Turkey November 2020
  HAL back to text

Scientific popularization

• 43 article I. Rakotonirina. Les livraisons dangereuses Interstices January 2021
  HAL