Most cryptographic protocols use cryptographic hash functions as a building block. The security analyses of these protocols typically assume that the hash functions are perfect (such as in the random oracle model). However, in practice, most widely deployed hash functions are far from perfect – and as a result, the analysis may miss attacks that exploit the gap between the model and the actual hash function used.

In collaboration with Cremers (CISPA), Cheval (Inria Paris), Dax (CISPA) and Jacomme (Inria Paris), Hirschi and Kremer develop the first methodology to systematically discover attacks on security protocols that exploit weaknesses in widely deployed hash functions. We achieve this by revisiting the gap between theoretical properties of hash functions and the weaknesses of real-world hash functions, from which we develop a lattice of threat models. For all of these threat models, we develop fine-grained symbolic models.

Our methodology's fine-grained models cannot be directly encoded in existing state-of-the-art analysis tools by just using their equational reasoning. We therefore develop extensions for the two leading tools, TAMARIN and ProVerif. In extensive case studies using our methodology, the extended tools rediscover all attacks that were previously reported for these protocols and discover several new variants. These results have been presented at USENIX'23 14.

Unlinkability is a privacy property of crucial importance for several systems such as mobile phones or RFID chips. Analysing this security property is very complex, and highly error-prone. Therefore, formal verification with machine support is desirable. Unfortunately, existing tools perform over-approximations which eventually lead to false attacks, and thus prevent direct and automatic security proofs of unlinkability. To overcome this limitation, different techniques have been developed: either verifying a (maybe) weaker notion of unlinkability (e.g.,  44) or following an indirect approach that consists in proving sufficient conditions (e.g.,  36, 50, 32). If these last properties avoid the main limitations of the tools, they still appear difficult to prove and often require non-negligible protocol abstractions.

In collaboration with Baelde (IRISA) and Delaune (IRISA), Debant develops a new approach that allows direct and automatic proofs of unlinkability 12. They overcome the limitations of the tool ProVerif by defining a simple transformation that will exploit some of its specific features recently introduced in  34. This transformation, together with some generic axioms, allows the tool to successfully conclude on several case studies. They have implemented their approach, effectively obtaining direct proofs of unlinkability on several protocols that were, until now, out of reach of automatic verification tools. This approach is also promising to prove anonymity properties but this application remains a future work.

In collaboration with Jacomme (Inria Paris) Klein, Kremer and Racouchot have analyzed EDHOC. EDHOC is a key exchange proposed by IETF's Lightweight Authenticated Key Exchange (LAKE) Working Group (WG). Its design focuses on small message sizes to be suitable for constrained IoT communication technologies. We provide an in-depth formal analysis of EDHOC–draft version 12, taking into account the different proposed authentication methods and various options. For our analysis we use the SAPIC${}^{+}$ protocol platform that allows to compile a single specification to three state-of-the-art protocol verification tools (ProVerif, TAMARIN and DeepSec) and take advantage of the strengths of each of the tools. In our analysis we consider a large variety of compromise scenarios, and also exploit recent results that allow to model existing weaknesses in cryptographic primitives, relaxing the perfect cryptography assumption, common in symbolic analysis. While our analysis confirmed security for the most basic threat models, a number of weaknesses were uncovered in the current design when more advanced threat models were taken into account. These weaknesses have been acknowledged by the LAKE WG and the mitigations we propose (and prove secure) have been included in version 14 of the draft 23.

WireGuard is a Virtual Private Network (VPN), presented at NDSS 2017, recently integrated into the Linux Kernel and paid commercial VPNs such as NordVPN, Mullvad and ProtonVPN. It proposes a different approach from other classical VPN such as IPsec or OpenVPN because it does not let users configure cryptographic algorithms. The protocol inside WireGuard is a dedicated extension of IKpsk2 protocol from Noise Framework. Different analyses of WireGuard and IKpsk2 protocols have been proposed, in both the symbolic and the computational model, with or without computer-aided proof assistants. These analyses however consider different adversarial models or refer to incomplete versions of the protocols. In this work, we propose a unified formal model of WireGuard protocol in the symbolic model. Our model uses the automatic cryptographic protocol verifiers SAPIC${}^{+}$, ProVerif and TAMARIN. We consider a complete protocol execution, including cookie messages used for resistance against denial of service attacks. We model a precise adversary that can read or set static, ephemeral or pre-shared keys, read or set ecdh pre-computations, control key distribution. Eventually, we present our results in a unified and interpretable way, allowing comparisons with previous analyses. Finally, thanks to our models, we give necessary and sufficient conditions for security properties to be compromised, we confirm a flaw on the anonymity of the communications and point an implementation choice which considerably weakens its security. We propose a remediation that we prove secure using our models.

Timing side-channels are arguably one of the main sources of vulnerabilities in cryptographic implementations. One effective mitigation against timing side-channels is to write programs complying with the “cryptographic constant-time” discipline. This source-level mitigation aims to enforce that program execution does not leak secrets, where leakage is defined by a formal leakage model. In practice, different leakage models coexist, sometimes even within a single library, both to reflect different architectures and to accommodate different security-efficiency trade-offs.

Constant-timeness is popular and can be checked automatically by many tools. However, most sound tools are focused on a baseline (BL) leakage model in which branches and memory accesses leak. Moreover, usual leakage models do not capture leakage during speculative execution, as exemplified by the Spectre attacks. Thus, Laporte and his co-authors have designed a type-system such that well-typed programs are secure against Spectre attacks. We implemented an efficient type-checker that is precise enough to automatically verify a comprehensive library of high-speed cryptographic implementations 9.

Compilers play a key role in implementations; their formal verification provides a strong justification to source-level reasoning: a verified compiler can be trusted to enforce at target-level properties that are proved at the level of source code.

We are developing an approach for building cryptographic implementations, delivering assembly code that is provably functionally correct, protected against side-channels, and as efficient as hand-written assembly. Laporte and his co-authors have successfully applied to the efficient implementation of Kyber, a post-quantum primitive for key encapsulation 11. This has required to extend Jasmin and correspondingly update its verified compiler.

Belenios is the main voting protocol developed by the team, as described in Section 7.1.1. Until now, a missing feature was the cast-as-intended property, that allows a voter to check that their vote has been sent as intended, even when their device is malicious and tries to vote for another candidate. Reusing some of the ideas proposed in the Themis protocol, Cortier, Debant, Gaudry (project-team Caramba), and Glondu are designing a variant of Belenios, called BeleniosCaI, that offers cast-as-intended, without requiring voters to use code sheets nor a second device 15. Goestchmann and Cortier, in a joint work with Gaudry (Caramba) and Lemonnier (Larsen), conducted a first user study of BeleniosCaI, to analyze whether the protocol was usable in practice and how well it protects vote privacy and verifiability.

Anyone should be able to check that ballots have been cast by legitimate voters only. However, in practice, voters are often authenticated through a login and password sent through email or text messages, which offers low guarantee and no verifiability. Cortier, Debant, Hirschi, and Goetschmann have shown that it is possible to use the well-spread OpenID authentication protocol and to turn it into a protocol that offers eligibility verifiability. The first main idea is to use the signature of the identity provider as a proof of eligibility. Then, they show how to replace this signature by a zk-SNARK proof of knowledge of this signature, to avoid leaking any additional information provided by the OpenID protocol. A PoC implementation shows that computing such proofs remain feasible for large scale elections.

Yang, in collaboration with Devillez, Pereira, and Peters (UCL Louvain), has explored 19 the interaction between receipt-freeness and cast-as-intended. They demonstrate that it is impossible to obtain a receipt-free voting protocol with cast-as-intended if the voting process is non-interactive, unless a trusted authority is available. They also demonstrate that, if a trusted voter registration authority is available, then cast-as-intended verifiability and receipt-freeness can be obtained. Furthermore, the same security properties can be obtained using an interactive voting process.

The JCJ voting scheme  51 is the reference paradigm when designing a coercion-resistant protocol. Cortier, Gaudry (project-team Caramba), and Yang noticed a weakness in JCJ that is also present in all the systems following its general structure. This comes from the procedure that precedes the tally, where the trustees remove the ballots that should not be counted. This phase leaks more information than necessary, leading to potential threats for the coerced voters. Fixing this leads to the notion of cleansing-hiding, that they apply to form a variant of JCJ, called CHide. One reason for the problem not being seen before is the fact that the associated formal definition of coercion-resistance was too weak. They propose a definition that can take into account more behaviors such as revoting or the addition of fake ballots by authorities, and prove that CHide is coercion-resistant w.r.t. this definition 17.

End-to-end verifiability can be expressed as follows: the result of an election should count the votes of all voters (at least those who have verified their vote) plus at most $k$ votes where $k$ is the number of voters under the control of the attacker. Such a property requires to count the votes, which seemed out of reach of tools like ProVerif. Cheval (Inria Paris), Cortier, and Debant show that end-to-end verifiability can be (equivalently) expressed with two simple injectives queries, with no loss of generality. These two simple injective queries can immediately be expressed in ProVerif. Yet, they may be hard to prove. They therefore developed a framework using most of the new features of ProVerif (e.g. counters and lemmas) in order to prove E2E-verifiability in ProVerif. They applied this approach to usual protocols like Helios and Belenios but also to industrial-scale protocols like CHVote and SwissPost 13.

For the 2022 French legislative elections, Cortier (together with Gaudry and Glondu) was mandated as third party to check correctness of the cryptographic material produced during the election 16. They required that the specification of the protocol, used for our work, was made public.

With this (sadly incomplete) specification as a starting point, Debant and Hirschi conducted  18 a security analysis of the underlying e-voting protocol. Due to a lack of system and threat model specifications, they built and contributed such specifications by studying the French legal framework and by reverse-engineering the code base accessible to the voters. Their analysis revealed that this protocol is affected by two design-level and implementation level vulnerabilities. They shown how those allow a standard voting server attacker and even more so a channel attacker to defeat the election integrity and ballot privacy due to 5 attack variants. They proposed and discussed 5 fixes to prevent those attacks. The specifications, the attacks, and the fixes were acknowledged by the relevant stakeholders during the responsible disclosure. They implemented the fixes to prevent the attacks for future elections.

Roenne, in collaboration with Sutopo and Haines, studied 25 the IVXV system used for municipal and national elections in Estonia as well as European Parliament elections. It appears that, despite the code being public for over five years, the cryptographic protocol has not seen much scrutiny at the code level. A previously unknown vulnerability was discovered, which contradicts the claimed individual verifiability of the system; this vulnerability should be patched in the next version of IVXV system.