Section: Scientific Foundations
Application to new security protocols
In addition to classical, academic protocols, such as those presented in the “Clark Jacob library” [67], we have applied our methods to other protocols and classes of protocols, which often require modeling new properties.
In this vein, other properties and other protocols were studied:
- Anonymity properties and electronic voting
Electronic voting schemes require the voter to be unable to prove his vote to a bully, a property named receipt-freeness in the passive case and coercion-resistance in the more demanding active case [5]. Anonymity, privacy, unlinkability and in general all opacity properties are also the topic of objective 1.4.
- Security APIs
Security APIs allow untrusted code to access sensitive resources in a secure way. A security API provides an interface between a trusted component, such as a smart card or cryptographic security module, and the untrusted outside world, such that no matter what sequence of commands in the interface is called, and no matter what the parameters are, certain 'good' properties will continue to hold, e.g. the secret long-term keys on the smart card are never revealed. Analysis of security APIs is a new theme which has recently started in SECSI with the arrival of Graham Steel. First results on the widely deployed standard PKCS#11 were presented in [81].
- Password-based protocols
Guessing attacks are attacks where a weak secret, such as a password, can be guessed, e.g. by brute-force enumeration. Some protocols use passwords but are still immune to guessing attacks [76], [78], and a general decision procedure was proposed by Baudet [59] in the (realistic) offline case, using a definition of security based on static equivalence.
- Group protocols
Secrecy and authentication properties were examined in the challenging case of group protocols. See Roger's PhD thesis [100] and the paper [90]. Antoine Mercier started a PhD thesis on security properties of group protocols with Ralf Treinen and Steve Kremer in Fall 2006. First results on secrecy for an unbounded number of participants were presented in [92].
- Electronic purse
We have worked on a challenging case study of an electronic purse protocol which was provided by France Télécom in the RNTL project PROUVÉ. The protocol relies on algebraic properties of a fragment of arithmetic, typically containing modular exponentiation. This case study motivated work on Associative-Commutative deducibility constraints and gave rise to new decidability results [2], [63].
- Fair exchange and contract signing protocols
Boisseau studied contract-signing protocols (see his PhD thesis [62]); Kremer studied optimistic multi-party contract signing protocols [65], and fair exchange protocols [97], where one of the crucial properties is fairness (none of the signers can prove the contract signed to a third-party while the other has not yet signed), not secrecy.
Overall, objective 1.5 differs from the other objectives in providing a source of sundry exciting perspectives (other properties, other protocols, other models).
The thrust is on more properties and more realism, while more automation is still a running concern.