DISSERTATION Defense held on 18/11/2013 in Luxembourg to obtain the degree of DOCTEUR DE L'UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE
Author
Abstract
Privacy protection is an important requirement in both everyday life and the Internet. As the Internet is an open network, adversaries can observe and manipulate data flowing over it. To ensure privacy in communications over open networks, cryptographic protocols have been widely used, and proposing such protocols has become a popular research area. However, the design of cryptographic protocols is difficult and error-prone, so verification of such protocols is a necessary step before implementation. Formal analysis has shown its strength in proving or disproving privacy properties of cryptographic protocols, whereas informal verification of cryptographic protocols is not suitable for finding subtle privacy flaws. To formally verify whether a protocol satisfies a property, there are usually three steps: 1) formally model the protocol, 2) formalise the property and 3) decide whether the formalised property is satisfied by the formal model. Depending on the formalisms used to model the protocol and the property, there are various formal approaches. Once a formal approach is chosen, that is, once the first and third steps are determined, one only needs to focus on the second step. In this thesis, we use a formalism called the applied pi calculus. The applied pi calculus provides an intuitive way to model cryptographic protocols. In addition, it is equipped with proof techniques for privacy properties modelled as equivalences of processes. Furthermore, the verification of a protocol modelled in the applied pi calculus is supported by the automatic verification tool ProVerif. Many privacy properties have been proposed, most of which are defined with respect to an adversary controlling the network. Recently, a stronger privacy property was identified in the e-voting domain. This privacy property assumes that the adversary can perform extra actions, namely bribing or coercing voters, to obtain additional information.
To distinguish such strong privacy properties, from here on we refer to them as enforced privacy, capturing the idea that the system enforces privacy even if users try to reveal themselves due to bribery or coercion. Properties such as receipt-freeness and coercion-resistance have been formalised in e-voting to formally verify whether a protocol satisfies enforced privacy. The leading work on formalising enforced privacy in the applied pi calculus is the DKR framework, proposed by Delaune et al. Following studies of enforced privacy in e-voting, protocols ensuring enforced privacy have also been proposed in other domains, such as e-auctions and e-health. However, such protocols have not been …