Lucca Hirschi, a new researcher within the Pesto team

Originally from Romandie in Switzerland, Lucca has always had a particular flair for mathematics. After completing his schooling in Avignon, he took his classes préparatoires(an intensive foundation degree) in science in Lyon before going on to pursue his thesis at the École Normale Supérieure in Cachan. There, he studied “the development and the application of formal methods used to verify cryptographic protocols, as well as mathematical modelling for information privacy”.  In other words, Lucca’s work was focused on strengthening privacy in the digital world, including online. He developed algorithms and tools that could be used to verify whether or not certain properties, including anonymity and non-traceability, were being effectively and accurately respected. His work was then applied to industrial case studies, including one involving electronic passports.

On 1st January 2019, following a postdoc at ETH Zurich, Lucca joined the Inria Nancy - Grand Est project team Pesto, a team set up to develop models and techniques capable of analysing the security of cryptographic protocols. The overarching objective is to protect confidentiality, anonymity and authentication for communications involving data and individuals. 

What does your research project involve?

What I enjoy more than anything else is combining theoretical research with real practical applications. I design, for example, mathematical models of attackers from whom we must defend ourselves, and privacy, which is what we need to protect, in order to then be able to develop algorithms capable of verifying properties such as the ones outlined above. I then make sure that current privacy protection systems are able to hold out against my model attackers. Systematising this approach enables me to assess the security levels of communicating systems.

Could you tell us a bit more about your current research work?

I’m interested in mobile phone protocols (e.g. 5G) and the impact they have on privacy, as well as electronic voting protocols and quantum protocols. My focus is always on the question of mathematical modelling when it comes to privacy protection and the methods used to verify this in practice.

I have recently been focused more specifically on two projects centred around privacy in the context of mobile phone communication:

• The first concerns security breaches in 5G mobile technology , work undertaken in collaboration with ETH Zurich (Switzerland) during my postdoc, the University of Dundee (Scotland) and with Jannik Dreier, a lecturer and member of the Pesto team.

What happens when you switch on your phone? The first thing that happens is that a whole host of security protocols exchange messages with antennae in the surrounding area in a way that is completely transparent for users. One of the most important protocols is the one used to ensure that the phone is communicating with the antenna of its operator, in addition to ensuring that the network recognises the phone in the interests of fair billing. 

In order to assess the security of this protocol, we began with the international specifications published by 3GPP* (3rd Generation Partnership Project, https://www.3gpp.org/about-3gpp), and were able to demonstrate that the protocol was not fulfilling its duties. Phones sometimes unknowingly establish contact with the wrong antenna, for example.

• The second project was focused on the impact this same protocol has on privacy. It was widely known that this protocol in 3G and 4G had been targeted by attacks from IMSI-catchers (monitoring devices that can be used to pinpoint the location of phones by simulating fake relay antennae). 3GPP were able to resolve this problem using 5G technology.

Unfortunately, we also revealed a new attack violating privacy that affected all networks, from 3G to 5G: there is a breach that allows malicious users to access the activity of phones in the surrounding area and to obtain their phone usage profile.

All of these research results, which have been presented at conferences and covered in the media (ZDnet, The Register, Forbes, NextInpact, EFF, Temps des affaires internationales, Silicon.de., etc.) prove that there remain a number of different security breaches in mobile communication. These could have serious consequences if they are not corrected, not only for the privacy of users but for the very way in which these phone networks operate (identity theft, for example).

Plenty of work for Lucca to be getting on with then! Fingers crossed he’ll also be able to find a bit of spare time for his hobbies, climbing, skiing and mountaineering.

Welcome to Inria!

This work was awarded the 2018 security GDR (Groupement de Recherche) thesis prize.