Date post: | 17-Jan-2016 |
Probabilistic and Nondeterministic Aspects of Anonymity
Catuscia Palamidessi, INRIA & LIX
Based on joint work with
Mohit Bhargava, IIT New Delhi
Kostas Chatzikokolakis, LIX
Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 2
Plan of the talk
• The concept of anonymity
• Nondeterministic (aka possibilistic) Anonymity
• Example: the Dining Cryptographers
• Limitations of the nondeterministic approach
• The hierarchy of Reiter and Rubin
– Beyond Suspicion and Probable Innocence
• Formalization of Beyond Suspicion: Conditional anonymity
• Equivalent formulation for probabilistic users
– independence from the users’ probabilistic distribution
• Corresponding formulation for nondeterministic users
• Formalization of Probable Innocence
The concept of anonymity
• Goal:
– To ensure that the identity of the agent involved in a certain action remains secret.
• Some examples of situations in which anonymity may be desirable:
– Electronic elections
– Delation
– Donations
– File sharing
• Some systems:
– Crowds [Reiter and Rubin, 1998]
• anonymous communication (anonymity of the sender)
– Onion Routing [Syverson, Goldschlag and Reed, 1997]
• anonymous communication
– Freenet [Clarke et al., 2001]
• anonymous information storage and retrieval
Formal approaches to Anonymity
• Concurrency Theory (CSP)
– Schneider and Sidiropoulos, 1996
• Epistemic Logic
– Syverson and Stubblebine, 1999
– Halpern and O’Neill, 2004
• Function views
– Hughes and Shmatikov, 2004
• These approaches are nondeterministic (except Halpern and O’Neill), although many systems, including Crowds, Onion Routing, and Freenet, use randomized primitives
Nondeterministic Anonymity
• We will focus on the “Concurrency theory” approach, which started with the work by Schneider and Sidiropoulos, ESORICS 1996
• Systems and protocols for anonymity are described as CSP processes
• Actions for which we want anonymity of the agent are modeled as consisting of two components:
– the action itself, a
– the identity of the agent performing the action, i
written a(i)
• AnonymousAgs: the agents who want to remain secret
• Given an action a, define A = { a(i) | i ∈ AnonymousAgs }
• A protocol described as a process P provides anonymity if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables:
ρA( Obs(P) ) = Obs(P)
Nondeterministic Anonymity
• In general, given P, consider the sets:
– A = { a(i) | i ∈ AnonymousAgs } : the actions for which we want anonymity
– B = the actions that are visible to the observers
– C = Actions – (B ∪ A) : the actions we want to hide
[Figure: Venn diagram of the action sets A, B and C]
• The observables to consider for the anonymity analysis are B ∪ A. In CSP this is obtained by abstracting the system P wrt the actions in C.
• Definition: the system is anonymous if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables:
ρA( Obs(P) ) = Obs(P)
Example: The dining cryptographers
• Problem formulated originally by David Chaum, 1988
• The Problem:
– Three cryptographers share a meal
– The meal is paid either by the organization (master) or by one of them. The master decides who pays
– Each of the cryptographers is informed by the master whether or not he has to pay
• GOAL:
– The cryptographers would like to make known whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master
The dining cryptographers
[Figure: the Master connected to Crypt(0), Crypt(1) and Crypt(2); the edge to Crypt(0) is labelled Pays(0)/Notpays(0)]
The dining cryptographers: a nondeterministic solution
• Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers.
• The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.
• Each cryptographer examines the two adjacent coins
– If he is not paying, he announces “agree” if the results are the same, and “disagree” otherwise.
– If he is paying, he says the opposite
The dining cryptographers
[Figure: Crypt(0), Crypt(1), Crypt(2) in a ring with Coin(0), Coin(1), Coin(2) between adjacent pairs; the Master sends Pays(0)/Notpays(0); coin observations are labelled look_ij (e.g. look02) and announcements agree_i/disagree_i (e.g. agree1/disagree1)]
The dining cryptographers: properties of the solution
Proposition 1: if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying.
Proposition 2 (Anonymity): In the latter case, if the coins are fair then the non-paying cryptographers and the external observers will not be able to deduce who is paying.
The dining cryptographers: automatic verification
• Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP and FDR.
– The protocol: system P of parallel CSP processes (master, cryptographers, coins)
– A (anonymous actions): pays(0), pays(1), pays(2)
– B (observable actions):
• For an external observer: agree0, disagree0, …, disagree2
• For cryptographer Crypt(0): agree0, disagree0, …, disagree2, look00, look10
– C (hidden actions): the other results of coins: look i j
– Observables: all traces of P abstracting from C
• For every permutation ρ on A, we have
ρ( Obs(P) ) = Obs(P)
Limitations of the nondeterministic approach
• The nondeterministic components may be produced by random devices
– a nondeterministic coin is, in practice, a random coin
• An observer may deduce probabilistic info about the system from the probability distribution of the devices.
• The probability distribution of the devices may be inferred statistically by repeating the observations
• The leakage of probabilistic info is not captured by the nondeterministic formulation
Limitations of the nondeterministic approach
• Example. Suppose that we observe with high frequency one of the following results. What can we infer from them?
[Figure: three frequently observed announcement patterns (a = agree, d = disagree) together with the coin outcomes (H/T) and the probabilities p that produce them]
• We can deduce that the coins are biased, and how
• Therefore we can probabilistically guess who is the payer
• This breach in anonymity is not detected by the nondeterministic approach (as long as the fourth possible configuration appears, from time to time). In a sense the nondeterministic notion of anonymity is too weak.
Reiter and Rubin’s hierarchy
• By introducing probabilities we can distinguish different levels of strength
• Example: Crowds [Reiter and Rubin 98]
– a system designed to provide the anonymity of the originator of a message.
– The originator sends the message to another user selected randomly, who in turn forwards the message to another user, and so on, until the message reaches its destination.
[Figure: a Crowds path: originator, sender, observer, destination]
• Reiter and Rubin proposed the following (informal) hierarchy
– Beyond suspicion: from the point of view of the observer, the sender appears no more likely than any other agent to be the originator
– Probable innocence: … the sender appears no more likely to be the originator than not to be
– Possible innocence: … there is a non-trivial probability that the sender is not the originator
• Reiter and Rubin proved “probable innocence” of Crowds under certain conditions.
• In the nondeterministic approach the hierarchy collapses at the lowest level
• The rest of this talk is dedicated to generalizing and formalizing the notions of probabilistic anonymity. In particular, “beyond suspicion” and “probable innocence”
• We describe the random mechanisms of the protocol probabilistically. The users may be probabilistic or nondeterministic
• We use (a simplified form of) Segala and Lynch’s probabilistic automata, which can represent both probabilistic and nondeterministic behavior
Fully probabilistic automata
[Figure: a fully probabilistic tree whose edges are labelled with the actions a, b, c and with probabilities (1/2, 1/3, 2/3, ...)]
• Observable actions: a, b, c
• Execution: a path from the root to a leaf
• Probability of an execution: the product of the probabilities on the edges
• Event: a set of executions
• Probability of an event: the sum of the probabilities of the executions
• Examples:
– The event c has probability p(c) = 1/2 + 1/6 = 2/3
– The event ab has probability p(ab) = 1/6 + 1/18 = 2/9
(Simplified) Probabilistic Automata
• White nodes: nondeterministic; green nodes: probabilistic
• Scheduler: a function that associates to each nondeterministic node a node among its successors
• Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by the scheduler s
• p_s(o) = the probability of the event o under the scheduler s
[Figure: a tree mixing nondeterministic and probabilistic nodes, with edge probabilities 1/2, 1/3, 2/3 and leaves labelled a; the following slides show the pruned trees Etree(s) for two different schedulers]
• For the first scheduler shown (edges 1/2, 1/2): p_s(a) = 1/4
• For the second scheduler shown (edges 1/3, 1/3): p_s(a) = 1/9
Notation and assumptions
• Conditional probability: p(x | y) = p(x and y) / p(y)
• Events:
– a(i) : user i has performed anonymous action a
– a = ∪_i a(i) : anonymous action a has been performed
– o = b1…bn : observable actions b1, …, bn have been performed
• We assume
– The a(i)’s form a partition of a
– Each observable event o implies either a or not a
Formalization of anonymity: first attempt
The immediate interpretation of the notions of Reiter and Rubin:
• Beyond suspicion:
Forall i, j, o . p(a(i) | o) = p(a(j) | o)
• Probable innocence:
Forall i, j, o . p(a(i) | o) < p(not a(i) | o)
• Possible innocence:
Forall i, j, o . p(a(i) | o) < 1
However:
– These notions do not apply for nondeterministic users
– They depend on the probability distribution of the users
– We expect “beyond suspicion” to hold for the Dining Cryptographers with fair coins, and “probable innocence” to hold for Crowds, but the above notions (in general) don’t hold
Formalization of “beyond suspicion”
• The property which has been proved by Chaum for the dining cryptographers with probabilistic users and probabilistic fair coins is:
Forall i, j, o . p(a(i) | o) = p(a(i) | a)
• Namely: the observation of o does not add anything to the knowledge of the probability of a(i), except that the action a has been performed.
• This is similar to the property called conditional anonymity by Halpern and O’Neill
• Problems:
– In general it may depend on the probability distribution of the users
– Not applicable for nondeterministic users
Formalization of “beyond suspicion”
• Proposition:
Forall i, j, o . if o implies a then p(a(i) | o) = p(a(i) | a) (*)
is equivalent to
Forall i, j, o . if p(a(i)) > 0 and p(a(j)) > 0 then p(o | a(i)) = p(o | a(j)) (**)
• Proposition: if the choice of the a(i)’s is done only once, then the formula (**) does not depend on the probability distribution of the a(i)’s
• The corresponding definition, for nondeterministic users (s and d range over schedulers):
Forall i, j, o . if s selects a(i) and d selects a(j), then p_s(o) = p_d(o) (***)
• Proposition: (***) is satisfied by the dining cryptographers with fair coins and nondeterministic users (master)
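The three-cryptographer protocol of the preceding slides worked through exactly, as an added example that is not part of the talk: it checks Proposition 1 (parity of the “disagree” announcements), condition (**) for fair versus biased coins (the leak that the nondeterministic formulation misses), and the posterior p(a(i) | o) of condition (*). The coin placement, the bias value and the prior over payers are constructed assumptions.

```python
from fractions import Fraction
from itertools import product

N = 3                      # three cryptographers, as in Chaum's setting
FAIR = Fraction(1, 2)      # p(heads) of a fair coin
BIASED = Fraction(1, 3)    # constructed bias for the "limitations" scenario
EXAMPLE_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}  # constructed prior, given a

def announcements(payer, coins):
    """One round of the protocol. Assumed layout: Coin(k) lies between Crypt(k-1)
    and Crypt(k), so Crypt(i) sees coins i and i+1 (mod N). Returns the string of
    announcements, 'a' = agree, 'd' = disagree; payer=None means the master pays."""
    out = []
    for i in range(N):
        same = coins[i] == coins[(i + 1) % N]
        says_agree = same if payer != i else not same   # the payer inverts
        out.append("a" if says_agree else "d")
    return "".join(out)

def master_pays(obs):
    """Proposition 1: an even number of 'disagree' means the master pays."""
    return obs.count("d") % 2 == 0

def obs_distribution(payer, p_heads):
    """p(o | a(payer)) for every observable o, computed exactly by summing
    the joint coin distribution over all 2^N coin outcomes."""
    dist = {}
    for coins in product((0, 1), repeat=N):
        pr = Fraction(1)
        for c in coins:
            pr *= p_heads if c == 1 else 1 - p_heads
        o = announcements(payer, coins)
        dist[o] = dist.get(o, Fraction(0)) + pr
    return dist

def beyond_suspicion(p_heads):
    """Condition (**): p(o | a(i)) == p(o | a(j)) for all observables o and all
    pairs of payers i, j. Holds for fair coins, fails for biased ones."""
    dists = [obs_distribution(i, p_heads) for i in range(N)]
    observables = set().union(*dists)
    return all(dists[i].get(o, 0) == dists[j].get(o, 0)
               for o in observables for i in range(N) for j in range(N))

def posterior(prior, p_heads, o):
    """p(a(i) | o) by Bayes' rule from a prior over payers. With fair coins it
    equals the prior for every o, which is exactly condition (*)."""
    joint = {i: prior[i] * obs_distribution(i, p_heads).get(o, Fraction(0)) for i in prior}
    total = sum(joint.values())
    return {i: pr / total for i, pr in joint.items()}
```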
Independence from the probability distribution of the a(i)’s
[Figure: a tree whose root branches to a(1), a(2), a(3) and not a with probabilities p1, p2, p3 and p; from each a(i) the observable o is reached with probability q]
p(o | a(i)) = p(o and a(i)) / p(a(i)) = q pi / pi = q = p(o | a(j))
Nondeterministic users
[Figure: a tree whose root is a nondeterministic choice among a(1), a(2), a(3) and not a; from each a(i) the observable o is reached with probability q]
p_s(o) = q = p_d(o)
Formalization of “probable innocence” (ongoing work)
We assume here that a is always performed
Probabilistic users:
Forall i, j, o . if p(a(i)) > 0 and p(a(i)) < 1 then p(o | a(i)) < p(o | not a(i))
Nondeterministic users:
Forall i, j, o . if s selects a(i) and d does not select a(i) then p_s(o) < p_d(o)
• In the case of Crowds, this property corresponds to the one which has been effectively proved by Reiter and Rubin
Conclusion
• Notion of probabilistic anonymity
– Probabilistic users: conditional probability
– Nondeterministic users: scheduler
– Beyond suspicion and probable innocence
• Application to the examples of the Dining Cryptographers and Crowds