Probabilistic and Nondeterministic Aspects of Anonymity

Catuscia Palamidessi, INRIA & LIX

Based on joint work with
Mohit Bhargava, IIT New Delhi
Kostas Chatzikokolakis, LIX


Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 2

Plan of the talk

• The concept of anonymity

• Nondeterministic (aka possibilistic) Anonymity

• Example: the Dining Cryptographers

• Limitations of the nondeterministic approach

• The hierarchy of Reiter and Rubin: Beyond Suspicion and Probable Innocence

• Formalization of Beyond Suspicion: Conditional anonymity

• Equivalent formulation for probabilistic users – independence from users’ probabilistic distribution

• Corresponding formulation for nondeterministic users

• Formalization of Probable Innocence


The concept of anonymity

• Goal: to ensure that the identity of the agent involved in a certain action remains secret.

• Some examples of situations in which anonymity may be desirable:
– Electronic elections
– Delation
– Donations
– File sharing

• Some systems:

– Crowds [Reiter and Rubin,1998],

• anonymous communication (anonymity of the sender)

– Onion Routing [Syverson, Goldschlag and Reed, 1997]

• anonymous communication

– Freenet [Clarke et al. 2001]

• anonymous information storage and retrieval


Formal approaches to Anonymity

• Concurrency theory (CSP): Schneider and Sidiropoulos, 1996

• Epistemic logic: Syverson and Stubblebine, 1999; Halpern and O'Neill, 2004

• Function views: Hughes and Shmatikov, 2004

• These approaches are nondeterministic (except Halpern and O'Neill), although many systems, including Crowds, Onion Routing, and Freenet, use randomized primitives


Nondeterministic Anonymity

• We will focus on the "concurrency theory" approach, which started with the work by Schneider and Sidiropoulos, ESORICS 1996

• Systems and protocols for anonymity are described as CSP processes

• Actions for which we want anonymity of the agent are modeled as consisting of two components:
– the action itself, a,
– the identity of the agent performing the action, i,
and are written a(i)

• AnonymousAgs: the agents who want to remain secret

• Given a, define A = { a(i) | i ∈ AnonymousAgs }

• A protocol described as a process P provides anonymity if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables:

ρA( Obs(P) ) = Obs(P)


Nondeterministic Anonymity

• In general, given P, consider the sets:
– A = { a(i) | i ∈ AnonymousAgs } : the actions for which we want anonymity
– B = the actions that are visible to the observers
– C = Actions − (B ∪ A) : the actions we want to hide

[Venn diagram of the action sets A, B and C]

The observables to consider for the anonymity analysis are B ∪ A. In CSP this is obtained by abstracting the system P w.r.t. the actions in C.

Definition: The system is anonymous if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables:

ρA( Obs(P) ) = Obs(P)


Example: The dining cryptographers

• Problem formulated originally by David Chaum, 1988

• The problem:
– Three cryptographers share a meal
– The meal is paid either by the organization (master) or by one of them. The master decides who pays
– Each of the cryptographers is informed by the master whether or not he has to pay

• Goal:
– The cryptographers would like to make known whether the meal is being paid by the master or by one of them, but without revealing who among them, if any, is paying. They cannot involve the master


The dining cryptographers

[Figure: the Master connected to Crypt(0), Crypt(1) and Crypt(2); the edge to each cryptographer i carries the actions Pays(i) / Notpays(i)]


The dining cryptographers: a nondeterministic solution

• Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers.

• The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.

• Each cryptographer examines the two adjacent coins:
– if he is not paying, he announces "agree" if the results are the same, and "disagree" otherwise;
– if he is paying, he says the opposite.


The dining cryptographers

[Figure: the previous diagram with Coin(0), Coin(1) and Coin(2) placed between adjacent cryptographers; each cryptographer observes the two adjacent coins (look actions, e.g. look02) and then announces agree or disagree (e.g. agree1 / disagree1); the Master still sends Pays(i) / Notpays(i)]


The dining cryptographers: properties of the solution

Proposition 1: if the number of "disagree" is even, then the master is paying. Otherwise, one of them is paying.

Proposition 2 (Anonymity): in the latter case, if the coins are fair then the non-paying cryptographers and the external observers will not be able to deduce who is paying.


The dining cryptographers - Automatic verification

• Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP and FDR.

– The protocol: a system P of parallel CSP processes (master, cryptographers, coins)
– A (anonymous actions): pays(0), pays(1), pays(2)
– B (observable actions):
  • for an external observer: agree0, disagree0, …, disagree2
  • for cryptographer Crypt(0): agree0, disagree0, …, disagree2, look00, look10
– C (hidden actions): the other results of the coins: look_ij
– Observables: all traces of P abstracting from C

• For every permutation ρ on A, we have

ρ( Obs(P) ) = Obs(P)
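The check above, carried out by enumeration rather than with FDR, as an added example (this is not code from the talk nor the CSP scripts of Schneider and Sidiropoulos). It builds Obs(P) for the three-cryptographer protocol, abstracts the hidden actions in C, and tests ρA(Obs(P)) = Obs(P) for every permutation ρA of A, following the definition of the two "Nondeterministic Anonymity" slides. Assumed conventions that the slides do not fix: cryptographer i looks at coins i and (i+1) mod 3, look_ij denotes cryptographer j looking at coin i, and a trace is pays(x) followed by the announcements. One caveat the slide leaves implicit: when the observer is cryptographer k, the permutation must range over the other two payers, since k trivially knows whether he himself pays.

```python
"""Nondeterministic (possibilistic) anonymity of the dining cryptographers.

Added example, not the talk's own material.  Every execution of the protocol
is enumerated, the coin observations the observer cannot see are dropped
(set C), and the resulting set Obs(P) is checked for invariance under every
permutation of the anonymous actions A = {pays(0), pays(1), pays(2)}.
"""
from itertools import permutations, product

N = 3
PAYS = tuple(f"pays({i})" for i in range(N))  # the anonymous actions A
MASTER = "pays(master)"                         # the "nobody among them pays" case


def announcements(payer, coins):
    """agree_i / disagree_i for each cryptographer i; the payer (None = master) flips his answer."""
    out = []
    for i in range(N):
        same = coins[i] == coins[(i + 1) % N]      # assumed adjacency: coins i and i+1
        agree = same if payer != i else not same
        out.append(f"agree{i}" if agree else f"disagree{i}")
    return tuple(out)


def observables(observer=None):
    """Obs(P): the traces of P with the hidden actions in C abstracted away.

    observer=None is the external observer, who sees only the announcements;
    observer=k is cryptographer k, who also sees the two coins next to him.
    """
    obs = set()
    for payer in list(range(N)) + ["master"]:
        for coins in product("HT", repeat=N):
            trace = [f"pays({payer})"]
            trace += announcements(None if payer == "master" else payer, coins)
            if observer is not None:                # look_ij actions stay visible to k
                for coin in (observer, (observer + 1) % N):
                    trace.append(f"look{coin}{observer}={coins[coin]}")
            obs.add(tuple(trace))
    return obs


def is_anonymous(obs, anonymous_actions):
    """rho_A(Obs(P)) == Obs(P) for every permutation rho_A of anonymous_actions."""
    for image in permutations(anonymous_actions):
        rho = dict(zip(anonymous_actions, image))
        if {tuple(rho.get(e, e) for e in t) for t in obs} != obs:
            return False
    return True


def master_pays(trace):
    """Proposition 1: an even number of 'disagree' announcements means the master pays."""
    return sum(e.startswith("disagree") for e in trace) % 2 == 0


if __name__ == "__main__":
    ext = observables()
    print("external observer, A = all three payers:", is_anonymous(ext, PAYS))
    for k in range(N):
        # a cryptographer cannot be anonymous to himself, so A excludes pays(k)
        others = tuple(p for i, p in enumerate(PAYS) if i != k)
        print(f"Crypt({k}), A = the other two payers:", is_anonymous(observables(k), others))
    print("Proposition 1 holds on every trace:",
          all(master_pays(t) == (t[0] == MASTER) for t in ext))
```

Running it prints True for the external observer and for each cryptographer against the other two; asking whether Crypt(k) is anonymous with respect to the full set A returns False, which is the expected failure and not a flaw in the protocol. Nothing here involves probabilities: a trace either is or is not in Obs(P), which is exactly why the next slides argue that this notion is too weak.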


Limitations of the nondeterministic approach

• The nondeterministic components may be produced by random devices (nondeterministic coin → random coin)

• An observer may deduce probabilistic info about the system from the probability distribution of the devices.

• The probability distribution of the devices may be inferred statistically by repeating the observations

• The leakage of probabilistic info is not captured by the nondeterministic formulation


Limitations of the nondeterministic approach

• Example. Suppose that we observe with high frequency one of the following results. What can we infer from them?

[Figure: three announcement configurations (a = agree, d = disagree) observed most often, each drawn over the coin outcomes H, H, T with the payer marked p]

• We can deduce that the coins are biased, and how

• Therefore we can probabilistically guess who is the payer

• This breach in anonymity is not detected by the nondeterministic approach (as long as the fourth possible configuration appears, from time to time). In a sense the nondeterministic notion of anonymity is too weak.


Reiter and Rubin's hierarchy

• By introducing probabilities we can distinguish different levels of strength

• Example: Crowds [Reiter and Rubin, 1998]
– a system designed to provide anonymity of the originator of a message
– the originator sends the message to another user selected randomly, who in turn forwards the message to another user, and so on, until the message reaches its destination

[Figure: originator, sender, observer and destination along a Crowds forwarding path]

• Reiter and Rubin proposed the following (informal) hierarchy:
– Beyond suspicion: from the point of view of the observer, the sender appears no more likely than any other agent to be the originator
– Probable innocence: … the sender appears no more likely to be the originator than not to be
– Possible innocence: … there is a non-trivial probability that the sender is not the originator

• Reiter and Rubin proved "probable innocence" of Crowds under certain conditions.

• In the nondeterministic approach the hierarchy collapses at the lowest level


• The rest of this talk is dedicated to generalizing and formalizing the notions of probabilistic anonymity. In particular, “beyond suspicion” and “probable innocence”

• We describe the random mechanisms of the protocol probabilistically. The users may be probabilistic or nondeterministic

• We use (a simplified form of) Segala and Lynch’s probabilistic automata, which can represent both probabilistic and nondeterministic behavior


Fully probabilistic automata

[Figure: a tree whose edges are labelled with probabilities (1/2, 1/3, 2/3, …) and with the actions a, b, c]

• Observable actions: a, b, c

• Execution: a path from the root to a leaf

• Probability of an execution: the product of the probabilities on the edges

• Event: a set of executions

• Probability of an event: the sum of the probabilities of the executions

• Examples:
– The event c has probability p(c) = 1/2 + 1/6 = 2/3
– The event ab has probability p(ab) = 1/6 + 1/18 = 2/9

(Simplified) Probabilistic Automata

• White nodes: nondeterministic; green nodes: probabilistic

• Scheduler ς: a function that associates to each nondeterministic node one of its successors

• Etree(ς): the fully probabilistic automaton obtained by pruning the tree of the choices not selected by ς

• p_ς(o) = the probability of the event o under ς

[Figure, animated over five slides: a tree whose root is a nondeterministic node with two probabilistic subtrees, edges labelled 1/2, 1/2, 1/3, 1/3, 1/3, 1/3, 2/3, 1/2, 1/2, and leaves labelled a; the animation shows the pruning performed by two different schedulers]

• Example: under the scheduler that keeps the left subtree, p_ς(a) = 1/4 (the product 1/2 · 1/2 along the surviving path to a); under the scheduler that keeps the right subtree, p_ς(a) = 1/9 (1/3 · 1/3). The probability of an event thus depends on the scheduler.
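The model of the last two slides, as an added example (not code from the talk): a tree whose nodes are either probabilistic or nondeterministic, a scheduler that resolves every nondeterministic node it reaches, the pruned tree Etree(ς), and p_ς(o) for an event o given as a predicate on the action sequence of an execution. Both trees are constructed for this example, not taken from the figures: the first is built so that it reproduces the two values p(c) = 2/3 and p(ab) = 2/9 quoted on the "Fully probabilistic automata" slide, the second so that two schedulers give the p_ς(a) = 1/4 and p_ς(a) = 1/9 of the animation; it additionally has a second nondeterministic node "n1", so that a third scheduler shows how the same event gets yet another probability.

```python
"""Simplified probabilistic automata with schedulers (after Segala and Lynch).

Added example; the trees T1 and T2 are constructed here and are not the ones
drawn in the talk.  A probabilistic node carries (action, probability, subtree)
edges; a nondeterministic node carries named children and is resolved by a
scheduler, a dict mapping the node's name to the index of the chosen child.
"""
from fractions import Fraction as F


def prob(edges):
    """Probabilistic (green) node: edges are (action, probability, subtree); None is a leaf."""
    assert sum(p for _, p, _ in edges) == 1, "edge probabilities must sum to 1"
    return {"kind": "prob", "edges": edges}


def nondet(name, children):
    """Nondeterministic (white) node: the scheduler picks one of `children` by `name`."""
    return {"kind": "nondet", "name": name, "children": children}


def executions(node, scheduler, trace="", weight=F(1)):
    """All (action sequence, probability) pairs of Etree(scheduler), i.e. of the
    fully probabilistic tree left after pruning every nondeterministic choice the
    scheduler did not select.  The scheduler must cover every white node reached."""
    if node is None:                                   # a leaf closes one execution
        return [(trace, weight)]
    if node["kind"] == "nondet":
        chosen = node["children"][scheduler[node["name"]]]
        return executions(chosen, scheduler, trace, weight)
    out = []
    for action, p, child in node["edges"]:             # product of edge probabilities
        out.extend(executions(child, scheduler, trace + action, weight * p))
    return out


def probability(node, event, scheduler=None):
    """p_scheduler(event): the sum over the executions that belong to the event."""
    return sum(w for trace, w in executions(node, scheduler or {}) if event(trace))


def has_a(trace):
    return "a" in trace


def has_c(trace):
    return "c" in trace


def has_ab(trace):
    return "ab" in trace


# Constructed fully probabilistic tree: executions c (1/2), ab (1/6), ac (1/6),
# aab (1/18) and aaa (1/9), chosen so that p(c) = 2/3 and p(ab) = 2/9.
T1 = prob([
    ("c", F(1, 2), None),
    ("a", F(1, 2), prob([
        ("b", F(1, 3), None),
        ("c", F(1, 3), None),
        ("a", F(1, 3), prob([("b", F(1, 3), None), ("a", F(2, 3), None)])),
    ])),
])

# Constructed tree with white nodes "root" and "n1"; a scheduler must resolve both
# if its choice at "root" leads to "n1".
T2 = nondet("root", [
    prob([("b", F(1, 2), prob([("a", F(1, 2), None), ("c", F(1, 2), None)])),
          ("c", F(1, 2), None)]),
    prob([("b", F(1, 3), prob([("a", F(1, 3), None), ("c", F(2, 3), None)])),
          ("c", F(1, 3), None),
          ("b", F(1, 3), nondet("n1", [prob([("a", F(1), None)]),
                                      prob([("c", F(1), None)])]))]),
])

if __name__ == "__main__":
    print("T1: p(c) =", probability(T1, has_c), " p(ab) =", probability(T1, has_ab))
    print("T2: p(a) under {root: 0}        =", probability(T2, has_a, {"root": 0}))
    print("T2: p(a) under {root: 1, n1: 1} =", probability(T2, has_a, {"root": 1, "n1": 1}))
    print("T2: p(a) under {root: 1, n1: 0} =", probability(T2, has_a, {"root": 1, "n1": 0}))
```

The three schedulers for T2 give 1/4, 1/9 and 4/9 for the same event a, which is the reason the later definitions for nondeterministic users quantify over schedulers rather than speak of "the" probability of an observable. Using Fraction instead of float keeps the equalities in those definitions exact.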


Notation and assumptions

• Conditional probability: p(x | y) = p(x and y) / p(y)

• Events:
– a(i) : user i has performed the anonymous action a
– a = ∪_i a(i) : the anonymous action a has been performed
– o = b1 … bn : the observable actions b1, …, bn have been performed

• We assume:
– The a(i)'s form a partition of a
– Each observable event o implies either a or not a


Formalization of anonymity: first attempt

The immediate interpretation of the notions of Reiter and Rubin:

• Beyond suspicion:
Forall i, j, o . p(a(i) | o) = p(a(j) | o)

• Probable innocence:
Forall i, o . p(a(i) | o) < p(not a(i) | o)

• Possible innocence:
Forall i, o . p(a(i) | o) < 1

However:
– These notions do not apply to nondeterministic users
– They depend on the probability distribution of the users
– We expect "beyond suspicion" to hold for the Dining Cryptographers with fair coins, and "probable innocence" to hold for Crowds, but the above notions (in general) don't hold


Formalization of “beyond suspicion”

• The property which has been proved by Chaum for the dining cryptographers with probabilistic users and probabilistic fair coins is:

Forall i, o . p(a(i) | o) = p(a(i) | a)

• Namely: the observation of o does not add anything to the knowledge of the probability of a(i), except that the action a has been performed.

• This is similar to the property called conditional anonymity by Halpern and O'Neill

• Problems:
– In general it may depend on the probability distribution of the users
– Not applicable to nondeterministic users


Formalization of "beyond suspicion"

• Proposition:

Forall i, o . if o implies a then p(a(i) | o) = p(a(i) | a) (*)

is equivalent to

Forall i, j, o . if p(a(i)) > 0 and p(a(j)) > 0 then p(o | a(i)) = p(o | a(j)) (**)

• Proposition: if the choice of the a(i)'s is done only once, then the formula (**) does not depend on the probability distribution of the a(i)'s

• The corresponding definition, for nondeterministic users, with ς and ς' ranging over schedulers:

Forall i, j, o . if ς selects a(i) and ς' selects a(j), then p_ς(o) = p_ς'(o) (***)

• Proposition: (***) is satisfied by the dining cryptographers with fair coins and nondeterministic users (master)

Independence from the probability distribution of the a(i)'s

[Figure: a tree whose root chooses a(1), a(2), a(3) or "not a" with probabilities p1, p2, p3, p; below each a(i) the observable o is produced with the same probability q]

p(o | a(i)) = p(o and a(i)) / p(a(i)) = q p_i / p_i = q = p(o | a(j))

Nondeterministic users

[Figure: the same tree, with the choice at the root made by the scheduler instead of by a probability distribution; below each a(i) the observable o is again produced with probability q]

p_ς(o) = q = p_ς'(o)
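The two formulations (*) and (**), and the leak of the "Limitations" example, computed on the dining cryptographers with coins of adjustable bias. This is an added example, not code from the talk. For each payer i it tabulates p(o | a(i)), the distribution of the announcement vector o given that i pays; (**) holds iff these rows coincide, and for the nondeterministic master of (***) the row for i is exactly p_ς(o) under the scheduler ς that makes the master select a(i). Bayes' rule with a constructed, deliberately non-uniform prior over the four possible payers (the three cryptographers and the master) then checks (*): for every o that implies a, p(a(i) | o) must equal p(a(i)) / p(a). Adjacency is assumed as before (cryptographer i looks at coins i and (i+1) mod 3) and the master is payer None.

```python
"""Probabilistic anonymity of the dining cryptographers: fair versus biased coins.

Added example, not the talk's own material.  Exact arithmetic with Fraction,
so that the equalities of (*) and (**) are tested exactly, not approximately.
"""
from fractions import Fraction
from itertools import product

N = 3
PAYERS = (0, 1, 2, None)           # None: the master pays, i.e. the event "not a"
FAIR = Fraction(1, 2)              # p(H) of a fair coin
LOADED = Fraction(9, 10)           # constructed bias: the coins of the "Limitations" slide
PRIOR = (Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 8))  # constructed p(PAYERS[k] pays)


def announcements(payer, coins):
    """Observable o: True = agree_i, False = disagree_i; the payer flips his answer."""
    return tuple((coins[i] == coins[(i + 1) % N]) != (payer == i) for i in range(N))


def p_o_given_payer(payer, bias):
    """p(o | a(payer)) for every o, summing over the coin outcomes that produce o."""
    dist = {}
    for coins in product("HT", repeat=N):
        weight = Fraction(1)
        for c in coins:
            weight *= bias if c == "H" else 1 - bias
        o = announcements(payer, coins)
        dist[o] = dist.get(o, Fraction(0)) + weight
    return dist


def beyond_suspicion(bias):
    """Formulation (**): p(o | a(i)) = p(o | a(j)) for every o and all i, j in A."""
    rows = [p_o_given_payer(i, bias) for i in range(N)]
    return all(row == rows[0] for row in rows[1:])


def posterior(prior, bias):
    """Bayes' rule: p(a(i) | o) for each o that can occur, prior[k] = p(PAYERS[k] pays)."""
    rows = [p_o_given_payer(x, bias) for x in PAYERS]
    post = {}
    for o in set().union(*rows):
        joint = [prior[k] * rows[k].get(o, Fraction(0)) for k in range(len(PAYERS))]
        p_o = sum(joint)
        if p_o:
            post[o] = tuple(j / p_o for j in joint)
    return post


def conditional_anonymity(prior, bias):
    """Formulation (*): for every o implying a, p(a(i) | o) = p(a(i) | a) = p(a(i)) / p(a)."""
    p_a = sum(prior[:N])
    for o, post in posterior(prior, bias).items():
        if sum(not agree for agree in o) % 2 == 0:    # even 'disagree': o implies not a
            continue
        if any(post[i] != prior[i] / p_a for i in range(N)):
            return False
    return True


if __name__ == "__main__":
    for name, bias in (("fair", FAIR), ("loaded", LOADED)):
        print(f"{name} coins: (**) holds = {beyond_suspicion(bias)},"
              f" (*) holds = {conditional_anonymity(PRIOR, bias)}")
    # with loaded coins a single observation already points at a payer
    for o, post in sorted(posterior(PRIOR, LOADED).items()):
        print("".join("a" if x else "d" for x in o), [str(p) for p in post])
```

With fair coins every row p(o | a(i)) is the uniform 1/4 over the four odd-parity announcement vectors, so (**) holds and the posterior p(a(i) | o) is just the prior renormalised to a, whatever the prior; this is the independence argument of the figure above, with q = 1/4. With the loaded coins the rows differ, and for the vector "daa" the posterior puts probability 292/319 on cryptographer 0 under the constructed prior: the bias alone, observed often enough, identifies the payer, which the possibilistic check cannot see because every vector still occurs for every payer.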


Formalization of "probable innocence" (ongoing work)

We assume here that a is always performed

Probabilistic users:

Forall i, o . if p(a(i)) > 0 and p(a(i)) < 1 then p(o | a(i)) < p(o | not a(i))

Nondeterministic users (ς and ς' ranging over schedulers):

Forall i, o . if ς selects a(i) and ς' does not select a(i), then p_ς(o) < p_ς'(o)

• In the case of Crowds, this property corresponds to the one which has been effectively proved by Reiter and Rubin


Conclusion

• Notion of probabilistic anonymity
– Probabilistic users: conditional probability
– Nondeterministic users: scheduler
– Beyond suspicion and probable innocence

• Application to the examples of the Dining Cryptographers and Crowds