1 / 22

Probabilistic Anonymity

Probabilistic Anonymity. Mohit Bhargava, IIT New Delhi. Catuscia Palamidessi, INRIA Futurs & LIX. Plan of the talk. • The concept of anonymity • Anonymity and nondeterminism • Example: the Dining Cryptographers • Conditional probability • Anonymity and randomization

bever
Télécharger la présentation

Probabilistic Anonymity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX

  2. Plan of the talk • The concept of anonymity • Anonymity and nondeterminism • Example: the Dining Cryptographers • Conditional probability • Anonymity and randomization • The randomized Dining Cryptographers • Analysis and verification in probabilistic π- calculus • Generalized D.C. • Conclusion 2 LIX, 25 January 2005 Probabilistic Anonymity

  3. The concept of anonymity • Goal: – To ensure that a certain part of an information becomes public while another part of it remains secret. – Typically, what we want to maintain secret is the identity of the agent involved • Examples: – Electronic elections – Delation • We will consider the case of in which the information to make public is whether or not a certain event has taken place, and the information to hide is the identity of the agent performing that event 3 LIX, 25 January 2005 Probabilistic Anonymity

  4. Anonymity and nondeterminism (1/2) • Work by Schneider and Sidiropoulos, ESORICS 1996 • Events are modeled as consisting of two components: the event itself, x, and the identity of the agent performing the event, a ax • AnonyAgs: the agents who want to remain secret • Given x, define A = {ax | a  AnonyAgs } • A protocol described as a process P provides anonymity if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables ρA(Obs(P)) = Obs(P) 4 LIX, 25 January 2005 Probabilistic Anonymity

  5. Anonymity and nondeterminism (2/2) • In general, given P, consider the sets: – A = { ax | a  AnonyAgs } : the actions that we want to know only partially (we want to know x but not a) – B : the actions that we want to observe – C = Actions – (B U A) : The actions we want to hide A The observables to consider for the Anonymity analysis must abstract wrt the events in C.  Definition: The system is anonymous if an arbitrary permutation ρAof the events in A, applied to the observables of P, does not change the observables B C ρA(Obs(P)) = Obs(P) 5 LIX, 25 January 2005 Probabilistic Anonymity

  6. The dining cryptographers (1/6) • Problem and solution formulated originally by David Chaum, J. Cryptology, 1988 • The Problem: – Three cryptographers share a meal – The meal is paid either by the organization (master) or by one of them. The master decides who pays – Each of the cryptographers is informed by the master whether or not he is has to pay • GOAL: – The cryptographers would like to know whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master 6 LIX, 25 January 2005 Probabilistic Anonymity

  7. The dining cryptographers (2/6) Crypt(0) notpays0 pays0 Master Crypt(1) Crypt(2) 7 LIX, 25 January 2005 Probabilistic Anonymity

  8. The dining cryptographers (3/6) A solution • Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers. • The result of each coin-tossing is visible to the adjacent cryptographers, and only to them. • Each cryptographer examines the two adjacent coins – If he is paying, he announces “agree” if the results are the same, and “disagree” otherwise. – If he is not paying, he says the opposite 8 LIX, 25 January 2005 Probabilistic Anonymity

  9. The dining cryptographers (4/6): A solution Crypt(0) notpays0 pays0 Coin(0) Coin(1) look20 Master Crypt(2) Crypt(1) Coin(2) agree1 / disagree1 9 LIX, 25 January 2005 Probabilistic Anonymity

  10. The dining cryptographers (5/6) Properties of the solution Proposition 1 (Public information): if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying. Proposition 2 (Anonymity): In the latter case, if the coin is fair then the non paying cryptographers and the external observers will not be able to deduce whom exactly is paying 10 LIX, 25 January 2005 Probabilistic Anonymity

  11. The dining cryptographers (6/6) Automatic verification • Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP. – The protocol : system P of parallel CSP processes (master, cryptographers, coins) – A (anonymous events): pays0, notpays0, …, notpays2 – B (observable events): agree0, disagree0, …, disagree2 – C (hidden events): results of coins – Observables : all traces of P with events from C removed • For every permutation ρ on A, we have ρ(Obs(P)) = Obs(P) 11 LIX, 25 January 2005 Probabilistic Anonymity

  12. Limitations of the nondeterministic approach • The nondeterministic components must be produced by random devices – nondeterministic coin  random coin • An observer may deduce info about the system from the probability distribution of the devices. This possibility is not captured by the nondeterministic formulation: The nondeterministic definition is “too coarse” – For example, if we know that two adjacent coins are biased, we can deduce when the corresponding cryptographer is likely to be lying • The probability distribution of the devices may be guessed by testing the system – For example in if the cryptographers are more than 3, we can deduce that two coins are biased by looking at the results several times 12 LIX, 25 January 2005 Probabilistic Anonymity

  13. Conditional probability (1/3) • We propose a notion of anonymity based on conditional probability • A brief recall of the notion of conditional probability • Puzzle: – A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty – After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty – Then the king offers to the guest to exchange the box he picked with the other (closed) one – Question: should the guest exchange? 13 LIX, 25 January 2005 Probabilistic Anonymity

  14. Conditional probability (2/3) • Answer: it depends on whether the king opens intentionally an empty box, or not. • In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring • In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring 14 LIX, 25 January 2005 Probabilistic Anonymity

  15. Conditional probability (3/3) • pb(X|Y) = conditional probability of X given Y = pb(X and Y) / pb(Y) Let us consider again the puzzle in Case 2 • • • Bi= Box i contains the ring Initially: pb(B1) = pb(B2) = pb(B3) = 1/3 After opening one box, say Box 1, if it turns out to be empty, we have: pb(B2) = pb(B2| not B1) = pb(B2and not B1) / pb(not B1) = pb(B2)/pb(not B1) = (1/3) / (2/3) = 1 / 2 15 LIX, 25 January 2005 Probabilistic Anonymity

  16. Anonymity and randomization (1/2) • Remember that, given P, we consider the sets: – A = { ax | a  AnonyAgs } : the actions that we want to know only partially (we want to know x but not a) – B : the actions that we want to observe (it may include x but not a) – C = Actions – (B U A) : The actions we want to hide A  B C 16 LIX, 25 January 2005 Probabilistic Anonymity

  17. Anonymity and randomization (2/2) • The observables must abstract wrt C • Definition: The system is anonymous if for every nonderministic choice, for every observations O1,O2in which x happens, and for every action ax  A, we have pb(ax | O1) = pb(ax | O2) i.e. the observables do not allow to deduce anything about the identity of the agent • Equivalently: for every O, a and b, we have pb(O | ax) = pb(O | bx) namely, the probability of an observable does not depend on the identity of the agent • Note that the second formulation can be regarded as the probabilistic version of the definition of Schneider/ Sidiropoulos • Note that in general pb(ax | O) =/= pb(bx | O), hence the latter cannot be a good definition of probabilistic anonymity 17 LIX, 25 January 2005 Probabilistic Anonymity

  18. The randomized dining cryptographers • Each cryptographer tosses a probabilistic coin • All the rest is the same as before. In particular, the master is nondeterministic 18 LIX, 25 January 2005 Probabilistic Anonymity

  19. Verification in probabilistic p- calculus We have verified the anonymity of the randomized solution to the dining cryptographers by using the probabilistic p-calculus. • – The protocol : system P of parallel processes: • Master: probabilistic (blind) • Coins: probabilistic (blind) • Cryptographers: deterministic – A (anonymous events): pays0, notpays0, …, notpays2 • combination chosen nondeterministically – C (hidden events): results of coins • chosen probabilistically – B (observable events): agree0, disagree0, …, disagree2 • Determined by the choice of the master and of the coins – Observables : all traces of P with events from C removed • For every i,k, and for every combination O of agree/disagree, we have ρb(O | paysi) = pb(O | paysk) 19 LIX, 25 January 2005 Probabilistic Anonymity

  20. The generalized dining philosophers • In general, given an arbitrary graph, where the nodes represent the cryptographers, and the arcs the coins, we can extend the protocol as follows: – bi = 0 if cryptographer i does not pay, bi = 1 otherwise – coink= 0 if coin k gives head, coink= 1 otherwise – crypti= output of cryptographer i, calculated as follows: Crypti Coink crypti= Sk adjacent icoink+ bi where the sums are binary 20 LIX, 25 January 2005 Probabilistic Anonymity

  21. The protocol in the general case • Proposition: there is a payer iff Sicrypti= 0 Proof: just observe that in this sum each coinkis counted twice. Furthermore there is at most one k s.t. bk= 1. Hence the result is 0 iff there is no k s.t. bk= 1. • Proposition: If all the coins are fair, and the graph is connected, then – the system is anonymous for every external observer – the system is anonymous for any node j such that, if we remove j and all its adjacent arcs, the rest of the graph is still connected 21 LIX, 25 January 2005 Probabilistic Anonymity

  22. Conclusion • Notion of probabilistic anonymity – Extending the classic one of Schneider- Sidiropoulos • Application to the example of the generalized dining cryptographers • Verification using the p-calculus • In retrospect, we should have verified the protocol using a probabilistic master 22 LIX, 25 January 2005 Probabilistic Anonymity

More Related