Probabilistic and Nondeterministic Aspects of Anonymity

Probabilistic and Nondeterministic Aspects of Anonymity Catuscia Palamidessi, INRIA & LIX Based on joint work with Mohit Bhargava, IIT New Delhi Kostas Chatzikokolakis, LIX

Plan of the talk • The concept of anonymity • Nondeterministic (aka possibilistic) Anonymity • Example: the Dining Cryptographers • Limitations of the nondeterministic approach • The hierarchy of Reiter and Rubin: – Beyond Suspicion and Probable Innocence • Formalization of Beyond Suspicion: Conditional anonymity • Equivalent formulation for probabilistic users – independence from users’ probabilistic distribution • Corresponding formulation for nondeterministic users • Formalization of Probable Innocence 2 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The concept of anonymity • Goal: – To ensure that the identity of the agent involved in a certain action remains secret. • Some examples of situations in which anonymity may be desirable: – Electronic elections – Delation – Donations – File sharing • Some systems: – Crowds [Reiter and Rubin,1998], • anonymous communication (anonymity of the sender) – Onion Routing [Syverson, Goldschlag and Reed, 1997] • anonymous communication – Freenet [Clarke et al. 2001] • anonymous information storage and retrieval 3 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Formal approaches to Anonymity • Concurrency Theory (CSP) – Schneider and Sidiropoulos, 1996 • Epistemic Logic – Sylverson and Stubblebine, 1999 – Halpern and O’Neil, 2004 • Function views – Hughes and Shmatikov, 2004 • These approaches are nondeterministic (except Halpern and O’Neill) although many systems, including Crowds, Onion Routing, and Freenet, use randomized primitives 4 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Nondeterministic Anonymity • We will focus on the “Concurrency theory” approach, which started with the work by Schneider and Sidiropoulos, ESORICS 1996 • Systems and protocols for anonymity are describes as CSP processes • Actions for which we want anonymity of the agent are modeled as consisting of two components: – the action itself, a, – the identity of the agent performing the action, i a(i) AnonymousAgs: the agents who want to remain secret • • Given x, define A = { a(i) | i  AnononymousAgs } • A protocol described as a process P provides anonymity if an arbitrary permutation ρA of the events in A, applied to the observables of P, does not change the observables ρA( Obs(P) ) = Obs(P) 5 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Nondeterministic Anonymity • In general, given P, consider the sets: – A = { x(i) | i  AnonymousAgs } : the actions for which we want anonymity – B = the actions that are visible to the observers – C = Actions – (B U A) : The actions we want to hide A The observables to consider for the Anonymity analysis are B U A. In CSP this is obtained by abstracting the system P wrt the actions in C.  Definition: The system is anonymous if an arbitrary permutation ρAof the events in A, applied to the observables of P, does not change the observables B C ρA( Obs(P) ) = Obs(P) 6 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Example: The dining cryptographers • Problem formulated originally by David Chaum, 1988 • The Problem: – Three cryptographers share a meal – The meal is paid either by the organization (master) or by one of them. The master decides who pays – Each of the cryptographers is informed by the master whether or not he is has to pay • GOAL: – The cryptographers would like to make known whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master 7 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The dining cryptographers Crypt(0) Notpays(0) Pays(0) Master Crypt(1) Crypt(2) 8 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The dining cryptographers A nondeterministic solution • Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers. • The result of each coin-tossing is visible to the adjacent cryptographers, and only to them. • Each cryptographer examines the two adjacent coins – If he is not paying, he announces “agree” if the results are the same, and “disagree” otherwise. – If he is paying, he says the opposite 9 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The dining cryptographers Crypt(0) Notpays(0) Pays(0) Coin(0) Coin(1) look02 Master Crypt(2) Crypt(1) Coin(2) agree1 / disagree1 10 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The dining cryptographers Properties of the solution Proposition 1: if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying. Proposition 2 (Anonymity): In the latter case, if the coins are fair then the non paying cryptographers and the external observers will not be able to deduce who is paying 11 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

The dining cryptographers - Automatic verification • Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP and FDR. – The protocol : system P of parallel CSP processes (master, cryptographers, coins) – A (anonymous actions): pays(0), pays(1), pays(2) – B (observable actions): • For an external observer: • For cryptographer Crypto(0): agree0, disagree0, …, disagree2, look00, look10 agree0, disagree0, …, disagree2 – C (hidden actions): the other results of coins: look i j – Observables : all traces of P abstracting from C • For every permutation ρ on A, we have ρ( Obs(P) ) = Obs(P) 12 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Limitations of the nondeterministic approach • The nondeterministic components may be produced by random devices – nondeterministic coin  random coin • An observer may deduce probabilistic info about the system from the probability distribution of the devices. • The probability distribution of the devices may be inferred statistically by repeating the observations • The leakage of probabilistic info is not captured by the nondeterministic formulation 13 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Limitations of the nondeterministic approach • Example. Suppose that we observe with high frequency one of the following results. What can we infer from them? p d a a H H H H H H d d a d d a p p T T T • • We can deduce that the coins are biased, and how Therefore we can probabilistically guess who is the payer • This breach in anonymity is not detected by the nondeterministic approach (as long as the fourth possible configuration appears, from time to time). In a sense the nondeterministic notion of anonymity is too weak. 14 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Reiter and Robin ‘s hierarchy • By introducing probabilities we can distinguish different levels of strength • Example: Crowds [Reiter and Robin 98] – a system designed to provide the anonymity of the originator of a message. – The originator sends the message to another user selected randomly, who in turns forwards the message to another user, and so on, until the message reaches its destination. observer destination originator sender • Reiter and Robin proposed the following (informal) hierarchy – Beyond suspicion: from the point of view of the observer, the sender appears no more likely than any other agent to be the originator – Probable innocence: … the sender appears no more likely to be the originator than not to be – Possible innocence: … there is a non trivial probability that the sender is not the originator • Reiter and Robin proved “probable innocence” of Crowds under certain conditions. • In the nondeterministic approach the hierarchy collapses at the lowest level 15 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

• The rest of this talk is dedicated to generalizing and formalizing the notions of probabilistic anonymity. In particular, “beyond suspicion” and “probable innocence” • We describe the random mechanisms of the protocol probabilistically. The users may be probabilistic or nondeterministic • We use (a simplified form of) Segala and Lynch’s probabilistic automata, which can represent both probabilistic and nondeterministic behavior 16 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Fully probabilistic automata • • • Observable actions: a, b, c Execution: a path from the root to a leaf Probability of an execution: the product of the probabilities on the edges a 1/2 1/2 b c 2/3 • • Event: a set of executions Probability of an event: the sum of the probabilities of the executions 1/3 c 1/2 1/2 • Examples: •The event c has probability •p(c) = 1/2 + 1/6 = 2/3 •The event ab has probability •p(ab) = 1/6 + 1/18 = 2/9 b 1/3 1/3 1/3 17 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

(Simplified) Probabilistic Automata • White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors • 1/3 1/2 1/3 • Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by s ps(o) = the probability of the event o under s 1/2 1/3 a 1/3 2/3 • a 1/2 1/2 18 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

(Simplified) Probabilistic Automata • White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors s • 1/3 1/2 1/3 • Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by s ps(o) = the probability of the event o under s 1/2 1/3 s a 1/3 2/3 • a 1/2 1/2 19 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

(Simplified) Probabilistic Automata • White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors • 1/2 • Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by s ps(o) = the probability of the event o under s 1/2 • a 1/2 1/2 • ps(a) = 1/4 20 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

(Simplified) Probabilistic Automata • White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors d • 1/3 1/2 1/3 • Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by s ps(o) = the probability of the event o under s 1/2 1/3 a 1/3 2/3 • a 1/2 1/2 21 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

(Simplified) Probabilistic Automata • White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors d • 1/3 1/3 • Etree(s): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by s ps(o) = the probability of the event o under s 1/3 a 1/3 2/3 • • pd(a) = 1/9 22 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Notation and assumptions • Conditional probability: p(x | y) = p(x and y) / p(y) • Events: – a(i) : user i has performed anonymous action a – a = Uia(i) : anonymous action a has been performed – o = b1…bn: observable actions b1, … , bnhave been performed • We assume – The a(i) ‘s form a partition of a – Each observable event o implies either a or not a 23 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Formalization of anonymity: first attempt The immediate interpretation of the notions of Reiter and Rubin: • Beyond suspicion: Forall i, j, o . p(a(i) | o) = p(a(j) | o) • Probable innocence: Forall i, j, o. p(a(i) | o) < p(not a(i) | o) • Possible innocence: Forall i, j, o . p(a(i) | o) < 1 However: - These notions do not apply for nondeterministic users - They depend on the probability distribution of the users - We expect “beyond suspicion” to hold for the Dining Cryptographers with fair coins, and “probable innocence” to hold for Crowds, but the above notions (in general) don’t hold 24 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Formalization of “beyond suspicion” • The property which has been proved by Chaum for the dining cryptographers with probabilistic users and probabilistic fair coins is : Forall i, j, o . p(a(i) | o) = p(a(i) | a) • Namely: the observation of o does not add anything to the knowledge of the probability of a(i), except that the action a has been performed. • This is similar to the property called conditional anonymity by Halpern and O’Neill • Problems: – In general it may depend on the probability distribution of the users – Not applicable for nondeterministic users 25 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Formalization of “beyond suspicion” • Proposition: Forall i, j, o . if o  a then p(a(i) | o) = p(a(i) | a) (*) is equivalent to Forall i, j, o . if p(a(i)) > 0 and p(a(j)) > 0 then p(o | a(i) ) = p(o | a(j)) (**) • Proposition: if the choice of the a(i)’s is done only once, then the formula (**) does not depend on the probability distribution of the a(i)’s • The corresponding definition, for nondeterministic users: Forall i, j, o, if s selects a(i), and d selects a(j), then ps(o) = pd(o) (***) • Proposition: nondeterministic users (master) (***) is satisfied by the dining cryptographers with fair coins and 26 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Independence from the probability distribution of the a(i)’s p1 p p2 p3 a(1) not a a(2) a(3) q o q q o o p(o | a(i)) = p(o and a(i)) / p(a(i) = = q pi/pi = q p(o | a(j)) 27 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Nondeterministic users s a(1) not a a(2) a(3) q o q q o o ps(o) = q = pd(o) 28 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Formalization of “probable innocence” (ongoing work) We assume here that a is always performed Probabilistic users: Forall i, j, o . if p(a(i)) > 0 and p(a(i)) < 1 then p(o | a(i) ) < p(o | not a(i)) Nondeterministic users: Forall i, j, o . if s selects a(i) and d does not select a(i) then ps(o) < pd(o) • In the case of Crowds, this property corresponds to the one which has been effectively proved by Reiter and Rubin 29 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Conclusion • Notion of probabilistic anonymity – Probabilistic users: conditional probability – Nondeterministic users: scheduler – Beyond suspicion and probable innocence • Application to the example of the Dining Cryptographers and Crowds 30 Probabilistic and Nondeterministic Aspects of Anonymity Birmingham, 19 May 2005

Probabilistic and Nondeterministic Aspects of Anonymity

Probabilistic and Nondeterministic Aspects of Anonymity

Presentation Transcript

Nondeterministic Finite Automata

Privacy and Anonymity

System Aspects of Probabilistic DBs Part II: Advanced Topics

Anonymity

In favor of Anonymity

Quantitative Analysis of Information Leakage in Probabilistic and Nondeterministic Systems

On the Anonymity of Anonymity Systems

Anonymity

Nondeterministic TMs

Anonymity

Privacy and anonymity

Anonymity

Nondeterministic Finite Automata

Nondeterministic Finite Automata

Nondeterministic Finite Automata

Deniable and Traceable Anonymity

Probabilistic Anonymity

Nondeterministic Finite Automata