MPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security

Similar documents
Quantitative Approaches to Information Protection

On the Bayes Risk in Information-Hiding Protocols

Probable Innocence Revisited

Quantitative Information Flow. Lecture 7

Measuring Anonymity with Relative Entropy

arxiv: v2 [cs.cr] 21 May 2018

On the Bayes Risk in Information-Hiding Protocols

Quantitative Information Leakage. Lecture 9

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Composable Bounds on Information Flow from Distribution Differences

Introduction to Cryptography Lecture 13

How to Work with Honest but Curious Judges? (Preliminary Report)

Notes on Zero Knowledge

Institutionen för datavetenskap Department of Computer and Information Science

Quantum Wireless Sensor Networks

Information Hiding in Probabilistic Concurrent Systems

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Provable Anonymity ABSTRACT. Categories and Subject Descriptors. General Terms. Keywords

Probability theory basics

Quantum Symmetrically-Private Information Retrieval

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Anonymity and Information Hiding in Multiagent Systems

Chapter 2.5 Random Variables and Probability The Modern View (cont.)

Round-Efficient Multi-party Computation with a Dishonest Majority

Topics. Probability Theory. Perfect Secrecy. Information Theory

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Randomized Algorithms

Chapter 7: Section 7-1 Probability Theory and Counting Principles

Symbolic Model Checking of Probabilistic Knowledge

Previous Exam Questions, Chapter 2

Chapter 01: Probability Theory (Cont d)

2011 Pearson Education, Inc

LECTURE 1. 1 Introduction. 1.1 Sample spaces and events

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

and Other Fun Stuff James L. Massey

Chapter 1 (Basic Probability)

Intermediate Math Circles November 8, 2017 Probability II

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Calculating Quantitative Integrity and Security for Imperative Programs

Cryptographic Protocols Notes 2

Privacy-preserving Data Mining

COS 424: Interacting with Data. Lecturer: Dave Blei Lecture #2 Scribe: Ellen Kim February 7, 2008

Information Theoretical Analysis of Digital Watermarking. Multimedia Security

Foundations of Cryptography

Lecture 1. ABC of Probability

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

6.02 Fall 2011 Lecture #9

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Information Disclosure in Identity Management

AGREEMENT PROBLEMS (1) Agreement problems arise in many practical applications:

Mathematical Foundations of Computer Science Lecture Outline October 18, 2018

FAIR AND EFFICIENT SECURE MULTIPARTY COMPUTATION WITH REPUTATION SYSTEMS

George Danezis Microsoft Research, Cambridge, UK

Shannon's Theory of Communication

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Classification & Information Theory Lecture #8

Complexity of automatic verification of cryptographic protocols

Final Examination CS 540-2: Introduction to Artificial Intelligence

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

I - Probability. What is Probability? the chance of an event occuring. 1classical probability. 2empirical probability. 3subjective probability

Discrete Probability and State Estimation

Introduction to Bayesian Learning

The probability of an event is viewed as a numerical measure of the chance that the event will occur.

Lecture 1: Shannon s Theorem

9 Forward-backward algorithm, sum-product on factor graphs

An Anonymous Authentication Scheme for Trusted Computing Platform

1. Basics of Information

Clock Synchronization

CS 188: Artificial Intelligence Fall 2009

Lecture 2: Repetition of probability theory and statistics

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Lecture 1: Probability Fundamentals

The odd couple: MQV and HMQV

Multiparty Computation

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

A Note on the Cramer-Damgård Identification Scheme

CMPSCI 240: Reasoning about Uncertainty

Lecture 2: Probability, conditional probability, and independence

Lecture 1: Introduction to Public key cryptography

Introduction to probability

Probability COMP 245 STATISTICS. Dr N A Heard. 1 Sample Spaces and Events Sample Spaces Events Combinations of Events...

Probabilistic Guarded Commands Mechanized in HOL

Beyond the MD5 Collisions

Knowledge and Action in Semi-Public Environments

ECE531: Principles of Detection and Estimation Course Introduction

ECash and Anonymous Credentials

Plan for today. ! Part 1: (Hidden) Markov models. ! Part 2: String matching and read mapping

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Lecture 14: Secure Multiparty Computation

6.3 Bernoulli Trials Example Consider the following random experiments

Notes for Lecture 17

Cryptology. Vilius Stakėnas autumn

Probability Review Lecturer: Ji Liu Thank Jerry Zhu for sharing his slides

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

An Identification Scheme Based on KEA1 Assumption

Research, Development and Simulation of Quantum Cryptographic Protocols

Information Complexity and Applications. Mark Braverman Princeton University and IAS FoCM 17 July 17, 2017

Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols

Low-Density Parity-Check Codes

Transcription:

MPRI Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia Palamidessi LIX, Ecole Polytechnique kostas@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: http://mpri.master.univ-paris7.fr/c-2-3.html

Plan of the lecture Randomized protocols for security Focus on protection of identity (anonymity) The dining cryptographers Correctness of the protocol Anonymity analysis Crowds (a protocol for anonymous web surfing) 2

Anonymity: particular case of Privacy To prevent information from becoming known to unintended agents or entities Protection of private data (credit card number, personal info etc.) Anonymity: protection of identity of an user performing a certain action Unlinkability: protection of link between information and user Unobservability: impossibility to determine what the user is doing More properties and details at www.freehaven.net/anonbib/cache/terminology.pdf 3

Anonymity Hide the identity of a user performing a given action The action itself might be revealed Many applications Elections Anonymous donation Anonymous web-surfing Anonymous posting on forums Protocols for anonymity often use randomization 4

The dining cryptographers A simple anonymity problem Introduced by Chaum in 1988 Chaum proposed a solution satisfying the socalled strong anonymity 5

The problem Three cryptographers share a meal with a master In the end the master decides who pays It can be himself, or a cryptographer The master informs each cryptographer individually The cryptographers want to find out if - one of them pays, or - it is the master who pays Anonymity requirement: the identity of the paying cryptographer (if any) should not be revealed Don t pay C 1 C 0 Master Pay C 1 6

The protocol Each pair of adjacent cryptographers flips a coin Each cryptographer has access only to its adjacent coins Each cryptographer looks at the coins and declares agree if the coins have the same value and disagree otherwise If a cryptographer is the payer he will say the opposite Consider the number of disagrees: Coin C 0 C 1 C 2 odd: a cryptographer is paying agree / agree / even: the master is paying disagree disagree 7 Coin agree / disagree Coin

Examples agree disagree C 0 C 0 Heads Heads Tails Heads payer the master pays C 1 C 2 C 1 C 2 Tails Heads agree disagree disagree agree 8

Correctness of the protocol Let v i {0,1} be the value of coin i Each cryptographer announces v i-1+v i where + is the sum modulo 2: - 0 means agree - 1 means disagree The payer announces v i-1+v i +1 The total sum is - (v 0+v 1 ) + (v 1 +v 2 ) + (v 2 +v 0 ) = 0 if the master pays - (v 0+v 1 +1) + (v 1 +v 2 ) + (v 2 +v 0 ) = 1 if a cryptographer (C 1 ) pays C 0 payer C 1 C 2 v 1 v 2 +v 0 v 0 v 2 v 0 +v 1 +1 v 1 +v 2 9

Correctness of the protocol The protocol is correct for any (connected) network graph The key idea is that all coins are added twice, so the cancel out Only the extra 1 added by the payer (if there is a payer) remains Note: this protocol could be extended to broadcast data anonymously, but the problem is that there in no distributed, efficient way to ensure that there is only one agent communicating the datum at each moment. 10

Anonymity of the protocol How can we define the notion of anonymity? First we have to fix the notion of observable: The anonymity property change depending on who is the observer / what actions he can see - - An external observer can only see the declarations One of the cryptographers can also see some of the coins 11

Notion of anonymity Once we have fixed the observables, the protocol can be seen as a channel identity (info to be protected) Observables a1 o1... Protocol... am Input on Output 12

Notion of anonymity a1 o1......... am on Protocols are noisy channels 13

Notion of anonymity C0 C1 C2 aad ada daa ddd Example: The protocol of the dining cryptographers 14

Notion of anonymity a1 p(o1 a1) o1 am... p(on a1)...... on The conditional probabilities 15

Notion of anonymity a1 o1 p(o1 a1)...... on p(on a1)...... am p(o1 am) p(on am) The conditional probabilities form a matrix. In general the notion of anonymity will depend on these conditional probabilities 16

Notions of strong anonymity In the following, a, a are hidden events, o is an observable 1. [Halpern and O Neill - like] for all a, a : p(a o) = p(a o) 2. [Chaum], [Halpern and O Neill]: for all a, o: p(a o) = p(a) 3. [Bhargava and Palamidessi]: for all a, a, o: p(o a) = p(o a ) (2) and (3) are equivalent. Exercise: prove it (1) is equivalent to (2),(3) plus p(a) = p(a ) for all a, a the condition for all a, a p(a) = p(a ) depends on the input s distribution rather than on the features of the protocol 17

Anonymity in the Dining Cryptographers For an external observer the only observable actions are sequences of agree/disagree (daa, ada, aad,...) Strong anonymity: different payers produce the observables with equal probability p(daa C 0 pays) = p(daa C 1 pays) p(daa C 0 pays) = p(daa C 2 pays) p(ada C 0 pays) = p(ada C 1 pays)... This is equivalent to requiring that p(c i pays) = p(c i pays o 0 o 1 o 2 ) 18

Expressing the protocol in probabilistic (value passing) CCS Advantage: use model checker of probabilistic CCS to compute the conditional probabilities automatically Master = 2 i=0 p i m i 1. m i+1 0. m i+2 0.0 p m m 0 0. m 1 0. m 2 0.0 Crypt i = m i (x).c i,i (y).c i,i+1 (z).out x + y + z.0 Coin i = p h c i,i 0. c i 1,i 0.0 p t c i,i 1. c i 1,i 1.0 DC = (ν m)(master (ν c)(π 2 i=0 Crypt i Π 2 i=0 Coin i)) 19

Expressing the protocol in probabilistic (value-passing) CCS Anonymous action Master = 2 i=0 p i m i 1. m i+1 0. m i+2 0.0 p m m 0 0. m 1 0. m 2 0.0 Crypt i = m i (x).c i,i (y).c i,i+1 (z).out x + y + z.0 Observables Coin i = p h c i,i 0. c i 1,i 0.0 p t c i,i 1. c i 1,i 1.0 DC = (ν m)(master (ν c)(π 2 i=0 Crypt i Π 2 i=0 Coin i)) Probabilistic choices 20

Probabilistic automaton associated to the probabilistic π program for the D.C. Assume we already fixed the scheduler aaa aaa 21

Anonymity of the protocol Assuming fair coins, we compute these probabilities daa ada aad ddd C 0 1/4 1/4 1/4 1/4 C 1 1/4 1/4 1/4 1/4 C 2 1/4 1/4 1/4 1/4 Strong anonymity is satisfied 22

Anonymity of the protocol If the coins are unfair this is no longer true For example, if p(heads) = 0.7 daa ada aad ddd C 0 0.37 0.21 0.21 0.21 C 1 0.21 0.37 0.21 0.21 C 2 0.21 0.21 0.37 0.21 Now if we see daa, we know that c1 is more likely to be the payer 23

Anonymity of the protocol Even if we don t know the fact that the coins are unfair, we could find out using statistical analysis Exercise: suppose we see almost all the time one of the following announcements - - ada aad daa what can we infer about the coins? then can we find the payer? - Now if we see daa, we know that C 0 is more likely to be the payer 24

Weaker notions of anonymity There are some problems in which it is practically impossible to achieve strong anonymity We need to define weaker notions In general, we need to give a quantitative characterization of the degree of protection provided by a protocol 25

Example: Crowds A protocol for anonymous web surfing goal: send a request from a user (initiator) to a web serer problem: sending the message directly reveals the user s identity more efficient that the dining cryptographers: involves only a small fraction of the users in each execution server 26

Crowds A crowd of n users participates in the protocol The initiator forwards the message to a randomly selected user (forwarder) A forwarder: With probability p f forwards again the message With probability 1-p f send the message directly to the server server 27

Anonymity of the protocol Wrt the server: strong anonymity. The server sees only the last user More interesting case: some user is corrupted server Information gathered by the corrupted user can be used to detect the initiator 28

Anonymity of the protocol In presence of corrupted users: strong anonymity is no longer satisfied A weaker notion called probable innocence can be achieved, defined as: the detected user is less likely to be the initiator than not to be the initiator Formally: p(u is initiator u is detected) < p(u is not initiator u is detected) 29

Degree of protection: an Information-theoretic approach The entropy H(A) measures the uncertainty about the anonymous events: H(A) = a A p(a) log p(a) The conditional entropy H(A O) measures the uncertainty about A after we know the value of O (after the execution of the protocol). The mutual information I(A; O) measures how much uncertainty about A we lose by observing O: I(A; O) = H(A) H(A O) We can use (the converse of) the mutual information as a measure of the degree of protection of the protocol 30

Open problems Information protection is a very active field of research. There are many open problems. For instance: Make model-checking more efficient for the computation of conditional probabilities Active attackers: how does the model of protocol-as-channel change? Inference of the input distribution from the observers 31

Bibliography D. Chaum. The Dining Cryptographers Problem. Journal of Cryptology, 1, 65--75, 1988. J. Y. Halpern and K. R. O'Neill. Anonymity and information hiding in multiagent systems. Journal of Computer Security, 13(3), 483-512, 2005 K. Chatzikokolakis, C. Palamidessi, P. Panangaden. Anonymity Protocols as Noisy Channels. Information and Computation.To appear. 2007. http://www.lix.polytechnique.fr/~catuscia/papers/anonymity/channels/full.pdf 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback