Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX.


Cachan, 13 December 2004

Plan of the talk

– The concept of anonymity
– Anonymity and nondeterminism
– Example: the Dining Cryptographers
– Conditional probability
– Anonymity and randomization
– The randomized Dining Cryptographers
– Analysis and verification in probabilistic π-calculus
– Generalized D.C.
– Conclusion

The concept of anonymity

Goal:
– To ensure that a certain part of a piece of information becomes public while another part of it remains secret.
– Typically, what we want to keep secret is the identity of the agent involved.
Examples:
– Electronic elections
– Delation
We will consider the case in which the information to make public is whether or not a certain event has taken place, and the information to hide is the identity of the agent performing that event.

Anonymity and nondeterminism (1/2)

Work by Schneider and Sidiropoulos, ESORICS 1996.
Events are modeled as consisting of two components: the event itself, x, and the identity of the agent performing the event, a; together written ax.
AnonyAgs: the agents who want to remain secret.
Given x, define A = { ax | a ∈ AnonyAgs }.
A protocol described as a process P provides anonymity if an arbitrary permutation ρ_A of the events in A, applied to the observables of P, does not change the observables:
ρ_A(Obs(P)) = Obs(P)

Anonymity and nondeterminism (2/2)

In general, given P, consider the sets:
– A = { ax | a ∈ AnonyAgs }: the actions that we want to know only partially (we want to know x but not a)
– B: the actions that we want to observe
– C = Actions – (B ∪ A): the actions we want to hide
[Figure: diagram of the sets A, B and C]
The observables to consider for the anonymity analysis must abstract with respect to the events in C.
Definition: The system is anonymous if an arbitrary permutation ρ_A of the events in A, applied to the observables of P, does not change the observables:
ρ_A(Obs(P)) = Obs(P)

The dining cryptographers (1/6)

Problem and solution formulated originally by David Chaum, J. Cryptology, 1988.
The problem:
– Three cryptographers share a meal
– The meal is paid either by the organization (master) or by one of them. The master decides who pays
– Each of the cryptographers is informed by the master whether or not he has to pay
Goal:
– The cryptographers would like to know whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master

The dining cryptographers (2/6)

[Figure: Master, Crypt(0), Crypt(1), Crypt(2); labels pays0, notpays0]

The dining cryptographers (3/6): A solution

Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers.
The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.
Each cryptographer examines the two adjacent coins
– If he is paying, he announces “agree” if the results are the same, and “disagree” otherwise.
– If he is not paying, he says the opposite

The dining cryptographers (4/6): A solution

[Figure: Master, Crypt(0), Crypt(1), Crypt(2), Coin(0), Coin(1), Coin(2); labels pays0, notpays0, look20, agree1 / disagree1]

The dining cryptographers (5/6): Properties of the solution

Proposition 1 (Public information): if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying.
Proposition 2 (Anonymity): In the latter case, if the coin is fair then the non-paying cryptographers and the external observers will not be able to deduce who exactly is paying

The dining cryptographers (6/6): Automatic verification

Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP.
– The protocol: system P of parallel CSP processes (master, cryptographers, coins)
– A (anonymous events): pays0, notpays0, …, notpays2
– B (observable events): agree0, disagree0, …, disagree2
– C (hidden events): results of coins
– Observables: all traces of P with events from C removed
For every permutation ρ on A, we have ρ(Obs(P)) = Obs(P)

Limitations of the nondeterministic approach

The nondeterministic components must be produced by random devices
– nondeterministic coin → random coin
An observer may deduce information about the system from the probability distribution of the devices. This possibility is not captured by the nondeterministic formulation: the nondeterministic definition is “too coarse”
– For example, if we know that two adjacent coins are biased, we can deduce when the corresponding cryptographer is likely to be lying
The probability distribution of the devices may be guessed by testing the system
– For example, if there are more than 3 cryptographers, we can deduce that two coins are biased by looking at the results several times

Conditional probability (1/3)

We propose a notion of anonymity based on conditional probability.
A brief recall of the notion of conditional probability.
Puzzle:
– A king offers a guest the choice of one of three closed boxes. One contains a diamond, the other two are empty
– After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty
– Then the king offers to let the guest exchange the box he picked for the other (closed) one
– Question: should the guest exchange?

Conditional probability (2/3)

Answer: it depends on whether the king intentionally opens an empty box, or not.
In the first case, the guest had better change his choice, since the other box now has probability 2/3 of containing the ring.
In the second case, it does not matter. Both the remaining closed boxes now have probability ½ of containing the ring.

Conditional probability (3/3)

pb(X | Y) = conditional probability of X given Y = pb(X and Y) / pb(Y)
Let us consider again the puzzle in Case 2.
B_i = Box i contains the ring
Initially: pb(B_1) = pb(B_2) = pb(B_3) = 1/3
After opening one box, say Box 1, if it turns out to be empty, we have:
pb(B_2) = pb(B_2 | not B_1) = pb(B_2 and not B_1) / pb(not B_1) = pb(B_2) / pb(not B_1) = (1/3) / (2/3) = 1/2

Anonymity and randomization (1/2)

Remember that, given P, we consider the sets:
– A = { ax | a ∈ AnonyAgs }: the actions that we want to know only partially (we want to know x but not a)
– B: the actions that we want to observe (it may include x but not a)
– C = Actions – (B ∪ A): the actions we want to hide
[Figure: diagram of the sets A, B and C]

Anonymity and randomization (2/2)

The observables must abstract with respect to C.
Definition: The system is anonymous if for every nondeterministic choice, for every pair of observations O_1, O_2 in which x happens, and for every action ax ∈ A, we have
pb(ax | O_1) = pb(ax | O_2)
i.e. the observables do not allow us to deduce anything about the identity of the agent.
Equivalently: for every O, a and b, we have
pb(O | ax) = pb(O | bx)
namely, the probability of an observable does not depend on the identity of the agent.
Note that the second formulation can be regarded as the probabilistic version of the definition of Schneider/Sidiropoulos.
Note that in general pb(ax | O) ≠ pb(bx | O), hence the latter cannot be a good definition of probabilistic anonymity.

The randomized dining cryptographers

Each cryptographer tosses a probabilistic coin.
All the rest is the same as before. In particular, the master is nondeterministic.

Verification in probabilistic π-calculus

We have verified the anonymity of the randomized solution to the dining cryptographers by using the probabilistic π-calculus.
– The protocol: system P of parallel processes:
   Master: nondeterministic (blind)
   Coins: probabilistic (blind)
   Cryptographers: deterministic
– A (anonymous events): pays_0, notpays_0, …, notpays_2; combination chosen nondeterministically
– C (hidden events): results of coins; chosen probabilistically
– B (observable events): agree_0, disagree_0, …, disagree_2; determined by the choice of the master and of the coins
– Observables: all traces of P with events from C removed
For every i, k, and for every combination O of agree/disagree, we have
pb(O | pays_i) = pb(O | pays_k)

The generalized dining philosophers

In general, given an arbitrary graph, where the nodes represent the cryptographers, and the arcs the coins, we can extend the protocol as follows:
– b_i = 0 if cryptographer i does not pay, b_i = 1 otherwise
– coin_k = 0 if coin k gives head, coin_k = 1 otherwise
– crypt_i = output of cryptographer i, calculated as follows:
   crypt_i = Σ_{k adjacent to i} coin_k + b_i
   where the sums are binary
[Figure: graph with nodes Crypt_i and arcs Coin_k]

The protocol in the general case

Proposition: there is a payer iff Σ_i crypt_i = 0
Proof: just observe that in this sum each coin_k is counted twice. Furthermore there is at most one k s.t. b_k = 1. Hence the result is 0 iff there is no k s.t. b_k = 1.
Proposition: If all the coins are fair, and the graph is connected, then
– the system is anonymous for every external observer
– the system is anonymous for any node j such that, if we remove j and all its adjacent arcs, the rest of the graph is still connected
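
An added example, not part of the original slides: an exact check of the probabilistic anonymity condition pb(O | pays_i) = pb(O | pays_k) for an external observer, using the generalized output rule crypt_i = (binary sum of adjacent coins) + b_i. It also shows the "too coarse" point from the limitations slide: with biased coins the set of possible observations is unchanged, but their probabilities now depend on the payer. All function names, the bias values and the graphs below are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

def observation_dist(edges, n, payer, p_one):
    """Exact pb(O | pays_payer) for an external observer.

    edges[k] = (i, j): coin_k sits between cryptographers i and j.
    p_one[k] = pb(coin_k = 1). O is the tuple (crypt_0, ..., crypt_{n-1}).
    """
    dist = {}
    for coins in product((0, 1), repeat=len(edges)):
        pr = Fraction(1)
        for k, c in enumerate(coins):
            pr *= p_one[k] if c else 1 - p_one[k]
        if pr == 0:
            continue                                      # impossible outcome
        out = [1 if i == payer else 0 for i in range(n)]  # b_i
        for (i, j), c in zip(edges, coins):               # binary sums
            out[i] ^= c
            out[j] ^= c
        dist[tuple(out)] = dist.get(tuple(out), Fraction(0)) + pr
    return dist

def probabilistically_anonymous(edges, n, p_one):
    """pb(O | pays_i) = pb(O | pays_k) for every O, i and k."""
    dists = [observation_dist(edges, n, i, p_one) for i in range(n)]
    return all(d == dists[0] for d in dists)

def nondeterministically_anonymous(edges, n, p_one):
    """Possibilistic check: only the set of possible O is compared."""
    sets = [set(observation_dist(edges, n, i, p_one)) for i in range(n)]
    return all(s == sets[0] for s in sets)

# Constructed inputs: the three-cryptographer ring, and a disconnected graph.
RING = [(0, 1), (1, 2), (2, 0)]
FAIR = [Fraction(1, 2)] * 3
BIASED = [Fraction(9, 10), Fraction(9, 10), Fraction(1, 2)]  # coins 0 and 1 biased
SPLIT = [(0, 1), (2, 3)]                                     # two components

if __name__ == "__main__":
    print("fair ring, probabilistic:", probabilistically_anonymous(RING, 3, FAIR))
    print("biased ring, possibilistic:", nondeterministically_anonymous(RING, 3, BIASED))
    print("biased ring, probabilistic:", probabilistically_anonymous(RING, 3, BIASED))
    o = (0, 1, 0)
    print("pb(O | pays_1), pb(O | pays_0):",
          observation_dist(RING, 3, 1, BIASED)[o],
          observation_dist(RING, 3, 0, BIASED)[o])
    print("fair but disconnected:",
          probabilistically_anonymous(SPLIT, 4, [Fraction(1, 2)] * 2))
```

Cryptographer 1 sits between the two biased coins, so the observation (0, 1, 0) is far more likely when he is the payer; the check models only the external observer, not a participating node j.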

Conclusion

Notion of probabilistic anonymity
– Extending the classic one of Schneider-Sidiropoulos
Application to the example of the generalized dining cryptographers
Verification using the π-calculus
In retrospect, we should have verified the protocol using a probabilistic master