Probabilistic and Nondeterministic Aspects of Anonymity Catuscia Palamidessi, INRIA & LIX Based on joint work with Mohit Bhargava, IIT New Delhi Kostas.

Slides:



Advertisements
Similar presentations
Aaron Johnson with Joan Feigenbaum Paul Syverson
Advertisements

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Partial Order Reduction: Main Idea
How to Schedule a Cascade in an Arbitrary Graph F. Chierchetti, J. Kleinberg, A. Panconesi February 2012 Presented by Emrah Cem 7301 – Advances in Social.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 Nondeterministic Space is Closed Under Complement Presented by Jing Zhang and Yingbo Wang Theory of Computation II Professor: Geoffrey Smith.
Weakening the Causal Faithfulness Assumption
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
Chapter 4 Probability and Probability Distributions
COUNTING AND PROBABILITY
+ The Practice of Statistics, 4 th edition – For AP* STARNES, YATES, MOORE Chapter 6: Random Variables Section 6.3 Binomial and Geometric Random Variables.
MAT 103 Probability In this chapter, we will study the topic of probability which is used in many different areas including insurance, science, marketing,
Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.
Copyright © Cengage Learning. All rights reserved.
Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi
Bangalore, 2 Feb 2005Probabilistic security protocols 1 CIMPA School on Security Specification and verification of randomized security protocols Lecture.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
61 Nondeterminism and Nodeterministic Automata. 62 The computational machine models that we learned in the class are deterministic in the sense that the.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen
The Byzantine Generals Strike Again Danny Dolev. Introduction We’ll build on the LSP presentation. Prove a necessary and sufficient condition on the network.
Composition Model and its code. bound:=bound+1.
Information Theory and Security
. PGM 2002/3 – Tirgul6 Approximate Inference: Sampling.
1 10. Joint Moments and Joint Characteristic Functions Following section 6, in this section we shall introduce various parameters to compactly represent.
Database Systems Normal Forms. Decomposition Suppose we have a relation R[U] with a schema U={A 1,…,A n } – A decomposition of U is a set of schemas.
The physical reductive explainability of phenomenal consciousness and the logical impossibility of zombies Marco Giunti University of Cagliari (Italy)
Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.
PROBABILITY AND STATISTICS FOR ENGINEERING Hossein Sameti Department of Computer Engineering Sharif University of Technology Independence and Bernoulli.
Basics of Probability. A Bit Math A Probability Space is a triple, where  is the sample space: a non-empty set of possible outcomes; F is an algebra.
1 2. Independence and Bernoulli Trials Independence: Events A and B are independent if It is easy to show that A, B independent implies are all independent.
1 TABLE OF CONTENTS PROBABILITY THEORY Lecture – 1Basics Lecture – 2 Independence and Bernoulli Trials Lecture – 3Random Variables Lecture – 4 Binomial.
Epistemic Strategies and Games on Concurrent Processes Prakash Panangaden: Oxford University (on leave from McGill University). Joint work with Sophia.
+ The Practice of Statistics, 4 th edition – For AP* STARNES, YATES, MOORE Chapter 6: Random Variables Section 6.3 Day 1 Binomial and Geometric Random.
Summer 2004CS 4953 The Hidden Art of Steganography A Brief Introduction to Information Theory  Information theory is a branch of science that deals with.
Independence and Bernoulli Trials. Sharif University of Technology 2 Independence  A, B independent implies: are also independent. Proof for independence.
MPRI – Course on Concurrency Probabilistic methods in Concurrency Catuscia Palamidessi INRIA Futurs and LIX
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
Interactive proof systems Section 10.4 Giorgi Japaridze Theory of Computability.
Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX.
Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia.
Conditional Probability Mass Function. Introduction P[A|B] is the probability of an event A, giving that we know that some other event B has occurred.
MPRI – Course on Concurrency Lectures 11 and 12 The pi-calculus expressiveness hierarchy Catuscia Palamidessi INRIA Futurs and LIX
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
6 June Lecture 3 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State university,
Joint Moments and Joint Characteristic Functions.
Fault tolerance and related issues in distributed computing Shmuel Zaks GSSI - Feb
Basic Probability. Introduction Our formal study of probability will base on Set theory Axiomatic approach (base for all our further studies of probability)
The NP class. NP-completeness Lecture2. The NP-class The NP class is a class that contains all the problems that can be decided by a Non-Deterministic.
Chance We will base on the frequency theory to study chances (or probability).
Lecture 4 1 Honnor Projects Supervised by Catuscia Palamidessi The  -calculus, a small language for specification and verification of concurrency and.
The Law of Averages. What does the law of average say? We know that, from the definition of probability, in the long run the frequency of some event will.
16 January 2004LIX1 Equipe Comète Concurrency, Mobility, and Transactions Catuscia Palamidessi INRIA-Futurs and LIX.
Theory of Computational Complexity Probability and Computing Chapter Hikaru Inada Iwama and Ito lab M1.
The NP class. NP-completeness
P & NP.
Probabilistic Algorithms
What is Probability? Quantification of uncertainty.
Copyright © Cengage Learning. All rights reserved.
A Brief Introduction to Information Theory
Information Security CS 526
Alternating tree Automata and Parity games
Information Security CS 526
‘Crowds’ through a PRISM
Information Security CS 526
Presentation transcript:

Probabilistic and Nondeterministic Aspects of Anonymity Catuscia Palamidessi, INRIA & LIX Based on joint work with Mohit Bhargava, IIT New Delhi Kostas Chatzikokolakis, LIX

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 2 Plan of the talk The concept of anonymity Nondeterministic (aka possibilistic) Anonymity Example: the Dining Cryptographers Limitations of the nondeterministic approach The hierarchy of Reiter and Rubin: – Beyond Suspicion and Probable Innocence Formalization of Beyond Suspicion: Conditional anonymity Equivalent formulation for probabilistic users – independence from users’ probabilistic distribution Corresponding formulation for nondeterministic users Formalization of Probable Innocence

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 3 The concept of anonymity Goal: –To ensure that the identity of the agent involved in a certain action remains secret. Some examples of situations in which anonymity may be desirable: –Electronic elections –Delation –Donations –File sharing Some systems: –Crowds [Reiter and Rubin,1998], anonymous communication (anonymity of the sender) –Onion Routing [Syverson, Goldschlag and Reed, 1997] anonymous communication –Freenet [Clarke et al. 2001] anonymous information storage and retrieval

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 4 Formal approaches to Anonymity Concurrency Theory (CSP) –Schneider and Sidiropoulos, 1996 Epistemic Logic –Sylverson and Stubblebine, 1999 –Halpern and O’Neil, 2004 Function views –Hughes and Shmatikov, 2004 These approaches are nondeterministic (except Halpern and O’Neill) although many systems, including Crowds, Onion Routing, and Freenet, use randomized primitives

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 5 Nondeterministic Anonymity We will focus on the “Concurrency theory” approach, which started with the work by Schneider and Sidiropoulos, ESORICS 1996 Systems and protocols for anonymity are describes as CSP processes Actions for which we want anonymity of the agent are modeled as consisting of two components: –the action itself, a, –the identity of the agent performing the action, i a(i) AnonymousAgs: the agents who want to remain secret Given x, define A = { a(i) | i  AnononymousAgs } A protocol described as a process P provides anonymity if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 6 Nondeterministic Anonymity In general, given P, consider the sets: –A = { x(i) | i  AnonymousAgs } : the actions for which we want anonymity –B = the actions that are visible to the observers –C = Actions – (B U A) : The actions we want to hide B C A  The observables to consider for the Anonymity analysis are B U A. In CSP this is obtained by abstracting the system P wrt the actions in C. Definition: The system is anonymous if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 7 Example: The dining cryptographers Problem formulated originally by David Chaum, 1988 The Problem: –Three cryptographers share a meal –The meal is paid either by the organization (master) or by one of them. The master decides who pays –Each of the cryptographers is informed by the master whether or not he is has to pay GOAL: –The cryptographers would like to make known whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 8 The dining cryptographers Crypt (0) Crypt (1) Crypt (2) Master Pays(0)Notpays(0)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 9 The dining cryptographers A nondeterministic solution Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers. The result of each coin-tossing is visible to the adjacent cryptographers, and only to them. Each cryptographer examines the two adjacent coins –If he is not paying, he announces “agree” if the results are the same, and “disagree” otherwise. –If he is paying, he says the opposite

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 10 The dining cryptographers Crypt (0) Crypt (1) Crypt (2) Master Coin( 2) Coin (1) Coin (0) Pays(0)Notpays(0) look02 agree1 / disagree1

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 11 The dining cryptographers Properties of the solution Proposition 1: if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying. Proposition 2 (Anonymity): In the latter case, if the coins are fair then the non paying cryptographers and the external observers will not be able to deduce who is paying

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 12 The dining cryptographers - Automatic verification Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP and FDR. –The protocol : system P of parallel CSP processes (master, cryptographers, coins) –A (anonymous actions): pays(0), pays(1), pays(2) –B (observable actions): For an external observer: agree0, disagree0, …, disagree2 For cryptographer Crypto(0): agree0, disagree0, …, disagree2, look00, look10 –C (hidden actions): the other results of coins: look i j –Observables : all traces of P abstracting from C For every permutation ρ on A, we have ρ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 13 Limitations of the nondeterministic approach The nondeterministic components may be produced by random devices – nondeterministic coin  random coin An observer may deduce probabilistic info about the system from the probability distribution of the devices. The probability distribution of the devices may be inferred statistically by repeating the observations The leakage of probabilistic info is not captured by the nondeterministic formulation

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 14 Limitations of the nondeterministic approach Example. Suppose that we observe with high frequency one of the following results. What can we infer from them? a a d We can deduce that the coins are biased, and how Therefore we can probabilistically guess who is the payer This breach in anonymity is not detected by the nondeterministic approach (as long as the fourth possible configuration appears, from time to time). In a sense the nondeterministic notion of anonymity is too weak. d a a d d d H H T p p p H H T H H T

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 15 By introducing probabilities we can distinguish different levels of strength Example: Crowds [Reiter and Robin 98] –a system designed to provide the anonymity of the originator of a message. –The originator sends the message to another user selected randomly, who in turns forwards the message to another user, and so on, until the message reaches its destination. Reiter and Robin proposed the following (informal) hierarchy –Beyond suspicion: from the point of view of the observer, the sender appears no more likely than any other agent to be the originator –Probable innocence: … the sender appears no more likely to be the originator than not to be –Possible innocence: … there is a non trivial probability that the sender is not the originator Reiter and Robin proved “probable innocence” of Crowds under certain conditions. In the nondeterministic approach the hierarchy collapses at the lowest level Reiter and Robin ‘s hierarchy originator sender observer destination

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 16 The rest of this talk is dedicated to generalizing and formalizing the notions of probabilistic anonymity. In particular, “beyond suspicion” and “probable innocence” We describe the random mechanisms of the protocol probabilistically. The users may be probabilistic or nondeterministic We use (a simplified form of) Segala and Lynch’s probabilistic automata, which can represent both probabilistic and nondeterministic behavior

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 17 Fully probabilistic automata a b c b c 1/2 2/3 1/3 1/2 1/3 Observable actions: a, b, c Execution: a path from the root to a leaf Probability of an execution: the product of the probabilities on the edges Event: a set of executions Probability of an event: the sum of the probabilities of the executions Examples: The event c has probability p(c) = 1/2 + 1/6 = 2/3 The event ab has probability p(ab) = 1/6 + 1/18 = 2/9

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 18 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 19 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a  

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 20 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  p  (a) = 1/4 1/2 a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 21 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 22 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  p  (a) = 1/9 1/3 2/3 a 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 23 Notation and assumptions Conditional probability: p(x | y) = p(x and y) / p(y) Events: –a(i) : user i has performed anonymous action a –a = U i a(i) : anonymous action a has been performed –o = b 1 …b n : observable actions b 1, …, b n have been performed We assume –The a(i) ‘s form a partition of a –Each observable event o implies either a or not a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 24 Formalization of anonymity: first attempt The immediate interpretation of the notions of Reiter and Rubin: Beyond suspicion: Forall i, j, o. p(a(i) | o) = p(a(j) | o) Probable innocence: Forall i, j, o. p(a(i) | o) < p(not a(i) | o) Possible innocence: Forall i, j, o. p(a(i) | o) < 1 However: -These notions do not apply for nondeterministic users -They depend on the probability distribution of the users -We expect “beyond suspicion” to hold for the Dining Cryptographers with fair coins, and “probable innocence” to hold for Crowds, but the above notions (in general) don’t hold

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 25 Formalization of “beyond suspicion” The property which has been proved by Chaum for the dining cryptographers with probabilistic users and probabilistic fair coins is : Forall i, j, o. p(a(i) | o) = p(a(i) | a) Namely: the observation of o does not add anything to the knowledge of the probability of a(i), except that the action a has been performed. This is similar to the property called conditional anonymity by Halpern and O’Neill Problems: –In general it may depend on the probability distribution of the users –Not applicable for nondeterministic users

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 26 Formalization of “beyond suspicion” Proposition: Forall i, j, o. if o  a then p(a(i) | o) = p(a(i) | a) (*) is equivalent to Forall i, j, o. if p(a(i)) > 0 and p(a(j)) > 0 then p(o | a(i) ) = p(o | a(j)) (**) Proposition: if the choice of the a(i)’s is done only once, then the formula (**) does not depend on the probability distribution of the a(i)’s The corresponding definition, for nondeterministic users: Forall i, j, o, if  selects a(i), and  selects a(j), then p  (o) = p  (o) (***) Proposition: (***) is satisfied by the dining cryptographers with fair coins and nondeterministic users (master)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 27 a(1) a(2) a(3) not a p1p1 p2p2 p3p3 p q q q o o o p(o | a(i)) = p(o and a(i)) / p(a(i) = q p i /p i = q p(o | a(j)) Independence from the probability distribution of the a(i)’s =

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 28 a(1) a(2) a(3) not a q q q o o o p s (o) = q  p d (o) Nondeterministic users =

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 29 Formalization of “probable innocence” (ongoing work) We assume here that a is always performed Probabilistic users: Forall i, j, o. if p(a(i)) > 0 and p(a(i)) < 1 then p(o | a(i) ) < p(o | not a(i)) Nondeterministic users: Forall i, j, o. if s selects a(i) and d does not select a(i) then p  (o) < p  (o) In the case of Crowds, this property corresponds to the one which has been effectively proved by Reiter and Rubin

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 30 Conclusion Notion of probabilistic anonymity –Probabilistic users: conditional probability –Nondeterministic users: scheduler –Beyond suspicion and probable innocence Application to the example of the Dining Cryptographers and Crowds

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 31 The randomized dining cryptographers Each cryptographer tosses a probabilistic coin the master is probabilistic All the rest is the same as before. In case the coins are fair, this system is, intuitively, anonymous in the strongest sense (beyond suspicion). Note that this is true independently of the probability distribution of the master. However the formulation based on a “naïve” interpretation of Reiter and Robin’s definition fails, because in general pb(ax) =/= pb(bx) (they depend on the probability distribution of the master) We need to take into account the perspective and limitations of the observer, somehow. Idea: the system is (strongly) anonymous if the agent cannot be inferred from the observations. Namely, the probability of an observation does not depend on the agent. Concept of conditional probability

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 32 Conditional probability (1/3) We propose a notion of anonymity based on conditional probability A brief recall of the notion of conditional probability Puzzle: –A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty –After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty –Then the king offers to the guest to exchange the box he picked with the other (closed) one –Question: should the guest exchange?

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 33 Conditional probability (2/3) Answer: it depends on whether the king opens intentionally an empty box, or not. In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring. We can explain this outcome by using the notion of conditional probability.

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 34 Conditional probability (3/3) pb(X|Y) = conditional probability of X given Y = pb(X and Y) / pb(Y) Let us consider again the puzzle in Case 2 B i = Box i contains the ring Initially: pb(B 1 ) = pb(B 2 ) = pb(B 3 ) = 1/3 After opening one box, say Box 1, if it turns out to be empty, we have: pb(B 2 ) = pb(B 2 | not B 1 ) = pb(B 2 and not B 1 ) / pb(not B 1 ) = pb(B 2 )/pb(not B 1 ) = (1/3) / (2/3) = 1 / 2

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 35 Probabilistic Anonymity (1/2) Remember that given a system we consider the sets: –A = { ax | a  AnonAgs } : the actions for which we want anonymity –B = the actions visible to the observer –C = Actions – (B U A) : The actions we hide B C A 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 36 Probabilistic Anonymity (2/2) Definition: The system is (strongly) anonymous if for every nonderministic choice, for every observation O, and for every anonymous agents a and b, we have pb(O | ax) = pb(O | bx) namely, the probability of an observable does not depend on the identity of the agent who performed the action Proposition: Each of the following conditions is equivalent to anonymity –pb(ax | O 1 ) = pb(ax | O 2 ), for every ax  A and for every O 1, O 2 in which x happens –pb(ax | O) = pb(ax) / pb(x), for every ax  A and for every O in which x happens Note that the “natural” probabilistic extension of the definition of Schneider/ Sidiropoulos would be pb(ax and O) = pb(bx and O), or equivalently pb(ax | O) = pb(bx | O), However in general pb(ax and O) is not equal to pb(bx and O), (this is easy to check, for instance, on the example of the randomized dining cryptographers) hence the latter cannot be a good definition of probabilistic anonymity

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 37 Verification in probabilistic  -calculus We have verified the anonymity of the randomized solution to the dining cryptographers by using the probabilistic  -calculus. –The protocol : system P of parallel processes: Master: probabilistic (blind) Coins: probabilistic (blind) Cryptographers: deterministic –A (anonymous actions): pays 0, notpays 0, …, notpays 2 chosen probabilistically –B (observable actions): agree 0, disagree 0, …, disagree 2,, plus the result of the adjacent coins for the internal observers Determined by the choice of the master and of the coins –C (hidden actions): results of the other coins chosen probabilistically For every i,k, and for every combination O of agree/disagree, we have ρb(O | pays i ) = pb(O | pays k ) Note: the probabilities are defined on the computations of P. For instance, pb(O) is the measure of all the computations in which we get O

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 38 The generalized dining philosophers In general, given an arbitrary graph, where the nodes represent the cryptographers, and the arcs the coins, we can extend the protocol as follows: –b i = 0 if cryptographer i does not pay, b i = 1 otherwise –coin k = 0 if coin k gives head, coin k = 1 otherwise –crypt i = output of cryptographer i, calculated as follows: crypt i =  k adjacent i coin k + b i where the sums are binary Crypt i Coin k

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 39 The protocol in the general case Proposition: there is a payer iff  i crypt i = 0 Proof: just observe that in this sum each coin k is counted twice. Furthermore there is at most one k s.t. b k = 1. Hence the result is 0 iff there is no k s.t. b k = 1. Proposition: If all the coins are fair, and the graph is connected, then –the system is anonymous for every external observer –the system is anonymous for any node j such that, if we remove j and all its adjacent arcs, the rest of the graph is still connected