Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX.

Published byDorothy McLaughlin Modified over 9 years ago

Similar presentations

Presentation on theme: "Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX."— Presentation transcript:

1 Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX

2 Cachan, 13 December 2004 Probabilistic Anonymity 2 Plan of the talk The concept of anonymity Anonymity and nondeterminism Example: the Dining Cryptographers Conditional probability Anonymity and randomization The randomized Dining Cryptographers Analysis and verification in probabilistic π- calculus Generalized D.C. Conclusion

3 Cachan, 13 December 2004 Probabilistic Anonymity 3 The concept of anonymity Goal: –To ensure that a certain part of an information becomes public while another part of it remains secret. –Typically, what we want to maintain secret is the identity of the agent involved Examples: –Electronic elections –Delation We will consider the case of in which the information to make public is whether or not a certain event has taken place, and the information to hide is the identity of the agent performing that event

4 Cachan, 13 December 2004 Probabilistic Anonymity 4 Anonymity and nondeterminism (1/2) Work by Schneider and Sidiropoulos, ESORICS 1996 Events are modeled as consisting of two components: the event itself, x, and the identity of the agent performing the event, a ax AnonyAgs: the agents who want to remain secret Given x, define A = {ax | a  AnonyAgs } A protocol described as a process P provides anonymity if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A (Obs(P)) = Obs(P)

5 Cachan, 13 December 2004 Probabilistic Anonymity 5 Anonymity and nondeterminism (2/2) In general, given P, consider the sets: –A = { ax | a  AnonyAgs } : the actions that we want to know only partially (we want to know x but not a) –B : the actions that we want to observe –C = Actions – (B U A) : The actions we want to hide B C A  The observables to consider for the Anonymity analysis must abstract wrt the events in C. Definition: The system is anonymous if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A (Obs(P)) = Obs(P)

6 Cachan, 13 December 2004 Probabilistic Anonymity 6 The dining cryptographers (1/6) Problem and solution formulated originally by David Chaum, J. Cryptology, 1988 The Problem: –Three cryptographers share a meal –The meal is paid either by the organization (master) or by one of them. The master decides who pays –Each of the cryptographers is informed by the master whether or not he is has to pay GOAL: –The cryptographers would like to know whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master

7 Cachan, 13 December 2004 Probabilistic Anonymity 7 The dining cryptographers (2/6) Crypt (0) Crypt (1) Crypt (2) Master pays0notpays0

8 Cachan, 13 December 2004 Probabilistic Anonymity 8 The dining cryptographers (3/6) A solution Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers. The result of each coin-tossing is visible to the adjacent cryptographers, and only to them. Each cryptographer examines the two adjacent coins –If he is paying, he announces “agree” if the results are the same, and “disagree” otherwise. –If he is not paying, he says the opposite

9 Cachan, 13 December 2004 Probabilistic Anonymity 9 The dining cryptographers (4/6): A solution Crypt (0) Crypt (1) Crypt (2) Master Coin( 2) Coin (1) Coin (0) pays0notpays0 look20 agree1 / disagree1

10 Cachan, 13 December 2004 Probabilistic Anonymity 10 The dining cryptographers (5/6) Properties of the solution Proposition 1 (Public information): if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying. Proposition 2 (Anonymity): In the latter case, if the coin is fair then the non paying cryptographers and the external observers will not be able to deduce whom exactly is paying

11 Cachan, 13 December 2004 Probabilistic Anonymity 11 The dining cryptographers (6/6) Automatic verification Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP. –The protocol : system P of parallel CSP processes (master, cryptographers, coins) –A (anonymous events): pays0, notpays0, …, notpays2 –B (observable events): agree0, disagree0, …, disagree2 –C (hidden events): results of coins –Observables : all traces of P with events from C removed For every permutation ρ on A, we have ρ(Obs(P)) = Obs(P)

12 Cachan, 13 December 2004 Probabilistic Anonymity 12 Limitations of the nondeterministic approach The nondeterministic components must be produced by random devices – nondeterministic coin  random coin An observer may deduce info about the system from the probability distribution of the devices. This possibility is not captured by the nondeterministic formulation: The nondeterministic definition is “too coarse” –For example, if we know that two adjacent coins are biased, we can deduce when the corresponding cryptographer is likely to be lying The probability distribution of the devices may be guessed by testing the system –For example in if the cryptographers are more than 3, we can deduce that two coins are biased by looking at the results several times

13 Cachan, 13 December 2004 Probabilistic Anonymity 13 Conditional probability (1/3) We propose a notion of anonymity based on conditional probability A brief recall of the notion of conditional probability Puzzle: –A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty –After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty –Then the king offers to the guest to exchange the box he picked with the other (closed) one –Question: should the guest exchange?

14 Cachan, 13 December 2004 Probabilistic Anonymity 14 Conditional probability (2/3) Answer: it depends on whether the king opens intentionally an empty box, or not. In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring

15 Cachan, 13 December 2004 Probabilistic Anonymity 15 Conditional probability (3/3) pb(X|Y) = conditional probability of X given Y = pb(X and Y) / pb(Y) Let us consider again the puzzle in Case 2 B i = Box i contains the ring Initially: pb(B 1 ) = pb(B 2 ) = pb(B 3 ) = 1/3 After opening one box, say Box 1, if it turns out to be empty, we have: pb(B 2 ) = pb(B 2 | not B 1 ) = pb(B 2 and not B 1 ) / pb(not B 1 ) = pb(B 2 )/pb(not B 1 ) = (1/3) / (2/3) = 1 / 2

16 Cachan, 13 December 2004 Probabilistic Anonymity 16 Anonymity and randomization (1/2) Remember that, given P, we consider the sets: –A = { ax | a  AnonyAgs } : the actions that we want to know only partially (we want to know x but not a) –B : the actions that we want to observe (it may include x but not a) –C = Actions – (B U A) : The actions we want to hide B C A 

17 Cachan, 13 December 2004 Probabilistic Anonymity 17 Anonymity and randomization (2/2) The observables must abstract wrt C Definition: The system is anonymous if for every nonderministic choice, for every observations O 1,O 2 in which x happens, and for every action ax  A, we have pb(ax | O 1 ) = pb(ax | O 2 ) i.e. the observables do not allow to deduce anything about the identity of the agent Equivalently: for every O, a and b, we have pb(O | ax) = pb(O | bx) namely, the probability of an observable does not depend on the identity of the agent Note that the second formulation can be regarded as the probabilistic version of the definition of Schneider/ Sidiropoulos Note that in general pb(ax | O) =/= pb(bx | O), hence the latter cannot be a good definition of probabilistic anonymity

18 Cachan, 13 December 2004 Probabilistic Anonymity 18 The randomized dining cryptographers Each cryptographer tosses a probabilistic coin All the rest is the same as before. In particular, the master is nondeterministic

19 Cachan, 13 December 2004 Probabilistic Anonymity 19 Verification in probabilistic  -calculus We have verified the anonymity of the randomized solution to the dining cryptographers by using the probabilistic  -calculus. –The protocol : system P of parallel processes: Master: nondeterministic (blind) Coins: probabilistic (blind) Cryptographers: deterministic –A (anonymous events): pays 0, notpays 0, …, notpays 2 combination chosen nondeterministically –C (hidden events): results of coins chosen probabilistically –B (observable events): agree 0, disagree 0, …, disagree 2 Determined by the choice of the master and of the coins –Observables : all traces of P with events from C removed For every i,k, and for every combination O of agree/disagree, we have ρb(O | pays i ) = pb(O | pays k )

20 Cachan, 13 December 2004 Probabilistic Anonymity 20 The generalized dining philosophers In general, given an arbitrary graph, where the nodes represent the cryptographers, and the arcs the coins, we can extend the protocol as follows: –b i = 0 if cryptographer i does not pay, b i = 1 otherwise –coin k = 0 if coin k gives head, coin k = 1 otherwise –crypt i = output of cryptographer i, calculated as follows: crypt i =  k adjacent i coin k + b i where the sums are binary Crypt i Coin k

21 Cachan, 13 December 2004 Probabilistic Anonymity 21 The protocol in the general case Proposition: there is a payer iff  i crypt i = 0 Proof: just observe that in this sum each coin k is counted twice. Furthermore there is at most one k s.t. b k = 1. Hence the result is 0 iff there is no k s.t. b k = 1. Proposition: If all the coins are fair, and the graph is connected, then –the system is anonymous for every external observer –the system is anonymous for any node j such that, if we remove j and all its adjacent arcs, the rest of the graph is still connected

22 Cachan, 13 December 2004 Probabilistic Anonymity 22 Conclusion Notion of probabilistic anonymity –Extending the classic one of Schneider- Sidiropoulos Application to the example of the generalized dining cryptographers Verification using the  -calculus In retrospect, we should have verified the protocol using a probabilistic master

Download ppt "Probabilistic Anonymity Mohit Bhargava, IIT New Delhi Catuscia Palamidessi, INRIA Futurs & LIX."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Logic Puzzles and Modal Logic. Closure properties in modal logic.

Logic Puzzles and Modal Logic. Closure properties in modal logic.
How to Schedule a Cascade in an Arbitrary Graph F. Chierchetti, J. Kleinberg, A. Panconesi February 2012 Presented by Emrah Cem 7301 – Advances in Social.

How to Schedule a Cascade in an Arbitrary Graph F. Chierchetti, J. Kleinberg, A. Panconesi February 2012 Presented by Emrah Cem 7301 – Advances in Social.
1 Nondeterministic Space is Closed Under Complement Presented by Jing Zhang and Yingbo Wang Theory of Computation II Professor: Geoffrey Smith.

1 Nondeterministic Space is Closed Under Complement Presented by Jing Zhang and Yingbo Wang Theory of Computation II Professor: Geoffrey Smith.
Week11 Parameter, Statistic and Random Samples A parameter is a number that describes the population. It is a fixed number, but in practice we do not know.

Week11 Parameter, Statistic and Random Samples A parameter is a number that describes the population. It is a fixed number, but in practice we do not know.
Hypothesis Testing A hypothesis is a claim or statement about a property of a population (in our case, about the mean or a proportion of the population)

Hypothesis Testing A hypothesis is a claim or statement about a property of a population (in our case, about the mean or a proportion of the population)
Playing Fair at Sudoku Joshua Cooper USC Department of Mathematics.

Playing Fair at Sudoku Joshua Cooper USC Department of Mathematics.
Chapter 8: Binomial and Geometric Distributions

Chapter 8: Binomial and Geometric Distributions
Chapter 4 Mathematical Expectation.

Chapter 4 Mathematical Expectation.
Chapter 4 Probability and Probability Distributions

Chapter 4 Probability and Probability Distributions
+ The Practice of Statistics, 4 th edition – For AP* STARNES, YATES, MOORE Chapter 6: Random Variables Section 6.3 Binomial and Geometric Random Variables.

+ The Practice of Statistics, 4 th edition – For AP* STARNES, YATES, MOORE Chapter 6: Random Variables Section 6.3 Binomial and Geometric Random Variables.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.

Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.
Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi

Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi
Chapter 5 Understanding Randomness

Chapter 5 Understanding Randomness
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Bangalore, 2 Feb 2005Probabilistic security protocols 1 CIMPA School on Security Specification and verification of randomized security protocols Lecture.

Bangalore, 2 Feb 2005Probabilistic security protocols 1 CIMPA School on Security Specification and verification of randomized security protocols Lecture.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Excursions in Modern Mathematics, 7e: 15.1 - 1Copyright © 2010 Pearson Education, Inc. 15 Chances, Probabilities, and Odds 15.1Random Experiments and Sample.

Excursions in Modern Mathematics, 7e: Copyright © 2010 Pearson Education, Inc. 15 Chances, Probabilities, and Odds 15.1Random Experiments and Sample.

Similar presentations

Ads by Google