Probabilistic Anonymity

1
Probabilistic Anonymity

• Mohit Bhargava, IIT New Delhi
• Catuscia Palamidessi, INRIA Futurs LIX

2
Plan of the talk

• The concept of anonymity
• Anonymity and nondeterminism
• Example the Dining Cryptographers
• Conditional probability
• Anonymity and randomization
• The randomized Dining Cryptographers
• Analysis and verification in probabilistic
  p-calculus
• Generalized D.C.
• Conclusion

3
The concept of anonymity

• Goal
• To ensure that a certain part of an information
  becomes public while another part of it remains
  secret.
• Typically, what we want to maintain secret is the
  identity of the agent involved
• Examples
• Electronic elections
• Delation
• We will consider the case of in which the
  information to make public is whether or not a
  certain event has taken place, and the
  information to hide is the identity of the agent
  performing that event

4
Anonymity and nondeterminism (1/2)

• Work by Schneider and Sidiropoulos, ESORICS 1996
• Events are modeled as consisting of two
  components the event itself, x, and the identity
  of the agent performing the event, a
• ax
• AnonyAgs the agents who want to remain secret
• Given x, define A ax a ? AnonyAgs
• A protocol described as a process P provides
  anonymity if an arbitrary permutation ?A of the
  events in A, applied to the observables of P,
  does not change the observables
• ?A(Obs(P)) Obs(P)

5
Anonymity and nondeterminism (2/2)

• In general, given P, consider the sets
• A ax a ? AnonyAgs the actions that we
  want to know only partially (we want to know x
  but not a)
• B the actions that we want to observe
• C Actions (B U A) The actions we want to
  hide

A
?
The observables to consider for the Anonymity
analysis must abstract wrt the events in C.
Definition The system is anonymous if an
arbitrary permutation ?A of the events in A,
applied to the observables of P, does not change
the observables ?A(Obs(P)) Obs(P)
B
C
6
The dining cryptographers (1/6)

• Problem and solution formulated originally by
  David Chaum, J. Cryptology, 1988
• The Problem
• Three cryptographers share a meal
• The meal is paid either by the organization
  (master) or by one of them. The master decides
  who pays
• Each of the cryptographers is informed by the
  master whether or not he is has to pay
• GOAL
• The cryptographers would like to know whether the
  meal is being paid by the master or by one of
  them, but without knowing who among them, if any,
  is paying. They cannot involve the master

7
The dining cryptographers (2/6)
8
The dining cryptographers (3/6)A solution

• Each cryptographer tosses a nondeterministic
  coin. Each coin is in between two cryptographers.
• The result of each coin-tossing is visible to the
  adjacent cryptographers, and only to them.
• Each cryptographer examines the two adjacent
  coins
• If he is paying, he announces agree if the
  results are the same, and disagree otherwise.
• If he is not paying, he says the opposite

9
The dining cryptographers (4/6)A solution
Crypt(0)
pays0
notpays0
Coin(0)
Coin(1)
look20
Master
Crypt(2)
Crypt(1)
Coin(2)
agree1 / disagree1
10
The dining cryptographers (5/6)Properties of the
solution

• Proposition 1 (Public information) if the number
  of disagree is even, then the master is paying.
  Otherwise, one of them is paying.
• Proposition 2 (Anonymity) In the latter case, if
  the coin is fair then the non paying
  cryptographers and the external observers will
  not be able to deduce whom exactly is paying

11
The dining cryptographers (6/6)Automatic
verification

• Schneider and Sidiropoulos verified the anonymity
  of the solution to the dining cryptographers by
  using CSP.
• The protocol system P of parallel CSP processes
  (master, cryptographers, coins)
• A (anonymous events) pays0, notpays0, ,
  notpays2
• B (observable events) agree0, disagree0, ,
  disagree2
• C (hidden events) results of coins
• Observables all traces of P with events from C
  removed
• For every permutation ? on A, we have
• ?(Obs(P)) Obs(P)

12
Limitations of the nondeterministic approach

• The nondeterministic components must be produced
  by random devices
• nondeterministic coin ? random coin
• An observer may deduce info about the system from
  the probability distribution of the devices.
• This possibility is not captured by the
  nondeterministic formulation The
  nondeterministic definition is too coarse
• For example, if we know that two adjacent coins
  are biased, we can deduce when the corresponding
  cryptographer is likely to be lying
• The probability distribution of the devices may
  be guessed by testing the system
• For example in if the cryptographers are more
  than 3, we can deduce that two coins are biased
  by looking at the results several times

13
Conditional probability (1/3)

• We propose a notion of anonymity based on
  conditional probability
• A brief recall of the notion of conditional
  probability
• Puzzle
• A king offers to a guest to pick one of three
  closed boxes. One contains a diamond, the other
  two are empty
• After the guest has picked a box, the king opens
  one of the other two boxes and shows that it is
  empty
• Then the king offers to the guest to exchange the
  box he picked with the other (closed) one
• Question should the guest exchange?

14
Conditional probability (2/3)

• Answer it depends on whether the king opens
  intentionally an empty box, or not.
• In the first case, the guest should better change
  his choice since the other box has now
  probability 2/3 to contain the ring
• In the second case, it does not matter. Both the
  remaining closed boxes have now probability ½ to
  contain the ring

15
Conditional probability (3/3)

• pb(XY) conditional probability of X
  given Y
• pb(X and Y) / pb(Y)
• Let us consider again the puzzle in Case 2
• Bi Box i contains the ring
• Initially pb(B1) pb(B2) pb(B3) 1/3
• After opening one box, say Box 1, if it turns out
  to be empty, we have
• pb(B2) pb(B2 not B1)
• pb(B2 and not B1) / pb(not B1)
• pb(B2)/pb(not B1)
• (1/3) / (2/3)
• 1 / 2

16
Anonymity and randomization (1/2)

• Remember that, given P, we consider the sets
• A ax a ? AnonyAgs the actions that we
  want to know only partially (we want to know x
  but not a)
• B the actions that we want to observe (it may
  include x but not a)
• C Actions (B U A) The actions we want to
  hide

A
?
B
C
17
Anonymity and randomization (2/2)

• The observables must abstract wrt C
• Definition The system is anonymous if for every
  nonderministic choice, for every observations
  O1,O2 in which x happens, and for every action
  ax ? A, we have
• pb(ax O1) pb(ax O2)
• i.e. the observables do not allow to deduce
  anything about the identity of the agent
• Equivalently for every O, a and b, we have
• pb(O ax) pb(O bx)
• namely, the probability of an observable does
  not depend on the identity of the agent
• Note that the second formulation can be regarded
  as the probabilistic version of the definition of
  Schneider/ Sidiropoulos
• Note that in general pb(ax O) / pb(bx O),
  hence the latter cannot be a good definition of
  probabilistic anonymity

18
The randomized dining cryptographers

• Each cryptographer tosses a probabilistic coin
• All the rest is the same as before. In
  particular, the master is nondeterministic

19
Verification in probabilistic p-calculus

• We have verified the anonymity of the randomized
  solution to the dining cryptographers by using
  the probabilistic p-calculus.
• The protocol system P of parallel processes
• Master probabilistic (blind)
• Coins probabilistic (blind)
• Cryptographers deterministic
• A (anonymous events) pays0, notpays0, ,
  notpays2
• combination chosen nondeterministically
• C (hidden events) results of coins
• chosen probabilistically
• B (observable events) agree0, disagree0, ,
  disagree2
• Determined by the choice of the master and of the
  coins
• Observables all traces of P with events from C
  removed

20
The generalized dining philosophers

• In general, given an arbitrary graph, where the
  nodes represent the cryptographers, and the arcs
  the coins, we can extend the protocol as follows
  
• bi 0 if cryptographer i does not pay,
• bi 1 otherwise
• coink 0 if coin k gives head,
• coink 1 otherwise
• crypti output of cryptographer i,
• calculated as follows
• crypti Sk adjacent i coink bi
• where the sums are binary

Crypti
Coink
21
The protocol in the general case

• Proposition there is a payer iff
• Si crypti 0
• Proof just observe that in this sum each coink
  is counted twice. Furthermore there is at most
  one k s.t. bk 1. Hence the result is 0 iff
  there is no k s.t. bk 1.
• Proposition If all the coins are fair, and the
  graph is connected, then
• the system is anonymous for every external
  observer
• the system is anonymous for any node j such
  that, if we remove j and all its adjacent arcs,
  the rest of the graph is still connected

22
Conclusion

• Notion of probabilistic anonymity
• Extending the classic one of Schneider-Sidiropoulo
  s
• Application to the example of the generalized
  dining cryptographers
• Verification using the p-calculus
• In retrospect, we should have verified the
  protocol using a probabilistic master