Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia.

Published byFrederick Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia."— Presentation transcript:

1 Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia Palamidessi LIX, Ecole Polytechnique kostas@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: http://mpri.master.univ-paris7.fr/C-2-3.html

2 Paris, 17 December 2007MPRI Course on Concurrency 2 Plan of the lecture Randomized protocols for security Focus on protection of identity (anonymity) –The dining cryptographers Correctness of the protocol Anonymity analysis –Crowds (a protocol for anonymous web surfing)

3 Paris, 17 December 2007MPRI Course on Concurrency 3 Anonymity: particular case of Privacy To prevent information from becoming known to unintended agents or entities Protection of private data (credit card number, personal info etc.) Anonymity: protection of identity of an user performing a certain action Unlinkability: protection of link between information and user Unobservability: impossibility to determine what the user is doing More properties and details at www.freehaven.net/anonbib/cache/terminology.pdfwww.freehaven.net/anonbib/

4 Paris, 17 December 2007MPRI Course on Concurrency 4 Anonymity Hide the identity of a user performing a given action The action itself might be revealed Many applications Anonymous web-surfing Anonymous posting on forums Elections Anonymous donation Protocols for anonymity often use randomization

5 Paris, 17 December 2007MPRI Course on Concurrency 5 The dining cryptographers A simple anonymity problem Introduced by Chaum in 1988 Chaum proposed a solution satisfying the so- called “strong anonymity”

6 Paris, 17 December 2007MPRI Course on Concurrency 6 The problem Three cryptographers share a meal with a master In the end the master decides who pays It can be himself, or a cryptographer The master informs each cryptographer individually The cryptographers want to find out if - one of them pays, or - it is the master who pays Anonymity requirement: the identity of the paying cryptographer (if any) should not be revealed C0C0 C1C1 Master Pay Don’t pay C1C1

7 Paris, 17 December 2007MPRI Course on Concurrency 7 The protocol C0C0 C1C1 C2C2 Coin agree / disagree Each pair of adjacent cryptographers flips a coin Each cryptographer has access only to its adjacent coins Each cryptographer looks at the coins and declares agree if the coins have the same value and disagree otherwise If a cryptographer is the payer he will say the opposite Consider the number of disagrees: odd: a cryptographer is paying even: the master is paying

8 Paris, 17 December 2007MPRI Course on Concurrency 8 Examples C0C0 C1C1 Heads Tails Heads disagree agree disagree C2C2 the master pays C0C0 C1C1 Tails Heads agree disagree agree C2C2 payer

9 Paris, 17 December 2007MPRI Course on Concurrency 9 Correctness of the protocol Let v i ∈ {0,1} be the value of coin i Each cryptographer announces v i-1 +v i where + is the sum modulo 2: - 0 means agree - 1 means disagree The payer announces v i-1 +v i +1 The total sum is - (v 0 +v 1 ) + (v 1 +v 2 ) + (v 2 +v 0 ) = 0 if the master pays - (v 0 +v 1 +1) + (v 1 +v 2 ) + (v 2 +v 0 ) = 1 if a cryptographer (C 1 ) pays C0C0 C1C1 C2C2 v1v1 v0v0 v2v2 v 0 +v 1 +1 v 1 +v 2 v 2 +v 0 payer

10 Paris, 17 December 2007MPRI Course on Concurrency 10 Correctness of the protocol The protocol is correct for any (connected) network graph The key idea is that all coins are added twice, so the cancel out Only the extra 1 added by the payer (if there is a payer) remains Note: this protocol could be extended to broadcast data anonymously, but the problem is that there in no distributed, efficient way to ensure that there is only one agent communicating the datum at each moment.

11 Paris, 17 December 2007MPRI Course on Concurrency 11 Anonymity of the protocol How can we define the notion of anonymity? First we have to fix the notion of observable: The anonymity property change depending on who is the observer / what actions he can see - An external observer can only see the declarations - One of the cryptographers can also see some of the coins

12 Paris, 17 December 2007MPRI Course on Concurrency 12 Notion of anonymity Observables... a1a1 amam o1o1 onon Protocol identity (info to be protected) Input Output Once we have fixed the observables, the protocol can be seen as a channel

13 Paris, 17 December 2007MPRI Course on Concurrency 13 Notion of anonymity Protocols are noisy channels... a1a1 amam o1o1 onon

14 Paris, 17 December 2007MPRI Course on Concurrency 14 Notion of anonymity Example: The protocol of the dining cryptographers C0C0 C2C2 aad C1C1 ada daa ddd

15 Paris, 17 December 2007MPRI Course on Concurrency 15 Notion of anonymity The conditional probabilities... a1a1 amam o1o1 onon p(o n |a 1 ) p(o 1 |a 1 )

16 Paris, 17 December 2007MPRI Course on Concurrency 16 Notion of anonymity The conditional probabilities form a matrix. In general the notion of anonymity will depend on these conditional probabilities... a1a1 amam o1o1 onon p(o n |a 1 )p(o 1 |a 1 ) p(o 1 |a m )p(o n |a m )...

17 Paris, 17 December 2007MPRI Course on Concurrency 17 Notions of strong anonymity In the following, a, a′ are hidden events, o is an observable 1. [Halpern and O’Neill - like] for all a, a′: p(a|o) = p(a′|o) 2. [Chaum], [Halpern and O’Neill]: for all a, o: p(a|o) = p(a) 3. [Bhargava and Palamidessi]: for all a, a′, o: p(o|a) = p(o|a′) (2) and (3) are equivalent. Exercise: prove it (1) is equivalent to (2),(3) plus p(a) = p(a′) for all a, a′ the condition for all a, a′ p(a) = p(a′) depends on the input’s distribution rather than on the features of the protocol

18 Paris, 17 December 2007MPRI Course on Concurrency 18 Anonymity in the Dining Cryptographers For an external observer the only observable actions are sequences of agree/disagree (daa, ada, aad,...) Strong anonymity: different payers produce the observables with equal probability p(daa | C 0 pays) = p(daa | C 1 pays) p(daa | C 0 pays) = p(daa | C 2 pays) p(ada | C 0 pays) = p(ada | C 1 pays)... This is equivalent to requiring that p(C i pays) = p(C i pays | o 0 o 1 o 2 )

19 Paris, 17 December 2007MPRI Course on Concurrency 19 Expressing the protocol in probabilistic (value passing) CCS Advantage: use model checker of probabilistic CCS to compute the conditional probabilities automatically

20 Paris, 17 December 2007MPRI Course on Concurrency 20 Expressing the protocol in probabilistic (value-passing) CCS Observables Anonymous action Probabilistic choices

21 Paris, 17 December 2007MPRI Course on Concurrency 21 Probabilistic automaton associated to the probabilistic π program for the D.C. aaa Assume we already fixed the scheduler

22 Paris, 17 December 2007MPRI Course on Concurrency 22 Anonymity of the protocol Assuming fair coins, we compute these probabilities Strong anonymity is satisfied daaadaaadddd C0C0C0C0 1/4 C1C1C1C1 C2C2C2C2

23 Paris, 17 December 2007MPRI Course on Concurrency 23 Anonymity of the protocol If the coins are unfair this is no longer true For example, if p(heads) = 0.7 Now if we see daa, we know that c1 is more likely to be the payer daaadaaadddd C0C0C0C0 0.370.21 C1C1C1C1 0.370.21 C2C2C2C2 0.370.21

24 Paris, 17 December 2007MPRI Course on Concurrency 24 Anonymity of the protocol Even if we don’t know the fact that the coins are unfair, we could find out using statistical analysis Exercise: suppose we see almost all the time one of the following announcements ada aad daa - what can we infer about the coins? - then can we find the payer? - Now if we see daa, we know that C 0 is more likely to be the payer

25 Paris, 17 December 2007MPRI Course on Concurrency 25 Weaker notions of anonymity There are some problems in which it is practically impossible to achieve strong anonymity We need to define weaker notions In general, we need to give a quantitative characterization of the degree of protection provided by a protocol

26 Paris, 17 December 2007MPRI Course on Concurrency 26 Example: Crowds A protocol for anonymous web surfing goal: send a request from a user (initiator) to a web serer problem: sending the message directly reveals the user’s identity more efficient that the dining cryptographers: involves only a small fraction of the users in each execution server

27 Paris, 17 December 2007MPRI Course on Concurrency 27 Crowds server A “crowd” of n users participates in the protocol The initiator forwards the message to a randomly selected user (forwarder) A forwarder: With probability p f forwards again the message With probability 1-p f send the message directly to the server

28 Paris, 17 December 2007MPRI Course on Concurrency 28 Anonymity of the protocol server Wrt the server: strong anonymity. The server sees only the last user More interesting case: some user is corrupted Information gathered by the corrupted user can be used to detect the initiator

29 Paris, 17 December 2007MPRI Course on Concurrency 29 Anonymity of the protocol In presence of corrupted users: strong anonymity is no longer satisfied A weaker notion called “probable innocence” can be achieved, defined as: “the detected user is less likely to be the initiator than not to be the initiator” Formally: p(u is initiator | u is detected) < p(u is not initiator | u is detected)

30 Paris, 17 December 2007MPRI Course on Concurrency 30 Degree of protection: an Information-theoretic approach We can use (the converse of) the mutual information as a measure of the degree of protection of the protocol

31 Paris, 17 December 2007MPRI Course on Concurrency 31 Open problems Information protection is a very active field of research. There are many open problems. For instance: Make model-checking more efficient for the computation of conditional probabilities Active attackers: how does the model of protocol-as-channel change? Inference of the input distribution from the observers

32 Paris, 17 December 2007MPRI Course on Concurrency 32 Bibliography K. Chatzikokolakis, C. Palamidessi, P. Panangaden. Anonymity Protocols as Noisy Channels. Information and Computation.To appear. 2007. http://www.lix.polytechnique.fr/~catuscia/papers/Anonymity/Channels/full.pdf D. Chaum. The Dining Cryptographers Problem. Journal of Cryptology, 1, 65--75, 1988. J. Y. Halpern and K. R. O'Neill. Anonymity and information hiding in multiagent systems. Journal of Computer Security, 13(3), 483-512, 2005

Download ppt "Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia."

Similar presentations

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Paris, 3 Dec 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 12 Probabilistic process calculi Catuscia Palamidessi LIX, Ecole Polytechnique.

Paris, 3 Dec 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 12 Probabilistic process calculi Catuscia Palamidessi LIX, Ecole Polytechnique.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
A Survey Anonymity and Anonymous File-Sharing Tom Chothia (Joint work with Konstantinos Chatzikokolakis)

A Survey Anonymity and Anonymous File-Sharing Tom Chothia (Joint work with Konstantinos Chatzikokolakis)
The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.

The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.

Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.
Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi

Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi
Bangalore, 2 Feb 2005Probabilistic security protocols 1 CIMPA School on Security Specification and verification of randomized security protocols Lecture.

Bangalore, 2 Feb 2005Probabilistic security protocols 1 CIMPA School on Security Specification and verification of randomized security protocols Lecture.
Probabilistic Methods in Concurrency Lecture 3 The pi-calculus hierarchy: separation results Catuscia Palamidessi

Probabilistic Methods in Concurrency Lecture 3 The pi-calculus hierarchy: separation results Catuscia Palamidessi
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.

Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.

Similar presentations

Ads by Google