Probabilistic and Nondeterministic Aspects of Anonymity Catuscia Palamidessi, INRIA & LIX Based on joint work with Mohit Bhargava, IIT New Delhi Kostas Chatzikokolakis, LIX

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 2 Plan of the talk The concept of anonymity Nondeterministic (aka possibilistic) Anonymity Example: the Dining Cryptographers Limitations of the nondeterministic approach The hierarchy of Reiter and Rubin: – Beyond Suspicion and Probable Innocence Formalization of Beyond Suspicion: Conditional anonymity Equivalent formulation for probabilistic users – independence from users’ probabilistic distribution Corresponding formulation for nondeterministic users Formalization of Probable Innocence

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 3 The concept of anonymity Goal: –To ensure that the identity of the agent involved in a certain action remains secret. Some examples of situations in which anonymity may be desirable: –Electronic elections –Delation –Donations –File sharing Some systems: –Crowds [Reiter and Rubin,1998], anonymous communication (anonymity of the sender) –Onion Routing [Syverson, Goldschlag and Reed, 1997] anonymous communication –Freenet [Clarke et al. 2001] anonymous information storage and retrieval

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 4 Formal approaches to Anonymity Concurrency Theory (CSP) –Schneider and Sidiropoulos, 1996 Epistemic Logic –Sylverson and Stubblebine, 1999 –Halpern and O’Neil, 2004 Function views –Hughes and Shmatikov, 2004 These approaches are nondeterministic (except Halpern and O’Neill) although many systems, including Crowds, Onion Routing, and Freenet, use randomized primitives

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 5 Nondeterministic Anonymity We will focus on the “Concurrency theory” approach, which started with the work by Schneider and Sidiropoulos, ESORICS 1996 Systems and protocols for anonymity are describes as CSP processes Actions for which we want anonymity of the agent are modeled as consisting of two components: –the action itself, a, –the identity of the agent performing the action, i a(i) AnonymousAgs: the agents who want to remain secret Given x, define A = { a(i) | i  AnononymousAgs } A protocol described as a process P provides anonymity if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 6 Nondeterministic Anonymity In general, given P, consider the sets: –A = { x(i) | i  AnonymousAgs } : the actions for which we want anonymity –B = the actions that are visible to the observers –C = Actions – (B U A) : The actions we want to hide B C A  The observables to consider for the Anonymity analysis are B U A. In CSP this is obtained by abstracting the system P wrt the actions in C. Definition: The system is anonymous if an arbitrary permutation ρ A of the events in A, applied to the observables of P, does not change the observables ρ A ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 7 Example: The dining cryptographers Problem formulated originally by David Chaum, 1988 The Problem: –Three cryptographers share a meal –The meal is paid either by the organization (master) or by one of them. The master decides who pays –Each of the cryptographers is informed by the master whether or not he is has to pay GOAL: –The cryptographers would like to make known whether the meal is being paid by the master or by one of them, but without knowing who among them, if any, is paying. They cannot involve the master

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 8 The dining cryptographers Crypt (0) Crypt (1) Crypt (2) Master Pays(0)Notpays(0)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 9 The dining cryptographers A nondeterministic solution Each cryptographer tosses a nondeterministic coin. Each coin is in between two cryptographers. The result of each coin-tossing is visible to the adjacent cryptographers, and only to them. Each cryptographer examines the two adjacent coins –If he is not paying, he announces “agree” if the results are the same, and “disagree” otherwise. –If he is paying, he says the opposite

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 10 The dining cryptographers Crypt (0) Crypt (1) Crypt (2) Master Coin( 2) Coin (1) Coin (0) Pays(0)Notpays(0) look02 agree1 / disagree1

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 11 The dining cryptographers Properties of the solution Proposition 1: if the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying. Proposition 2 (Anonymity): In the latter case, if the coins are fair then the non paying cryptographers and the external observers will not be able to deduce who is paying

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 12 The dining cryptographers - Automatic verification Schneider and Sidiropoulos verified the anonymity of the solution to the dining cryptographers by using CSP and FDR. –The protocol : system P of parallel CSP processes (master, cryptographers, coins) –A (anonymous actions): pays(0), pays(1), pays(2) –B (observable actions): For an external observer: agree0, disagree0, …, disagree2 For cryptographer Crypto(0): agree0, disagree0, …, disagree2, look00, look10 –C (hidden actions): the other results of coins: look i j –Observables : all traces of P abstracting from C For every permutation ρ on A, we have ρ( Obs(P) ) = Obs(P)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 13 Limitations of the nondeterministic approach The nondeterministic components may be produced by random devices – nondeterministic coin  random coin An observer may deduce probabilistic info about the system from the probability distribution of the devices. The probability distribution of the devices may be inferred statistically by repeating the observations The leakage of probabilistic info is not captured by the nondeterministic formulation

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 14 Limitations of the nondeterministic approach Example. Suppose that we observe with high frequency one of the following results. What can we infer from them? a a d We can deduce that the coins are biased, and how Therefore we can probabilistically guess who is the payer This breach in anonymity is not detected by the nondeterministic approach (as long as the fourth possible configuration appears, from time to time). In a sense the nondeterministic notion of anonymity is too weak. d a a d d d H H T p p p H H T H H T

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 15 By introducing probabilities we can distinguish different levels of strength Example: Crowds [Reiter and Robin 98] –a system designed to provide the anonymity of the originator of a message. –The originator sends the message to another user selected randomly, who in turns forwards the message to another user, and so on, until the message reaches its destination. Reiter and Robin proposed the following (informal) hierarchy –Beyond suspicion: from the point of view of the observer, the sender appears no more likely than any other agent to be the originator –Probable innocence: … the sender appears no more likely to be the originator than not to be –Possible innocence: … there is a non trivial probability that the sender is not the originator Reiter and Robin proved “probable innocence” of Crowds under certain conditions. In the nondeterministic approach the hierarchy collapses at the lowest level Reiter and Robin ‘s hierarchy originator sender observer destination

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 16 The rest of this talk is dedicated to generalizing and formalizing the notions of probabilistic anonymity. In particular, “beyond suspicion” and “probable innocence” We describe the random mechanisms of the protocol probabilistically. The users may be probabilistic or nondeterministic We use (a simplified form of) Segala and Lynch’s probabilistic automata, which can represent both probabilistic and nondeterministic behavior

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 17 Fully probabilistic automata a b c b c 1/2 2/3 1/3 1/2 1/3 Observable actions: a, b, c Execution: a path from the root to a leaf Probability of an execution: the product of the probabilities on the edges Event: a set of executions Probability of an event: the sum of the probabilities of the executions Examples: The event c has probability p(c) = 1/2 + 1/6 = 2/3 The event ab has probability p(ab) = 1/6 + 1/18 = 2/9

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 18 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 19 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a  

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 20 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  p  (a) = 1/4 1/2 a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 21 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  1/2 1/3 2/3 1/2 a a 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 22 (Simplified) Probabilistic Automata White nodes: nondeterministic Green nodes: probabilistic Scheduler: a function that associates to each nondeterministic nodes a node among its successors Etree(  ): the fully probabilistic automaton obtained by pruning the tree from the choices not selected by  p  (o) = the probability of the event o under  p  (a) = 1/9 1/3 2/3 a 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 23 Notation and assumptions Conditional probability: p(x | y) = p(x and y) / p(y) Events: –a(i) : user i has performed anonymous action a –a = U i a(i) : anonymous action a has been performed –o = b 1 …b n : observable actions b 1, …, b n have been performed We assume –The a(i) ‘s form a partition of a –Each observable event o implies either a or not a

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 24 Formalization of anonymity: first attempt The immediate interpretation of the notions of Reiter and Rubin: Beyond suspicion: Forall i, j, o. p(a(i) | o) = p(a(j) | o) Probable innocence: Forall i, j, o. p(a(i) | o) < p(not a(i) | o) Possible innocence: Forall i, j, o. p(a(i) | o) < 1 However: -These notions do not apply for nondeterministic users -They depend on the probability distribution of the users -We expect “beyond suspicion” to hold for the Dining Cryptographers with fair coins, and “probable innocence” to hold for Crowds, but the above notions (in general) don’t hold

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 25 Formalization of “beyond suspicion” The property which has been proved by Chaum for the dining cryptographers with probabilistic users and probabilistic fair coins is : Forall i, j, o. p(a(i) | o) = p(a(i) | a) Namely: the observation of o does not add anything to the knowledge of the probability of a(i), except that the action a has been performed. This is similar to the property called conditional anonymity by Halpern and O’Neill Problems: –In general it may depend on the probability distribution of the users –Not applicable for nondeterministic users

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 26 Formalization of “beyond suspicion” Proposition: Forall i, j, o. if o  a then p(a(i) | o) = p(a(i) | a) (*) is equivalent to Forall i, j, o. if p(a(i)) > 0 and p(a(j)) > 0 then p(o | a(i) ) = p(o | a(j)) (**) Proposition: if the choice of the a(i)’s is done only once, then the formula (**) does not depend on the probability distribution of the a(i)’s The corresponding definition, for nondeterministic users: Forall i, j, o, if  selects a(i), and  selects a(j), then p  (o) = p  (o) (***) Proposition: (***) is satisfied by the dining cryptographers with fair coins and nondeterministic users (master)

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 27 a(1) a(2) a(3) not a p1p1 p2p2 p3p3 p q q q o o o p(o | a(i)) = p(o and a(i)) / p(a(i) = q p i /p i = q p(o | a(j)) Independence from the probability distribution of the a(i)’s =

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 28 a(1) a(2) a(3) not a q q q o o o p s (o) = q  p d (o) Nondeterministic users =

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 29 Formalization of “probable innocence” (ongoing work) We assume here that a is always performed Probabilistic users: Forall i, j, o. if p(a(i)) > 0 and p(a(i)) < 1 then p(o | a(i) ) < p(o | not a(i)) Nondeterministic users: Forall i, j, o. if s selects a(i) and d does not select a(i) then p  (o) < p  (o) In the case of Crowds, this property corresponds to the one which has been effectively proved by Reiter and Rubin

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 30 Conclusion Notion of probabilistic anonymity –Probabilistic users: conditional probability –Nondeterministic users: scheduler –Beyond suspicion and probable innocence Application to the example of the Dining Cryptographers and Crowds

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 31 The randomized dining cryptographers Each cryptographer tosses a probabilistic coin the master is probabilistic All the rest is the same as before. In case the coins are fair, this system is, intuitively, anonymous in the strongest sense (beyond suspicion). Note that this is true independently of the probability distribution of the master. However the formulation based on a “naïve” interpretation of Reiter and Robin’s definition fails, because in general pb(ax) =/= pb(bx) (they depend on the probability distribution of the master) We need to take into account the perspective and limitations of the observer, somehow. Idea: the system is (strongly) anonymous if the agent cannot be inferred from the observations. Namely, the probability of an observation does not depend on the agent. Concept of conditional probability

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 32 Conditional probability (1/3) We propose a notion of anonymity based on conditional probability A brief recall of the notion of conditional probability Puzzle: –A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty –After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty –Then the king offers to the guest to exchange the box he picked with the other (closed) one –Question: should the guest exchange?

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 33 Conditional probability (2/3) Answer: it depends on whether the king opens intentionally an empty box, or not. In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring. We can explain this outcome by using the notion of conditional probability.

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 34 Conditional probability (3/3) pb(X|Y) = conditional probability of X given Y = pb(X and Y) / pb(Y) Let us consider again the puzzle in Case 2 B i = Box i contains the ring Initially: pb(B 1 ) = pb(B 2 ) = pb(B 3 ) = 1/3 After opening one box, say Box 1, if it turns out to be empty, we have: pb(B 2 ) = pb(B 2 | not B 1 ) = pb(B 2 and not B 1 ) / pb(not B 1 ) = pb(B 2 )/pb(not B 1 ) = (1/3) / (2/3) = 1 / 2

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 35 Probabilistic Anonymity (1/2) Remember that given a system we consider the sets: –A = { ax | a  AnonAgs } : the actions for which we want anonymity –B = the actions visible to the observer –C = Actions – (B U A) : The actions we hide B C A 

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 36 Probabilistic Anonymity (2/2) Definition: The system is (strongly) anonymous if for every nonderministic choice, for every observation O, and for every anonymous agents a and b, we have pb(O | ax) = pb(O | bx) namely, the probability of an observable does not depend on the identity of the agent who performed the action Proposition: Each of the following conditions is equivalent to anonymity –pb(ax | O 1 ) = pb(ax | O 2 ), for every ax  A and for every O 1, O 2 in which x happens –pb(ax | O) = pb(ax) / pb(x), for every ax  A and for every O in which x happens Note that the “natural” probabilistic extension of the definition of Schneider/ Sidiropoulos would be pb(ax and O) = pb(bx and O), or equivalently pb(ax | O) = pb(bx | O), However in general pb(ax and O) is not equal to pb(bx and O), (this is easy to check, for instance, on the example of the randomized dining cryptographers) hence the latter cannot be a good definition of probabilistic anonymity

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 37 Verification in probabilistic  -calculus We have verified the anonymity of the randomized solution to the dining cryptographers by using the probabilistic  -calculus. –The protocol : system P of parallel processes: Master: probabilistic (blind) Coins: probabilistic (blind) Cryptographers: deterministic –A (anonymous actions): pays 0, notpays 0, …, notpays 2 chosen probabilistically –B (observable actions): agree 0, disagree 0, …, disagree 2,, plus the result of the adjacent coins for the internal observers Determined by the choice of the master and of the coins –C (hidden actions): results of the other coins chosen probabilistically For every i,k, and for every combination O of agree/disagree, we have ρb(O | pays i ) = pb(O | pays k ) Note: the probabilities are defined on the computations of P. For instance, pb(O) is the measure of all the computations in which we get O

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 38 The generalized dining philosophers In general, given an arbitrary graph, where the nodes represent the cryptographers, and the arcs the coins, we can extend the protocol as follows: –b i = 0 if cryptographer i does not pay, b i = 1 otherwise –coin k = 0 if coin k gives head, coin k = 1 otherwise –crypt i = output of cryptographer i, calculated as follows: crypt i =  k adjacent i coin k + b i where the sums are binary Crypt i Coin k

Birmingham, 19 May 2005 Probabilistic and Nondeterministic Aspects of Anonymity 39 The protocol in the general case Proposition: there is a payer iff  i crypt i = 0 Proof: just observe that in this sum each coin k is counted twice. Furthermore there is at most one k s.t. b k = 1. Hence the result is 0 iff there is no k s.t. b k = 1. Proposition: If all the coins are fair, and the graph is connected, then –the system is anonymous for every external observer –the system is anonymous for any node j such that, if we remove j and all its adjacent arcs, the rest of the graph is still connected