compositional methods for information hidingcatuscia/talks/080923_leiden.pdfbraun, chatzikokolakis,...

Compositional methods for Information Hiding

Christelle Braun, EP ParisKostas Chatzikokolakis, U Oxford

Catuscia Palamidessi, EP Paris

Braun, Chatzikokolakis, Palamidessi

Compositional Methods for Information-Hiding

Leiden 2008

Outline• Motivations and goals

• Examples of Information-hiding protocols

• The general framework

• Degree of protection - Probability of error

• A probabilistic process calculus

• Compositionality results

• Some applications

2



Leiden 2008

Motivations

• The protection of private / classified information is an important issue in the modern world

• Protocols for information hiding often use randomization

• The presence of probability and concurrency makes verification difficult

3



Leiden 2008

Goals• An appropriate notion of protection

• Quantitative - probabilistic

• Taking concurrency into account

• A formalism with the same features

• a probabilistic process calculus

• Compositionality results for (some of) the operators

• If Pt(P)≥α and Pt(Q)≥α then Pt(P op Q)≥α

4



Leiden 2008


• Examples of information-hiding protocols






5



Leiden 2008

Example: Chaum’s generalized dining cryptographers

• A set of cryptographers (nodes) with some communication channels (edges).

• They have a dinner. An external entity may select one of them to pay for the bill

• The cryptographers want to find out whether one of them is the payer, without getting to know who is he

6



Leiden 2008

Chaum’s solution to the generalized dining cryptogr.

• Associate to each edge a fair coin

• Toss the coins

• Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1

• Theorem 1: There is a payer iff the total sum is 1

7



Leiden 2008



• Toss the coins



8



Leiden 2008



• Toss the coins



9

0

1



Leiden 2008



• Toss the coins



10

0

11

1

0

00



Leiden 2008


• Theorem 2 (Strong anonymity): If the coins are fair, then the a posteriori probability that a certain node be the payer is equal to its a priori probability

11

0

11

1

0

00



Leiden 2008

Example: Crowds

• A crowd is a group of n nodes

• The initiator selects randomly a node (called forwarder) and forwards the request to it

• A forwarder:

• With prob. pf selectsrandomly a new node andforwards the request to him

• With prob. 1-pf sends therequest to the server

server

12



Leiden 2008

Common features ofinformation-hiding protocols

• There is information that we want to keep hidden- the user who pays in D.C.

- the user who initiates the request in Crowds

• There is information that is revealed (observables)- agree/disagree in D.C.

- the users who forward messages to a corrupted user in Crowds

• Protocols often use randomization to hide the link between hidden and observable information- coin tossing in D.C.

- random forwarding to another user in Crowds

13



Leiden 2008

Definition of information hiding properties.

Approaches in literature

14

Chatzikokolakis, Palamidessi, Panangaden Leiden 23/9/08

Formal aproaches to Information-hiding - An overview -

Possibilistic approaches

• [Schneider and Sidiropoulus], [...]

• Key idea: Replace the random choices by nondeterministic choices

• Common principle: A protocol provides protection iff: For every pair of hidden events a, a′, P[a] is “equivalent” to P[a′]

• Criticism: Too weak!

15

Chatzikokolakis, Palamidessi, Panangaden Leiden 23/9/08

Formal aproaches to Information-hiding - An overview -

Probabilistic approachesNotions of total protection in literature

In the following, a, a′ are hidden events, o is an observable

1. [Halpern and O’Neill - like] for all a, a’: p(a|o) = p(a′|o)

2. [Chaum], [Halpern and O’Neill]: for all a, o: p(a|o) = p(a)

3. [Bhargava and Palamidessi]: for all a, a’, o: p(o|a) = p(o|a′)

• Criticism to (1): it depends on the input’s distribution rather than on the features of the protocol and it is too strong because it is equivalent equivalent to requiring p(a) = p(a’) for all a, a’

• (2) and (3) are equivalent

• These notions are 0-1. We would like a notion that quantifies the degree of protection

16



Leiden 2008








17

Compositional Methods for information-Hiding

Braun, Chatzikokolakis, Palamidessi Leiden 2008

Assumptions

• We consider probabilistic protocols

• Inputs: elements of a random variable S

• Outputs: elements of a random variable O

• For each input s, the probability that we obtain an observable o is given by p(o | s)

• We assume that the protocol at each session receives exactly one input and produces exactly one output

• We want to define the degree of protection independently from the input’s distribution, i.e. the users of the protocol

18

Observables

Compositonal Methods for Information-Hiding

Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi

General framework:

Protocols as Information-Theoretic channels

......

s1

sm

o1

on

Protocol

Informationto be protected

Input Output

19



Protocols are noisy channels. Each run has 1 input and 1 output, but:- an input can generate different outputs (randomly choosen)- an output can be generated by different inputs

......

s1

sm

o1

on

...

20



Example: The dining cryptographers

C1

C3

aad

C2

ada

daa

ddd

21



The conditional probabilities

......

s1

sm

o1

on

...p(on|s1)

p(o1|s1)

22



The channel matrix: the array of conditional probabilities

......

s1

sm

o1 on

p(on|s1)p(o1|s1)

p(o1|sm) p(on|sm)

...

...

23



Leiden 2008








24



Leiden 2008

Probability of error

25

• Hypothesis testing

• Goal: try to guesse the true hypotesis (input) once the observable (output) is known

• Decision function: f : O → S

• Probability of error for an input (a priori) distribution π: the probability of

guessing the wrong hypothesis P(f, M, π) = ∑O p(o) ( 1 - p(f(o)| o) )

• From Bayes theorem:



Leiden 2008

The MAP rule• MAP decision function:

• Choose the hypothesis which has Maximum Aposteriori Probability,

i.e. max p(f(o)| o) or, equivalently, max p(o| f(o)) πf(o)

• The MAP decision function minimizes the probability of error

• The probability of error for the MAP rule is called Bayes risk and it is given by

26



Leiden 2008

Maximum Likelihood• If we don’t know the input distribution, we can approximate the MAP by

selecting the hypothesis with Maximum Likelihood, i.e. max p(o| f(o))

• In the case of the ML rule, the probability of error is given by

• Abstracting from the input distribution:

• It turns out that this is the same as computing the Bayes risk on the uniform input distribution, so in the rest of this talk we will only consider the MAP

27



Leiden 2008








28



Leiden 2008

CCSp: A probabilistic Process Calculus

29



Leiden 2008

The operational semantics

30

• Based on Segala & Lynch Probabilistic Automata

• Both probabilistic and nondeterimistic behaviors



Leiden 2008

Resolution of nondeterminism

• The guards in the secret choices are the inputs of the system, and decided externally

• The resolution of nondeterminism is done by assuming a scheduler ζ compatible with the secret choices

• The degree of protection provided by a protocol T is:

31



Leiden 2008








32



Leiden 2008

Compositionality results

33

∏



Proof: (1) The convex combination of matrices preserves the degree of protection

34

c

1-c

+

⎫｜⎬｜⎭

⇒



Proof: (2) The combination of columns preserves the degree of protection

35

⇒p p′ p + p′

o o′ o ∪ o′



Leiden 2008








36



Leiden 2008

An application: A compositional proof of a generalization of Chaum’s

anonymity result

A network of dining cryptographers is strongly anonymous

iff

there is a spanning tree composed by fair coins

(the other coins don’t matter)

37



Leiden 2008

An application: A compositional proof of an

extension of Chaum’s anonymity result

A network of dining cryptographers is strongly anonymous

iff

there is a spanning tree composed by fair coins

(the other coins don’t matter)

38



Leiden 2008



Proof of the if part: by induction

Base: two cryptophers connected by a fair coin are strongly anonymous

39



Leiden 2008





Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the copositionality result, the resulting network is still strongly anonymous

40



Leiden 2008





Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the copositionality result, the resulting network is still strongly anonymous

41



Leiden 2008

Thank you!

42

compositional methods for information hidingcatuscia/talks/080923_leiden.pdfbraun, chatzikokolakis,...

Documents