compositional methods for information hidingcatuscia/talks/080923_leiden.pdfbraun, chatzikokolakis,...
TRANSCRIPT
Compositional methods for Information Hiding
Christelle Braun, EP ParisKostas Chatzikokolakis, U Oxford
Catuscia Palamidessi, EP Paris
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of Information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
2
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Motivations
• The protection of private / classified information is an important issue in the modern world
• Protocols for information hiding often use randomization
• The presence of probability and concurrency makes verification difficult
3
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Goals• An appropriate notion of protection
• Quantitative - probabilistic
• Taking concurrency into account
• A formalism with the same features
• a probabilistic process calculus
• Compositionality results for (some of) the operators
• If Pt(P)≥α and Pt(Q)≥α then Pt(P op Q)≥α
4
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
5
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Example: Chaum’s generalized dining cryptographers
• A set of cryptographers (nodes) with some communication channels (edges).
• They have a dinner. An external entity may select one of them to pay for the bill
• The cryptographers want to find out whether one of them is the payer, without getting to know who is he
6
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Chaum’s solution to the generalized dining cryptogr.
• Associate to each edge a fair coin
• Toss the coins
• Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1
• Theorem 1: There is a payer iff the total sum is 1
7
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Chaum’s solution to the generalized dining cryptogr.
• Associate to each edge a fair coin
• Toss the coins
• Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1
• Theorem 1: There is a payer iff the total sum is 1
8
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Chaum’s solution to the generalized dining cryptogr.
• Associate to each edge a fair coin
• Toss the coins
• Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1
• Theorem 1: There is a payer iff the total sum is 1
9
0
1
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Chaum’s solution to the generalized dining cryptogr.
• Associate to each edge a fair coin
• Toss the coins
• Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1
• Theorem 1: There is a payer iff the total sum is 1
10
0
11
1
0
00
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Chaum’s solution to the generalized dining cryptogr.
• Theorem 2 (Strong anonymity): If the coins are fair, then the a posteriori probability that a certain node be the payer is equal to its a priori probability
11
0
11
1
0
00
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Example: Crowds
• A crowd is a group of n nodes
• The initiator selects randomly a node (called forwarder) and forwards the request to it
• A forwarder:
• With prob. pf selectsrandomly a new node andforwards the request to him
• With prob. 1-pf sends therequest to the server
server
12
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Common features ofinformation-hiding protocols
• There is information that we want to keep hidden- the user who pays in D.C.
- the user who initiates the request in Crowds
• There is information that is revealed (observables)- agree/disagree in D.C.
- the users who forward messages to a corrupted user in Crowds
• Protocols often use randomization to hide the link between hidden and observable information- coin tossing in D.C.
- random forwarding to another user in Crowds
13
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Definition of information hiding properties.
Approaches in literature
14
Chatzikokolakis, Palamidessi, Panangaden Leiden 23/9/08
Formal aproaches to Information-hiding - An overview -
Possibilistic approaches
• [Schneider and Sidiropoulus], [...]
• Key idea: Replace the random choices by nondeterministic choices
• Common principle: A protocol provides protection iff: For every pair of hidden events a, a′, P[a] is “equivalent” to P[a′]
• Criticism: Too weak!
15
Chatzikokolakis, Palamidessi, Panangaden Leiden 23/9/08
Formal aproaches to Information-hiding - An overview -
Probabilistic approachesNotions of total protection in literature
In the following, a, a′ are hidden events, o is an observable
1. [Halpern and O’Neill - like] for all a, a’: p(a|o) = p(a′|o)
2. [Chaum], [Halpern and O’Neill]: for all a, o: p(a|o) = p(a)
3. [Bhargava and Palamidessi]: for all a, a’, o: p(o|a) = p(o|a′)
• Criticism to (1): it depends on the input’s distribution rather than on the features of the protocol and it is too strong because it is equivalent equivalent to requiring p(a) = p(a’) for all a, a’
• (2) and (3) are equivalent
• These notions are 0-1. We would like a notion that quantifies the degree of protection
16
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
17
Compositional Methods for information-Hiding
Braun, Chatzikokolakis, Palamidessi Leiden 2008
Assumptions
• We consider probabilistic protocols
• Inputs: elements of a random variable S
• Outputs: elements of a random variable O
• For each input s, the probability that we obtain an observable o is given by p(o | s)
• We assume that the protocol at each session receives exactly one input and produces exactly one output
• We want to define the degree of protection independently from the input’s distribution, i.e. the users of the protocol
18
Observables
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
General framework:
Protocols as Information-Theoretic channels
......
s1
sm
o1
on
Protocol
Informationto be protected
Input Output
19
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
Protocols are noisy channels. Each run has 1 input and 1 output, but:- an input can generate different outputs (randomly choosen)- an output can be generated by different inputs
......
s1
sm
o1
on
...
20
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
Example: The dining cryptographers
C1
C3
aad
C2
ada
daa
ddd
21
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
The conditional probabilities
......
s1
sm
o1
on
...p(on|s1)
p(o1|s1)
22
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
The channel matrix: the array of conditional probabilities
......
s1
sm
o1 on
p(on|s1)p(o1|s1)
p(o1|sm) p(on|sm)
...
...
23
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
24
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Probability of error
25
• Hypothesis testing
• Goal: try to guesse the true hypotesis (input) once the observable (output) is known
• Decision function: f : O → S
• Probability of error for an input (a priori) distribution π: the probability of
guessing the wrong hypothesis P(f, M, π) = ∑O p(o) ( 1 - p(f(o)| o) )
• From Bayes theorem:
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
The MAP rule• MAP decision function:
• Choose the hypothesis which has Maximum Aposteriori Probability,
i.e. max p(f(o)| o) or, equivalently, max p(o| f(o)) πf(o)
• The MAP decision function minimizes the probability of error
• The probability of error for the MAP rule is called Bayes risk and it is given by
26
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Maximum Likelihood• If we don’t know the input distribution, we can approximate the MAP by
selecting the hypothesis with Maximum Likelihood, i.e. max p(o| f(o))
• In the case of the ML rule, the probability of error is given by
• Abstracting from the input distribution:
• It turns out that this is the same as computing the Bayes risk on the uniform input distribution, so in the rest of this talk we will only consider the MAP
27
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
28
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
CCSp: A probabilistic Process Calculus
29
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
The operational semantics
30
• Based on Segala & Lynch Probabilistic Automata
• Both probabilistic and nondeterimistic behaviors
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Resolution of nondeterminism
• The guards in the secret choices are the inputs of the system, and decided externally
• The resolution of nondeterminism is done by assuming a scheduler ζ compatible with the secret choices
• The degree of protection provided by a protocol T is:
31
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
32
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Compositionality results
33
∏
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
Proof: (1) The convex combination of matrices preserves the degree of protection
34
c
1-c
+
⎫|⎬|⎭
⇒
Compositonal Methods for Information-Hiding
Leiden 23/9/2008Braun, Chatzikokolakis, Palamidessi
Proof: (2) The combination of columns preserves the degree of protection
35
⇒p p′ p + p′
o o′ o ∪ o′
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
Outline• Motivations and goals
• Examples of information-hiding protocols
• The general framework
• Degree of protection - Probability of error
• A probabilistic process calculus
• Compositionality results
• Some applications
36
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
An application: A compositional proof of a generalization of Chaum’s
anonymity result
A network of dining cryptographers is strongly anonymous
iff
there is a spanning tree composed by fair coins
(the other coins don’t matter)
37
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
An application: A compositional proof of an
extension of Chaum’s anonymity result
A network of dining cryptographers is strongly anonymous
iff
there is a spanning tree composed by fair coins
(the other coins don’t matter)
38
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
An application: A compositional proof of an
extension of Chaum’s anonymity result
Proof of the if part: by induction
Base: two cryptophers connected by a fair coin are strongly anonymous
39
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
An application: A compositional proof of an
extension of Chaum’s anonymity result
Proof of the if part: by induction
Base: two cryptophers connected by a fair coin are strongly anonymous
Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the copositionality result, the resulting network is still strongly anonymous
40
Braun, Chatzikokolakis, Palamidessi
Compositional Methods for Information-Hiding
Leiden 2008
An application: A compositional proof of an
extension of Chaum’s anonymity result
Proof of the if part: by induction
Base: two cryptophers connected by a fair coin are strongly anonymous
Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the copositionality result, the resulting network is still strongly anonymous
41