Formal approaches to protection of private information

Catuscia Palamidessi
Equipe Projet Comète
INRIA Saclay
Lille, 12 June 2009
Protection of private information
In the modern world the issue of privacy is exacerbated by orders of magnitude
RFID tags may be everywhere…
• Electronic devices and their continuous interaction with users: possibility to gather a huge amount of info
• Increase of computers’ capacities: possibility to store and process such info
• Communication through insecure networks: possible interference of malicious agents
Catuscia Palamidessi, COMETE
Malicious agents
• Private information can be gathered and used for malicious purposes
• The information is often collected without the honest parties’ consent
• The honest parties might not even be aware of their privacy’s violation
Protocols and their properties
• Need for protocols that guarantee the protection of users’ private information
• Need for precise definition of privacy properties
• Need for frameworks and tools that guarantee that such protocols satisfy the expected properties
Private and public information
• The main difficulty in protecting the private information is that it is often intertwined with public information
• In other words, the public information often allows one to infer information that we would like to keep private
• Need to guarantee secure information flow from private to public
Problems and challenges
• Main problems
  • Information security: avoid the inference of private information from the public one
• Technical challenges
  • Probabilistic aspects (randomized protocols, behavior of users)
  • (Preventing the) Inference of the unknown distribution of a random variable
  • (Preventing the) Inference of the unknown value of a random variable
Examples of anonymity protocols: Crowds and Onion Routing
Purpose: anonymous message sending, i.e. send a message to a server without revealing the sender’s identity to malicious users
• Crowd: a group of users who agree to cooperate in the protocol
• The sender selects randomly a node (called forwarder) and forwards the request to it
• A forwarder:
  • With probability p selects randomly a new node and forwards the request to it
  • With probability 1-p sends the request to the server
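The forwarding rule above, carried through to the exact channel matrix p(o|a) of the protocol. This is an added example, not code from the talk. It assumes an adversary that the slide does not spell out (c of the n members are corrupted and see only which member hands them the request) and that every random pick is uniform over all n members, the current holder included.

```python
def crowds_channel(n, c, p, eps=1e-15):
    """Return the channel matrix p(o|a) of Crowds as a list of rows.

    Assumed adversary (not on the slide): c of the n members are corrupted
    and observe only which member hands them the request.
    Rows: honest initiator a. Columns: honest member that is detected,
    plus a last column for "nobody detected".
    """
    if not (0 <= p < 1 and 1 <= c < n):
        raise ValueError("need 0 <= p < 1 and 1 <= c < n")
    m = n - c                           # honest members are 0 .. m-1
    matrix = []
    for a in range(m):
        row = [0.0] * (m + 1)
        mass = [0.0] * m                # mass[h]: probability that h holds the request
        mass[a] = 1.0
        first_hop = True                # the initiator always forwards
        while sum(mass) > eps:
            nxt = [0.0] * m
            for h, w in enumerate(mass):
                fwd = w if first_hop else w * p
                row[m] += w - fwd       # with probability 1-p: sent to the server
                row[h] += fwd * c / n   # the random pick was corrupted: h is detected
                for k in range(m):      # the random pick was honest member k
                    nxt[k] += fwd / n
            mass, first_hop = nxt, False
        matrix.append(row)
    return matrix


def detected_is_initiator(matrix, a):
    """P(detected member is the initiator | somebody was detected), initiator a."""
    row = matrix[a]
    return row[a] / (1.0 - row[-1])


if __name__ == "__main__":
    M = crowds_channel(n=20, c=5, p=0.75)
    print("p(o = a | a)     =", round(M[0][0], 4))
    print("p(o = other | a) =", round(M[0][1], 4))
    print("p(nobody | a)    =", round(M[0][-1], 4))
    print("P(initiator | detection) =", round(detected_is_initiator(M, 0), 4))
```

The rows differ only in where the larger entry sits, so the observable is correlated with the sender: the detected member is more likely than any other single member to be the initiator.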
Frameworks and techniques
• Probability
  • Behavior of users
  • Protocols often use randomized primitives
  • Basis for precise assessment of degree of trust / protection
• Information theory
  • Protocols for secure information flow = noisy channels
• Hypothesis testing
  • Bayesian methods
  • Beta distribution / conjugate analysis
  • Hidden Markov Models (evolution of the probability distribution)
Information theory
[Diagram: the Protocol as a channel. Input: confidential information s1 ... sm. Output: public information o1 ... on.]
• Protocol for controlling the flow of information = noisy channel
• Information protection = channel opacity (the converse of channel capacity).
• Shannon entropy, Rényi minimum entropy
Some recent results
• Notion of protection: A version of Mutual Information based on Rényi’s min entropy
• Characterization and analysis of the worst-case (least protection)
• Methods for secure composition (synthesis) of protocol specification
Some recent results
• Hypothesis testing: guessing the secret from the observable
• Probability of making the wrong guess. Bayesian Risk
• Relation with Conditional Entropy H(A|O)
• Bounds by Rényi, Hellman-Raviv, Santhi-Vardy
[Plot with axes x1, x2 and Pe]
Figure 2. Ternary hypothesis testing. The solid curve represents the Bayes risk for the channel in Example 4.4, the dotted curve represents the Santhi-Vardy bound $1 - 2^{-H(A|O)}$.
• Our results: Characterization of the “corner points”. Method to compute the max of the Bayes risk. Tighter functional bound

[Paper excerpt shown on the slide, cropped at the edges]

Capacity 0 The case in which the capacity of the channel is 0 is by definition obtained when I(A; O) = 0 for all possible input distributions of A. From information theory we know that this is the case iff A and O are independent (cfr. [8], page 27). Hence we have the following characterization:

Proposition 5.1 Given an anonymity system ⟨A, O, p(·|·)⟩, the capacity of the corresponding channel is 0 iff all the rows of the channel matrix are the same, i.e. p(o|a) = p(o|a′) for all o, a, a′.

The condition p(o|a) = p(o|a′) for all o, a, a′ has been called strong probabilistic anonymity in [1] and it is equiv-

input distribution. In fact
the matrix are all the same and the distribution is
In this case, we have

$$P_e(\vec{x}) = 1 - \sum_o \max_j p(o|a_j)\,x_j$$

$$P_e\left(\tfrac{1}{n}, \tfrac{1}{n}, \ldots, \tfrac{1}{n}\right) = 1 - \sum_o \max_j p(o|a_j)\,x_j = 1 - \sum_o p(o|a)\,\tfrac{1}{n} = 1 - \tfrac{1}{n}\sum_o p(o|a) = \tfrac{n-1}{n}$$

An example of protocol with capacity 0 is th
cryptographers in a connected graph [4], under the
tion that it is always one of the cryptographers w
and that the coins are fair.

6 Application: Crowds
In this section we discuss how to compute the
matrix for a given protocol using automated tools,
it to improve the bound for the probability of er
illustrate our ideas on a variation of Crowds, a wel
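An added example (not from the talk or the paper) that evaluates the quantities on this slide for a given channel matrix: the Bayes risk, H(A|O), the Santhi-Vardy bound 1 − 2^(−H(A|O)), and the capacity-0 test of Proposition 5.1. Both 3×3 matrices and the function names are constructed for illustration.

```python
from math import log2

def bayes_risk(x, C):
    """P_e = 1 - sum_o max_a p(o|a) * x_a: error of the best single guess."""
    return 1.0 - sum(max(C[a][o] * x[a] for a in range(len(x)))
                     for o in range(len(C[0])))

def cond_entropy(x, C):
    """H(A|O) in bits, for prior x and channel matrix C[a][o] = p(o|a)."""
    h = 0.0
    for o in range(len(C[0])):
        p_o = sum(C[a][o] * x[a] for a in range(len(x)))
        for a in range(len(x)):
            joint = C[a][o] * x[a]
            if joint > 0:
                h -= joint * log2(joint / p_o)
    return h

def santhi_vardy_bound(x, C):
    """Upper bound on the Bayes risk: 1 - 2^(-H(A|O))."""
    return 1.0 - 2.0 ** (-cond_entropy(x, C))

def has_capacity_zero(C, tol=1e-12):
    """Proposition 5.1: capacity is 0 iff all rows of the matrix are equal."""
    return all(abs(v - w) <= tol for row in C[1:] for v, w in zip(row, C[0]))

# Constructed channels over three secrets and three observables.
LEAKY = [[0.8, 0.1, 0.1], [0.1, 0.8, 0.1], [0.1, 0.1, 0.8]]
OPAQUE = [[0.5, 0.3, 0.2]] * 3          # identical rows
UNIFORM = [1 / 3] * 3

if __name__ == "__main__":
    for name, C in (("leaky", LEAKY), ("opaque", OPAQUE)):
        print(name, has_capacity_zero(C),
              round(bayes_risk(UNIFORM, C), 4),
              round(santhi_vardy_bound(UNIFORM, C), 4))
```

For the matrix with identical rows and a uniform prior, the Bayes risk and the bound coincide at (n−1)/n = 2/3; for the leaky matrix the risk drops to 0.2 while the bound stays above it.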
Ongoing and Future work
• Design of ProPiS: a Probabilistic specification language for Security applications.
  • probability
  • cryptographic primitives
  • data structures
• Develop a logic for efficient model checking
  • PCTL with conditional probabilities
• Development of various tools for prototyping and verification
  • interpreter
  • model checker
  • counterexample generation
Thanks!