Compositionality of Secure Information Flow Christelle Braun, Ecole - - PowerPoint PPT Presentation

compositionality of secure information flow
SMART_READER_LITE
LIVE PREVIEW

Compositionality of Secure Information Flow Christelle Braun, Ecole - - PowerPoint PPT Presentation

Apr 30, 2023 200 likes •617 views

Compositionality of Secure Information Flow Christelle Braun, Ecole Polytechnique Kostas Chatzikokolakis, University of Eindhoven Catuscia Palamidessi, INRIA & Ecole Polytechnique Probabilistic Methods for Security Outline Motivations

slide-1
SLIDE 1

Compositionality of Secure Information Flow

Christelle Braun, Ecole Polytechnique Kostas Chatzikokolakis, University of Eindhoven Catuscia Palamidessi, INRIA & Ecole Polytechnique

slide-2
SLIDE 2

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of Information-hiding protocols
  • A general Information-Theoretic model
  • Degree of Protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

2

slide-3
SLIDE 3

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Motivations

  • The protection of private / secret / classified

information is an important issue in the modern world

  • We are interested in probabilistic aspects

because the protocols for information hiding often use randomization

  • We are interested in compositionality because

the presence of probability and concurrency makes verification difficult

3

slide-4
SLIDE 4

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Goals

  • An appropriate notion of information protection
  • Quantitative - probabilistic
  • Taking concurrency into account
  • A probabilistic process calculus
  • Compositionality results for (some of) the
  • perators
  • If Pt(P)≥α and Pt(Q)≥α then Pt(P op Q)≥α

4

slide-5
SLIDE 5

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

5

slide-6
SLIDE 6

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Example: Chaum’s generalized dining cryptographers

  • A set of cryptographers (nodes) with

some communication channels (edges).

  • They have a dinner. An external entity

may select one of them to pay for the bill

  • The cryptographers want to find out

whether one of them is the payer, without getting to know who is he

6

slide-7
SLIDE 7

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Chaum’s solution to the generalized dining cryptogr.

  • Associate to each edge a fair coin
  • Toss the coins
  • Each cryptograher announces the binary

sum of the incident edges. If there is a payer, he adds 1

  • Theorem 1: There is a payer iff the total

sum is 1

7

slide-8
SLIDE 8

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Chaum’s solution to the generalized dining cryptogr.

  • Associate to each edge a fair coin
  • Toss the coins
  • Each cryptograher announces the binary

sum of the incident edges. If there is a payer, he adds 1

  • Theorem 1: There is a payer iff the total

sum is 1

8

slide-9
SLIDE 9

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Chaum’s solution to the generalized dining cryptogr.

  • Associate to each edge a fair coin
  • Toss the coins
  • Each cryptograher announces the binary

sum of the incident edges. If there is a payer, he adds 1

  • Theorem 1: There is a payer iff the total

sum is 1

9

1

slide-10
SLIDE 10

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Chaum’s solution to the generalized dining cryptogr.

  • Associate to each edge a fair coin
  • Toss the coins
  • Each cryptograher announces the binary

sum of the incident edges. If there is a payer, he adds 1

  • Theorem 1: There is a payer iff the total

sum is 1

10

1 1 1

slide-11
SLIDE 11

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Chaum’s solution to the generalized dining cryptogr.

  • Theorem 2 (Strong anonymity):

If the coins are fair, then the a posteriori probability that a certain node be the payer is equal to its a priori probability

11

1 1 1

slide-12
SLIDE 12

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Example: Crowds

  • A crowd is a group of n nodes
  • The initiator selects randomly a node (called forwarder)

and forwards the request to it

  • A forwarder:
  • With prob. pf selects

randomly a new node and forwards the request to him

  • With prob. 1-pf sends the

request to the server

server

12

slide-13
SLIDE 13

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Common features of information-hiding protocols

  • There is information that we want to keep hidden
  • the user who pays in D.C.
  • the user who initiates the request in Crowds
  • There is information that is revealed (observables)
  • agree/disagree in D.C.
  • the users who forward messages to a corrupted user in Crowds
  • Protocols often use randomization to hide the link between

hidden and observable information

  • coin tossing in D.C.
  • random forwarding to another user in Crowds

13

slide-14
SLIDE 14

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

14

slide-15
SLIDE 15

Probabilistic Methods for Security Braun, Chatzikokolakis, Palamidessi AMAST 2010

Assumptions

  • We consider probabilistic protocols
  • Inputs: elements of a random variable S
  • Outputs: elements of a random variable O
  • For each input s, the probability that we obtain an observable o

is given by p(o | s)

  • We assume that the protocol at each session receives exactly
  • ne input and produces exactly one output
  • We want to define the degree of protection independently

from the input’s distribution, i.e. the users of the protocol

15

slide-16
SLIDE 16

Observables

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

General framework: Protocols as Information-Theoretic channels

.. . .. .

s1 sm

  • 1
  • n

Protocol

Information to be protected

Input

Output

16

slide-17
SLIDE 17

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

Protocols are noisy channels. Each run has 1 input and 1 output, but:

  • an input can generate different outputs (randomly choosen)
  • an output can be generated by different inputs

.. . .. .

s1 sm

  • 1
  • n

.. .

17

slide-18
SLIDE 18

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

Example: The dining cryptographers

C1 C3 aad C2 ada daa ddd

18

slide-19
SLIDE 19

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

The conditional probabilities

.. . .. .

s1 sm

  • 1
  • n

.. .

p(on|s1) p(o1|s1)

19

slide-20
SLIDE 20

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

The channel matrix: the array of conditional probabilities .. . .. .

s1 sm

  • 1
  • n

p(on|s1) p(o1|s1) p(o1|sm) p(on|sm)

... ...

20

slide-21
SLIDE 21

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

21

slide-22
SLIDE 22

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Probability of error

22

  • Hypothesis testing
  • Goal: try to guess the true hypothesis (input) once the observable (output)

is known

  • Decision function: f : O → S
  • Probability of error for an input (a priori) distribution π: the probability of

guessing the wrong hypothesis P(f, M, π) = ∑O p(o) ( 1 - p(f(o)| o) )

  • From Bayes theorem:
slide-23
SLIDE 23

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

The MAP rule

  • MAP decision function:
  • Choose the hypothesis which has Maximum Aposteriori Probability,

i.e. max p(f(o)| o) or, equivalently, max p(o| f(o)) πf(o)

  • The MAP decision function minimizes the probability of error
  • The probability of error for the MAP rule is called Bayes risk and it is given

by

23

slide-24
SLIDE 24

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Maximum Likelihood

  • If we don’t know the input distribution, we can approximate the MAP by

selecting the hypothesis with Maximum Likelihood, i.e. max p(o| f(o))

  • In the case of the ML rule, the probability of error is given by
  • Abstracting from the input distribution:
  • It turns out that this is the same as computing the Bayes risk on the uniform

input distribution, so in the rest of this talk we will only consider the MAP

24

slide-25
SLIDE 25

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

25

slide-26
SLIDE 26

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

CCSp: A probabilistic Process Calculus

26

slide-27
SLIDE 27

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

The operational semantics

27

  • Based on Segala & Lynch Probabilistic Automata
  • Both probabilistic and nondeterministic behaviors
slide-28
SLIDE 28

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Resolution of nondeterminism

  • The guards in the secret choices are the inputs of the system, and decided

externally

  • The resolution of nondeterminism is done by assuming a scheduler ζ

compatible with the secret choices

  • The degree of protection provided by a protocol T is:

28

slide-29
SLIDE 29

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

29

slide-30
SLIDE 30

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Compositionality results

30

slide-31
SLIDE 31

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

Proof: (1) The convex combination of matrices preserves the degree of protection

31

c 1-c

+

⎫ | ⎬ | ⎭

slide-32
SLIDE 32

Probabilistic Methods for Security AMAST 2010 Braun, Chatzikokolakis, Palamidessi

Proof: (2) The combination of columns preserves the degree of protection

32

p p′ p + p′

  • ∪ o′
slide-33
SLIDE 33

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Outline

  • Motivations and goals
  • Examples of information-hiding protocols
  • The general framework
  • Degree of protection - Probability of error
  • A probabilistic process calculus
  • Compositionality results
  • Some applications

33

slide-34
SLIDE 34

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

An application: A compositional proof of a generalization of Chaum’s anonymity result

A network of dining cryptographers is strongly anonymous if there is a spanning tree composed by fair coins (the other coins don’t matter)

34

slide-35
SLIDE 35

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

An application: A compositional proof of an extension of Chaum’s anonymity result

A network of dining cryptographers is strongly anonymous if there is a spanning tree composed by fair coins (the other coins don’t matter)

35

slide-36
SLIDE 36

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

An application: A compositional proof of an extension of Chaum’s anonymity result

Proof of the if part: by induction Base: two cryptographers connected by a fair coin are strongly anonymous

36

slide-37
SLIDE 37

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

An application: A compositional proof of an extension of Chaum’s anonymity result

Proof of the if part: by induction Base: two cryptographers connected by a fair coin are strongly anonymous Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the compositionality result, the resulting network is still strongly anonymous

37

slide-38
SLIDE 38

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

An application: A compositional proof of an extension of Chaum’s anonymity result

Proof of the if part: by induction Base: two cryptographers connected by a fair coin are strongly anonymous Induction step: given a strongly anonymous network, add one cryptographer and a fair coin (edge). Using the compositionality result, the resulting network is still strongly anonymous

38

slide-39
SLIDE 39

Braun, Chatzikokolakis, Palamidessi Compositional Methods for Information-Hiding AMAST 2010

Note: we have proved also the converse, but with a different method

A network of dining cryptographers is strongly anonymous

  • nly if

there is a spanning tree composed by fair coins

39

slide-40
SLIDE 40

Braun, Chatzikokolakis, Palamidessi Probabilistic Methods for Security AMAST 2010

Thank you!

40