theorem proving privacy and anonymity
play

Theorem-proving Privacy and Anonymity Yoshinobu KAWABE NTT - PowerPoint PPT Presentation

May 07, 2023 •23 likes •303 views

Theorem-proving Privacy and Anonymity Yoshinobu KAWABE NTT Communication Science Laboratories NTT Corporation References Simulation-based proof method of privacy/anonymity Y. Kawabe, K. Mano, H. Sakurada and Y. Tsukada

  1. Theorem-proving Privacy and Anonymity Yoshinobu KAWABE NTT Communication Science Laboratories NTT Corporation

  2. References • Simulation-based proof method of privacy/anonymity – Y. Kawabe, K. Mano, H. Sakurada and Y. Tsukada Theorem-proving anonymity of infinite state systems Information Processing Letters, vol. 101, No.1, 2007 – Y. Kawabe, K. Mano, H. Sakurada and Y. Tsukada Backward simulations for anonymity WITS ’06 (Full version: submitted for journal publication) – I. Hasuo and Y. Kawabe Probabilistic anonymity via coalgebraic simulations Submitted for publication

  3. Online privacy Online anonymity is attracting growing • Threats – ISPs in EU are forced to keep logs of your web access • Public concerns – You don’t care? • Research interest – See Anonymity Bibliography http://freehaven.net/anonbib/ – No decisive definition for “privacy”, “anonymity”, etc.

  4. Overview of this talk A formal definition of anonymity which is based on traces [ESORICS ’96, Schneider & Sidiropoulos] Proving trace inclusion by simulation [Lynch & Vaandrager] • Simulation-based proof method for trace anonymity • Theorem-proving anonymity

  5. Contents • A method to prove anonymity (=privacy) • Formalization of anonymity & anonymous simulation technique • Theorem-proving anonymity/privacy • Crowds protocol

  6. What is anonymity? • Nobody can know “who it is”. • Key notion: Principle of confusion Who?

  7. What is anonymity? Adversary’s viewpoint This person looks like Kawabe … but his face is hidden. This person • Nobody can know “who it is”. might not be Kawabe. • Key notion: Principle of confusion Who?

  8. What is anonymity? Adversary’s viewpoint This person looks like Kawabe … but his face is hidden. This person • Nobody can know “who it is”. The guys on this photo might not be Kawabe. are too small ! I cannot • Key notion: Principle of confusion recognize Kawabe! Who? Can you Releasing find me? sea turtles

  9. “Trace” anonymity [Schneider&Sidiropoulos, ESORICS’96] • Anonymous donation as an example X X’ Alice Alice Bob Bob

  10. “Trace” anonymity [Schneider&Sidiropoulos, ESORICS’96] • Anonymous donation as an example X X’ : actor action Alice Alice Alice (invisible for adversary) : observable action Bob Bob Are these protocols anonymous?

  11. “Trace” anonymity [Schneider&Sidiropoulos, ESORICS’96] • Anonymous donation as an example Anonymous! Not anonymous! X X’ Alice Alice Bob Bob

  12. “Trace” anonymity [Schneider&Sidiropoulos, ESORICS’96] • Anonymous donation as an example Anonymous! Not anonymous! X X’ Alice Alice Bob Bob Observation can be attributed to anybody (confusion!) Definition (Trace anonymity) Alice Bob Chris

  13. How to prove anonymity? --- Find an anonymous simulation! • Binary relation as over states ( X ) 1. Initial state condition: as ( s, s ) for any s ∈ start ( X ) 2. Step correspondence condition: (Case 1) a is an actor action (Case 2) a is not an actor action a a s 1 s 2 s 1 s 2 as as t 1 t 1 s 2 s 2 implies implies as as ∀ a’ a ∃ ∃ t 1 t 1 t 2 t 2

  14. Soundness of the technique • An anonymous simulation is a simulation from anonym ( X ) to X . [Thm] ∃simulation from X to Y ⇒ traces ( X ) ⊆ traces ( Y ) . [Lynch and Vaandrager, Inform.&Comput. 1995] X anonym ( X ) Alice Alice Bob Alice Bob Bob

  15. Soundness of the technique • An anonymous simulation is a simulation from anonym ( X ) to X . “anonymized” version of X [Thm] ∃simulation from X to Y ⇒ traces ( X ) ⊆ traces ( Y ) . (trivially anonymous) [Lynch and Vaandrager, Inform.&Comput. 1995] X anonym ( X ) Alice Alice Bob Alice Bob Bob

  16. Soundness of the technique • An anonymous simulation is a simulation from anonym ( X ) to X . “anonymized” version of X [Thm] ∃simulation from X to Y ⇒ traces ( X ) ⊆ traces ( Y ) . (trivially anonymous) [Lynch and Vaandrager, Inform.&Comput. 1995] X anonym ( X ) Alice Alice Bob Alice Bob Bob traces ( X ) ⊆ traces ( anonym ( X )) is trivial. ⇒ traces ( X ) = traces ( anonym ( X )) holds!

  17. Contents • A method to prove anonymity (=privacy) • Formalization of anonymity & anonymous simulation technique • Theorem-proving anonymity/privacy • Crowds protocol

  18. An example: Crowds [Reiter & Rubin, ACM Trans. 1998] • Comm. system for anonymous web access Crowds Web site Next agent is chosen randomly. Initiator

  19. An example: Crowds [Reiter & Rubin, ACM Trans. 1998] • Comm. system for anonymous web access Crowds Web site Next agent is chosen randomly. observe Initiator reporting Forwarders Adversary might be “corrupt” Anonymous = the adversary cannot know the initiator.

  20. Theorem-proving anonymity of the Crowds example • Steps – Specify the system in IOA language which is a formal specification language based I/O- automaton – Translate the specification into LP’s language --- first-order logic formulae --- with IOA-Toolkit – Prove anonymity with Larch Prover by proving there is an anonymous simulation

  21. IOA language • Formal specification language based on I/O- automaton – I/O-automaton (N. Lynch): formal system to describe and analyze distributed algorithms • Formalization of distributed algorithms in IOA – Actions: precondition-effect style (i.e. if ~ then ~ ) – Data: (many-sorted) equational theory • LSL (Larch Specification Language)

  22. Specification of Crowds Crowds Web site Next agent is chosen randomly. observe observe Initiator reporting reporting Forwarders Forwarders Adversary Adversary might be “corrupt” might be “corrupt”

  23. IOA-Toolkit • Collection of formal verification tools for distributed systems Prove anonymity Larch ioaCheck lsl .ioa .lsl .lp Prover il2lsl Target Source file file .lsl Libraries Compiling .ioa into .lp with IOA-Toolkit

  24. Theorem-proving anonymity • Introducing a candidate relation • Proving that as is an anonymous simulation Initial state condition Step correspondence condition (for actor actions)

  25. Conclusion • A technique to theorem-prove anonymity of security protocols – Simulation technique for trace-based anonymity • Example – Crowds

  26. Coming soon with theorem provers

  27. Ongoing work • Simulation-based proof techniques for probabilistic anonymity – Conditional anonymity (with Ichiro Hasuo) • With coalgebras, our method is extended. – Probable innocence (with Hideki Sakurada and Ichiro Hasuo) • Verifying anonymity for protocols in the presence of intruders

  28. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity Being on-line without giving up everything about you Ensuring collected data doesnt reveal its users data Privacy in Structured Data:

766 views • 49 slides
Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity, t-Closeness CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 4 : 590.03 Fall 12 1

647 views • 61 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

CS 134 Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire (Image from geekologie.com) Relevant to corporations & government agencies Recently increased awareness However, general public

171 views • 16 slides
K Anonymity Dagstuhl Workshop Federated Semantic 8 Data Management, June 2017 4 27.06.2017

K Anonymity Dagstuhl Workshop Federated Semantic 8 Data Management, June 2017 4 27.06.2017

27.06.2017 Schutz der Privatsphre (WS15/16) Introduction to Privacy (Part 1) You have zero privacy. Get over it. Scott McNealy, 1999 Privacy, k anonymity, and differential privacy Johann Christoph Freytag Humboldt-Universitt zu

457 views • 11 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides
Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a theorem? Statement proven based on basis of previously established statements Premise: If I attend UofT, I am a student Premise: I attend

375 views • 25 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem proving problems premise selection deep learning for theorem proving state estimation Today automated reasoning learning in classical ATPs

1.18k views • 97 slides
Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Miller and Baileys ECE 422 Anonymity Anonymity: Concealing your identity In the context of the Internet, we

860 views • 61 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not given or known - Anonymity != Privacy != Security - Anonymity: they can see what you do, but not who you are - Privacy: they can see

379 views • 33 slides
Dealing with imbalanced datasets Bart Baesens Professor Data Science at KU Leuven DataCamp

Dealing with imbalanced datasets Bart Baesens Professor Data Science at KU Leuven DataCamp

DataCamp Fraud Detection in R FRAUD DETECTION IN R Dealing with imbalanced datasets Bart Baesens Professor Data Science at KU Leuven DataCamp Fraud Detection in R Imbalanced data sets Key challenge : label events as fraud or not Major

1.14k views • 64 slides
NASA SMD Dual-Anonymous Peer Review Virtual Community Town Hall March 3, 2020 Thomas Zurbuchen

NASA SMD Dual-Anonymous Peer Review Virtual Community Town Hall March 3, 2020 Thomas Zurbuchen

NASA SMD Dual-Anonymous Peer Review Virtual Community Town Hall March 3, 2020 Thomas Zurbuchen Michael New Daniel Evans Associate Administrator Deputy Associate Administrator for Research Program Scientist Science Mission Directorate, NASA

815 views • 44 slides
Understanding Online Social Network Usage from a Network Perspective Fabian Schneider

Understanding Online Social Network Usage from a Network Perspective Fabian Schneider

Understanding Online Social Network Usage from a Network Perspective Fabian Schneider fabian@net.t-labs.tu-berlin.de Anja Feldmann Balachander Krishnamurthy Walter Willinger Work done while at AT&T LabsResearch

294 views • 26 slides
Towards Constraint Logic Programming over Strings for Test Data Generation Sebastian Krings, J.

Towards Constraint Logic Programming over Strings for Test Data Generation Sebastian Krings, J.

Towards Constraint Logic Programming over Strings for Test Data Generation Sebastian Krings, J. Schmidt, P. Skowronek, J. Dunkelau, D. Ehmke Test Data vs. Privacy Software testing needs Personal data should has appropriate test data to be

212 views • 18 slides
Location Privacy Raja Khurram Shahzad 1984 "It was terribly dangerous to let your thoughts

Location Privacy Raja Khurram Shahzad 1984 "It was terribly dangerous to let your thoughts

Location Privacy Raja Khurram Shahzad 1984 "It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away . A nervous tic, an unconscious

760 views • 38 slides
Differen'ally Private Loca'on Privacy in Prac'ce Vincent Primault

Differen'ally Private Loca'on Privacy in Prac'ce Vincent Primault

Differen'ally Private Loca'on Privacy in Prac'ce Vincent Primault Sonia Ben Mokhtar Cdric Lauradoux Lionel Brunie May 17th 2014 Loca'on-based

620 views • 33 slides
Linked Data Asuncin Gmez-Prez Ontology Engineering Group Universidad Politcnica de

Linked Data Asuncin Gmez-Prez Ontology Engineering Group Universidad Politcnica de

Maximising (Re)Usability of Library metadata using Linked Data Asuncin Gmez-Prez Ontology Engineering Group Universidad Politcnica de Madrid asun@fi.upm.es @asungomezperez Acknowledgments: Daniel Vila Suero (Library linked data and

987 views • 77 slides
Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest

Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest

Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest Page 1 Agenda Need for data protection Encryption and Anonymization Current State of Encryption in Hadoop Demo Future focus

259 views • 25 slides

More recommend