Theorem-proving Privacy and Anonymity Yoshinobu KAWABE NTT - - PowerPoint PPT Presentation



SLIDE 1

Theorem-proving Privacy and Anonymity

Yoshinobu KAWABE, NTT Communication Science Laboratories, NTT Corporation

SLIDE 2

References

  • Simulation-based proof method of privacy/anonymity
    – Y. Kawabe, K. Mano, H. Sakurada and Y. Tsukada. Theorem-proving anonymity of infinite state systems. Information Processing Letters, vol. 101, no. 1, 2007.
    – Y. Kawabe, K. Mano, H. Sakurada and Y. Tsukada. Backward simulations for anonymity. WITS ’06 (full version: submitted for journal publication).
    – I. Hasuo and Y. Kawabe. Probabilistic anonymity via coalgebraic simulations. Submitted for publication.

SLIDE 3

Online privacy / online anonymity is attracting growing:

  • Threats
    – ISPs in the EU are forced to keep logs of your web access
  • Public concerns
    – You don’t care?
  • Research interest
    – See the Anonymity Bibliography, http://freehaven.net/anonbib/
    – No decisive definition for “privacy”, “anonymity”, etc.

SLIDE 4

Overview of this talk

  • A formal definition of anonymity which is based on traces [ESORICS ’96, Schneider & Sidiropoulos]
  • Simulation-based proof method for trace anonymity
  • Theorem-proving anonymity

Proving trace inclusion by simulation [Lynch & Vaandrager]

SLIDE 5

Contents

  • A method to prove anonymity (= privacy)
  • Formalization of anonymity & anonymous simulation technique
  • Theorem-proving anonymity/privacy
  • Crowds protocol
SLIDE 6–8 (incremental build of one slide)

What is anonymity?

  • Nobody can know “who it is”.
  • Key notion: Principle of confusion

[Figure: a person whose face is hidden; caption “Who?”]

Adversary’s viewpoint: This person looks like Kawabe … but his face is hidden. This person might not be Kawabe.

[Figure: a photo of people releasing sea turtles; caption “Who? Can you find me?”]

Adversary’s viewpoint: The guys in this photo are too small! I cannot recognize Kawabe!

SLIDE 9–12 (incremental build of one slide)

“Trace” anonymity [Schneider & Sidiropoulos, ESORICS ’96]

  • Anonymous donation as an example

[Figure: two donation protocols, X and X′, each drawn with the two orderings Alice/Bob and Bob/Alice. Legend: actor action (invisible for the adversary); observable action. Caption: “Are these protocols anonymous?” Verdicts shown: “Anonymous!” and “Not anonymous!”]

Definition (Trace anonymity): the observation can be attributed to anybody (Bob, Chris, Alice, …). Confusion!

SLIDE 13

How to prove anonymity?

  • -- Find an anonymous simulation!

Definition (Anonymous simulation)

  • Binary relation as over states(X)
  • 1. Initial state condition: as(s, s) for any s ∈ start(X)
  • 2. Step correspondence condition: whenever as(s1, t1) and s1 —a→ s2 in X,
    – (Case 1) a is an actor action: for every actor action a′ there exists t2 such that t1 —a′→ t2 and as(s2, t2)
    – (Case 2) a is not an actor action: there exists t2 such that t1 —a→ t2 and as(s2, t2)

[Figure: the two cases drawn as commuting squares over s1, s2, t1, t2 with edges a and a′ and the relation as on both sides; the quantifiers ∀ (over a′) and ∃ (over t2) are marked.]

SLIDE 14–16 (incremental build of one slide)

Soundness of the technique

  • An anonymous simulation is a simulation from anonym(X) to X.

[Thm] ∃ simulation from X to Y ⇒ traces(X) ⊆ traces(Y). [Lynch and Vaandrager, Inform. & Comput. 1995]

[Figure: the automaton X (Alice/Bob and Bob/Alice orderings) beside anonym(X), the “anonymized” version of X, which is trivially anonymous.]

  • traces(X) ⊆ traces(anonym(X)) is trivial. ⇒ traces(X) = traces(anonym(X)) holds!
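The definition of trace anonymity (slides 9–12), the anonymous-simulation conditions (slide 13) and the soundness argument above, worked through on finite automata as an added example. This is Python written for this page, not code from the talk, the papers or the IOA-Toolkit. The two donation automata, the action names, the `anonym`, `traces` and `is_anonymous_simulation` helpers and the trace-length bound are all constructed assumptions; the check goes slightly beyond the slides by also confirming the two trace sets really coincide.

```python
from itertools import permutations

# Constructed toy models of the "anonymous donation" example (not the talk's own
# IOA specifications). An automaton is (start_states, transitions); a transition is
# (state, action, next_state). Actor actions are ("donate", principal); every other
# action is observable to the adversary.
ACTORS = ("Alice", "Bob")

def is_actor_action(a):
    return isinstance(a, tuple) and a[0] == "donate"

# X: either principal may donate; the bank's observable behaviour is the same either way.
DONATION_ANON = ({0}, [(0, ("donate", "Alice"), 1), (0, ("donate", "Bob"), 1),
                       (1, "bank_receives", 2)])
# X': the observable action depends on who donated (Alice pays by cheque, Bob in cash).
DONATION_LEAKY = ({0}, [(0, ("donate", "Alice"), 1), (0, ("donate", "Bob"), 2),
                        (1, "bank_receives_cheque", 3), (2, "bank_receives_cash", 3)])

def traces(aut, bound=8):
    """Prefix-closed set of action sequences (length <= bound) from a start state."""
    start, trans = aut
    seen, frontier = set(), [(s, ()) for s in start]
    while frontier:
        s, tr = frontier.pop()
        seen.add(tr)
        if len(tr) < bound:
            frontier.extend((q, tr + (a,)) for (p, a, q) in trans if p == s)
    return seen

def trace_anonymous(aut):
    """Schneider-Sidiropoulos trace anonymity: renaming the actors inside any trace
    of X must again give a trace of X (the observation is attributable to anybody)."""
    T = traces(aut)
    for perm in permutations(ACTORS):
        pi = dict(zip(ACTORS, perm))
        for t in T:
            renamed = tuple(("donate", pi[a[1]]) if is_actor_action(a) else a for a in t)
            if renamed not in T:
                return False
    return True

def anonym(aut):
    """anonym(X): every actor-action step may be taken by any actor (trivially anonymous)."""
    start, trans = aut
    new = []
    for (p, a, q) in trans:
        if is_actor_action(a):
            new.extend((p, ("donate", x), q) for x in ACTORS)
        else:
            new.append((p, a, q))
    return (start, new)

def steps(aut, t1, a):
    """Successor states of t1 under action a in X."""
    return [q for (p, b, q) in aut[1] if p == t1 and b == a]

def is_anonymous_simulation(aut, rel):
    """Slide 13: rel is a candidate relation, a set of (s, t) pairs over states(X)."""
    start, trans = aut
    # 1. Initial state condition: as(s, s) for every start state s.
    if any((s, s) not in rel for s in start):
        return False
    # 2. Step correspondence for every related pair and every step s1 -a-> s2 of X.
    for (s1, t1) in rel:
        for (p, a, s2) in trans:
            if p != s1:
                continue
            if is_actor_action(a):
                # Case 1: for EVERY actor action a', X must take a' from t1 to some t2
                # related to s2 (exactly the steps anonym(X) can take from s1).
                ok = all(any((s2, t2) in rel for t2 in steps(aut, t1, ("donate", x)))
                         for x in ACTORS)
            else:
                # Case 2: an ordinary step is matched by the same action a.
                ok = any((s2, t2) in rel for t2 in steps(aut, t1, a))
            if not ok:
                return False
    return True

def identity_relation(aut):
    """The candidate relation used here: as(s, t) iff s = t."""
    start, trans = aut
    states = set(start) | {p for (p, _, _) in trans} | {q for (_, _, q) in trans}
    return {(s, s) for s in states}

def soundness_holds(aut):
    """Lynch-Vaandrager: a simulation from anonym(X) to X gives traces(anonym(X)) ⊆ traces(X);
    the reverse inclusion is trivial, so both trace sets coincide."""
    return traces(anonym(aut)) == traces(aut)

if __name__ == "__main__":
    for name, aut in (("X", DONATION_ANON), ("X'", DONATION_LEAKY)):
        print(name, "trace-anonymous:", trace_anonymous(aut),
              "| identity is an anonymous simulation:", is_anonymous_simulation(aut, identity_relation(aut)),
              "| traces(X) = traces(anonym(X)):", soundness_holds(aut))
```

For X the identity relation satisfies both conditions, so the trace sets of X and anonym(X) coincide and X is trace-anonymous; for X′ the step correspondence fails at the start state (anonym(X′) can take donate(Bob) into the cheque branch, X′ cannot), and the direct permutation check reports the leak. Trace enumeration is bounded, so for cyclic automata this is a bounded check only; the theorem-proving approach in the talk does not have that limitation.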

SLIDE 17

Contents

  • A method to prove anonymity (= privacy)
  • Formalization of anonymity & anonymous simulation technique
  • Theorem-proving anonymity/privacy
  • Crowds protocol
SLIDE 18–19 (incremental build of one slide)

An example: Crowds [Reiter & Rubin, ACM Trans. 1998]

  • Communication system for anonymous web access

[Figure: a crowd of agents between the initiator and the web site. The next agent is chosen randomly. Forwarders might be “corrupt”, reporting to the adversary, who observes.]

Anonymous = the adversary cannot know the initiator.

SLIDE 20

Theorem-proving anonymity of the Crowds example

  • Steps
    – Specify the system in the IOA language, a formal specification language based on I/O automata
    – Translate the specification into LP’s language (first-order logic formulae) with the IOA-Toolkit
    – Prove anonymity with the Larch Prover (LP) by proving that there is an anonymous simulation

SLIDE 21

IOA language

  • Formal specification language based on I/O automata
    – I/O automaton (N. Lynch): formal system to describe and analyze distributed algorithms
  • Formalization of distributed algorithms in IOA
    – Actions: precondition-effect style (i.e. if ~ then ~)
    – Data: (many-sorted) equational theory
  • LSL (Larch Specification Language)
SLIDE 22

Specification of Crowds

[Figure: the Crowds diagram again (initiator, randomly chosen next agents, web site); forwarders might be “corrupt”, reporting to the adversary, who observes.]
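A bounded model of Crowds written in the precondition-effect style of slide 21, as an added example for the Crowds slides (18–19 and 22). It is Python written for this page, not the talk's IOA specification and not IOA-Toolkit output. The member names, the rule that a corrupt member delivers the request as soon as it receives it, the assumption that the adversary also learns which member contacted the web site, and the forwarding bound are all constructed assumptions.

```python
# Constructed, bounded model of Crowds in IOA's precondition-effect style
# (an assumption for illustration, not the talk's own IOA specification).
HONEST = ("Alice", "Bob", "Carol")
CORRUPT = ("Mallory",)
MEMBERS = HONEST + CORRUPT

# A state is (route, delivered): route is the tuple of members the request has
# visited so far (route[0] is the initiator); delivered says the web site has it.
START = ((), False)

def enabled(state, max_hops):
    """Precondition part: the actions enabled in this state."""
    route, delivered = state
    if delivered:
        return []
    if not route:                                   # actor action: who initiates
        return [("initiate", i) for i in HONEST]
    cur = route[-1]
    acts = [("deliver", cur)]                       # hand the request to the web site
    if cur not in CORRUPT and len(route) - 1 < max_hops:
        # "Next agent is chosen randomly": modelled as a nondeterministic choice
        # over all members (a member may pick itself, as in Crowds).
        acts += [("forward", cur, nxt) for nxt in MEMBERS]
    return acts

def effect(state, action):
    """Effect part: the successor state of taking an action."""
    route, _ = state
    if action[0] == "initiate":
        return ((action[1],), False)
    if action[0] == "forward":
        return (route + (action[2],), False)
    return (route, True)                            # deliver

def adversary_view(route):
    """The adversary's observation of one completed route: a corrupt member reports
    who handed it the request (assumption: it then delivers directly), and the web
    site sees which member delivered. The initiate action itself is invisible."""
    view = []
    for prev, cur in zip(route, route[1:]):
        if cur in CORRUPT:
            view.append(("corrupt_report", cur, prev))
            break
    view.append(("site_receives", route[-1]))
    return tuple(view)

def views_by_initiator(max_hops):
    """Explore every execution with at most max_hops forwarding steps and group the
    adversary's view of each delivered request by its (hidden) initiator."""
    views = {i: set() for i in HONEST}
    stack = [START]
    while stack:
        state = stack.pop()
        route, delivered = state
        if delivered:
            views[route[0]].add(adversary_view(route))
            continue
        stack.extend(effect(state, a) for a in enabled(state, max_hops))
    return views

def confusion_holds(max_hops):
    """Trace-style anonymity of the initiator: every observation one honest member can
    cause as initiator, every other honest member can cause too."""
    views = views_by_initiator(max_hops)
    return all(views[i] == views[j] for i in HONEST for j in HONEST)

if __name__ == "__main__":
    for hops in range(4):
        print(f"max forwarding hops = {hops}: confusion holds = {confusion_holds(hops)}")
```

With no forwarding the web site always sees the initiator, and with a single hop the corrupt member's report pins down who initiated; from two hops on, every report a corrupt member can file and every member the site can see is attributable to any honest initiator, which is the possibilistic confusion property the talk proves. The model says nothing about how likely each attribution is; that is the probabilistic (probable innocence) setting listed under ongoing work.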

SLIDE 23

IOA-Toolkit

  • Collection of formal verification tools for distributed systems

Compiling .ioa into .lp with the IOA-Toolkit (tool chain as drawn on the slide):

  Source file (.ioa) → ioaCheck → il2lsl → .lsl (together with .lsl libraries) → lsl → target file (.lp) → Larch Prover: prove anonymity

SLIDE 24

Theorem-proving anonymity

  • Introducing a candidate relation as
  • Proving that as is an anonymous simulation
    – Initial state condition
    – Step correspondence condition (for actor actions)

SLIDE 25

Conclusion

  • A technique to theorem-prove anonymity of security protocols
    – Simulation technique for trace-based anonymity
  • Example
    – Crowds

SLIDE 26

Coming soon with theorem provers

SLIDE 27

Ongoing work

  • Simulation-based proof techniques for probabilistic anonymity
    – Conditional anonymity (with Ichiro Hasuo)
      • With coalgebras, our method is extended.
    – Probable innocence (with Hideki Sakurada and Ichiro Hasuo)
  • Verifying anonymity for protocols in the presence of intruders

SLIDE 28

Questions?