Anonymity and Probabilistic Model Checking - PowerPoint PPT Presentation

Provided by: VitalySh6

1
Anonymity and Probabilistic Model Checking
CS 259
2008
John Mitchell
2
Course schedule
  • Lectures
  • Prob. model checking, other tools (with examples)
  • Homework 2
  • Posted last week, due Tues Feb 12
  • Simple exercises using probabilistic tool
  • Projects
  • Presentation 2: Feb 19, 21
  • Describe tool or approach and the properties you
    will check
  • Presentation 3: Mar 4 13 (two or three
    meetings)
  • Final results: turn in slides and tool input

3
Dining Cryptographers
  • Clever idea: how to make a message public in a
    perfectly untraceable manner
  • David Chaum. "The dining cryptographers problem:
    unconditional sender and recipient
    untraceability." Journal of Cryptology, 1988.
  • Guarantees information-theoretic anonymity for
    message senders
  • This is an unusually strong form of security:
    defeats an adversary who has unlimited computational
    power
  • Impractical: requires a huge amount of randomness
  • In a group of size N, need N random bits to send 1
    bit

4
Three-Person DC Protocol
  • Three cryptographers are having dinner.
  • Either NSA is paying for the dinner, or
  • one of them is paying, but wishes to remain
    anonymous.
  • Each diner flips a coin and shows it to his left
    neighbor.
  • Every diner will see two coins: his own and his
    right neighbor's.
  • Each diner announces whether the two coins are
    the same. If he is the payer, he lies (says the
    opposite).
  • Odd number of "same" ⇒ NSA is paying
  • Even number of "same" ⇒ one of them is
    paying
  • But a non-payer cannot tell which of the other
    two is paying!

5
Non-Payer's View: Same Coins
[Figure: the other two diners announce "same" and "different"; the coin between them is hidden (?)]
Without knowing the coin toss between the other
two, non-payer cannot tell which of them is lying
6
Non-Payer's View: Different Coins
[Figure: the other two diners announce "same" and "same"; the coin between them is hidden (?)]
Without knowing the coin toss between the other
two, non-payer cannot tell which of them is lying
7
Superposed Sending
  • This idea generalizes to any group of size N
  • For each bit of the message, every user generates
    1 random bit and sends it to 1 neighbor
  • Every user learns 2 bits (his own and his
    neighbor's)
  • Each user announces (own bit XOR neighbor's bit)
  • Sender announces (own bit XOR neighbor's bit XOR
    message bit)
  • XOR of all announcements = message bit
  • Every randomly generated bit occurs in this sum
    twice (and is canceled by XOR), message bit
    occurs once
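
Superposed sending as an added example (not part of the original slides): it runs one ring round, recovers the message bit, and enumerates every coin outcome to show that a participant's view is distributed identically whichever other member sent. The function names and the ring indexing (user i sees coins[i] and coins[i-1]) are assumptions of this sketch.

```python
from collections import Counter
from itertools import product

def announce(coins, sender=None, bit=0):
    """One DC-net round on a ring. User i flipped coins[i] and was shown
    coins[i-1] by a neighbour; it announces their XOR, and the sender
    (if any) additionally XORs in the message bit."""
    return tuple(coins[i] ^ coins[i - 1] ^ (bit if i == sender else 0)
                 for i in range(len(coins)))

def recover(announcements):
    """XOR of all announcements: every coin cancels, the message bit stays."""
    result = 0
    for a in announcements:
        result ^= a
    return result

def view_distribution(n, sender, bit, observer):
    """Exact distribution, over all 2^n coin outcomes, of what `observer`
    sees: the two coins it knows plus every public announcement."""
    views = Counter()
    for coins in product((0, 1), repeat=n):
        views[(coins[observer], coins[observer - 1],
               announce(coins, sender, bit))] += 1
    return views

def anonymity_set(n, observer, bit=1):
    """Senders (other than the observer) whose views are distributed
    identically to the first one's, i.e. the observer cannot separate them."""
    others = [s for s in range(n) if s != observer]
    reference = view_distribution(n, others[0], bit, observer)
    return [s for s in others
            if view_distribution(n, s, bit, observer) == reference]

if __name__ == "__main__":
    # Three diners, diner 2 pays (message bit 1); the coins are constructed sample values.
    ann = announce((1, 0, 1), sender=2, bit=1)
    print("announcements:", ann, "-> someone paid:", bool(recover(ann)))
    print("diner 0 cannot separate payers:", anonymity_set(3, observer=0))
    print("in a ring of 6, user 0 cannot separate:", anonymity_set(6, observer=0))
```

An announcement of 0 corresponds to "same" and 1 to "different" on the three-diner slides.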

8
DC-Based Anonymity is Impractical
  • Requires secure pairwise channels between group
    members
  • Otherwise, random bits cannot be shared
  • Requires massive communication overhead and large
    amounts of randomness
  • DC-net (a group of dining cryptographers) is
    robust even if some members cooperate
  • Guarantees perfect anonymity for the other
    members
  • A great protocol to analyze
  • Difficult to reason about each member's knowledge

9
Definitions of Anonymity
  • Anonymity is the state of being not identifiable
    within a set of subjects.
  • There is no such thing as absolute anonymity
  • Unlinkability of action and identity
  • E.g., sender and his email are no more related
    within the system than they are related in
    a-priori knowledge
  • Unobservability
  • Any item of interest (message, event, action) is
    indistinguishable from any other item of interest
  • "Anonymity is bullshit" - Joan Feigenbaum

10
Anonymity and Knowledge
  • Anonymity deals with hiding information
  • User's identity is hidden
  • Relationship between users is hidden
  • User cannot be identified within a set of
    suspects
  • Natural way to express anonymity is to state what
    the adversary should not know
  • Good application for logic of knowledge
  • Not supported by conventional formalisms for
    security (process calculi, I/O automata, ...)
  • To determine whether anonymity holds, need some
    representation of knowledge

11
k-Anonymity
  • Basic idea
  • Someone robbed the bank
  • Detectives know that it is one of k people
  • Advantage
  • Does not involve probability
  • Disadvantages
  • Does not involve probability
  • Depends on absence of additional information

12
Data Anonymity
  • Problem: de-identifying data does not necessarily
    make it anonymous. It can often be
    re-identified

Source: Latanya Sweeney
13
Date of birth, gender + 5-digit ZIP uniquely
identifies 87.1% of U.S. population
  • one ZIP code

Source: Latanya Sweeney
14
Anonymity via Random Routing
  • Hide message source by routing it randomly
  • Popular technique: Crowds, Freenet, Onion Routing
  • Routers don't know for sure if the apparent
    source of a message is the true sender or another
    router
  • Only secure against local attackers!

15
Onion Routing
[Reed, Syverson, Goldschlag '97]
[Figure: network of routers R; Alice reaches Bob through R1, R2, R3, R4]
  • Sender chooses a random sequence of routers
  • Some routers are honest, some hostile
  • Sender controls the length of the path
  • Similar to a MIX cascade
  • Goal: hostile routers shouldn't learn that Alice
    is talking to Bob

16
The Onion
[Figure: path Alice → R1 → R2 → R3 → R4 → Bob]
{R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), { {M}pk(B) }k4 }k3 }k2 }k1
  • Routing info for each link encrypted with
    router's public key
  • Each router learns only the identity of the next
    router

17
Crowds System
[Reiter, Rubin '98]
Messages encrypted with shared symmetric keys
[Figure: crowd members C and C0 ... C4, with sender and recipient; edges labeled pf and 1-pf]
  • Routers form a random path when establishing
    connection
  • In onion routing, random path is chosen in
    advance by sender
  • After receiving a message, honest router flips a
    biased coin
  • With probability pf randomly selects next router
    and forwards msg
  • With probability 1-pf sends directly to the
    recipient

18
Probabilistic Notions of Anonymity
  • Beyond suspicion
  • The observed source of the message is no more
    likely to be the true sender than anybody else
  • Probable innocence
  • Probability that the observed source of the
    message is the true sender is less than 50%
  • Possible innocence
  • Non-trivial probability that the observed source
    of the message is not the true sender

Guaranteed by Crowds if there are sufficiently
many honest routers: Ngood + Nbad ≥
pf/(pf-0.5)·(Nbad + 1)
19
A Couple of Issues
  • Is probable innocence enough?

[Figure: one crowd member marked 49, the others marked 1 each]
Maybe OK for "plausible deniability"
  • Multiple-paths vulnerability
  • Can attacker relate multiple paths from same
    sender?
  • E.g., browsing the same website at the same time
    of day
  • Each new path gives attacker a new observation
  • Can't keep paths static since members join and
    leave

20
Probabilistic Model Checking
  • Participants are finite-state machines
  • Same as Murφ
  • State transitions are probabilistic
  • Transitions in Murφ are nondeterministic
  • Standard intruder model
  • Same as Murφ: model cryptography with abstract
    data types
  • Murφ question
  • Is bad state reachable?
  • Probabilistic model checking question
  • What's the probability of reaching bad state?

[Figure: transitions with probabilities 0.2, 0.3, 0.5 leading toward a bad state]
21
Discrete-Time Markov Chains
(S, s0, T, L)
  • S is a finite set of states
  • s0 ∈ S is an initial state
  • T: S×S → [0,1] is the transition relation
  • ∀s∈S: Σs' T(s,s') = 1
  • L is a labeling function

22
Markov Chain Simple Example
Probabilities of outgoing transitions sum up to
1.0 for every state
[Figure: chain over states s0, A, B, C, D, E with transition probabilities 0.8, 0.2, 0.1, 0.9, 0.5, 0.5, 1.0, 1.0]
  • Probability of reaching E from s0 is
    0.2·0.5 + 0.8·0.1·0.5 = 0.14
  • The chain has infinite paths if state graph has
    loops
  • Need to solve a system of linear equations to
    compute probabilities

23
PRISM
Kwiatkowska et al., U. of Birmingham
  • Probabilistic model checker
  • System specified as a Markov chain
  • Parties are finite-state machines w/ local
    variables
  • State transitions are associated with
    probabilities
  • Can also have nondeterminism (Markov decision
    processes)
  • All parameters must be finite
  • Correctness condition specified as PCTL formula
  • Computes probabilities for each reachable state
  • Enumerates reachable states
  • Solves system of linear equations to find
    probabilities

24
PRISM Syntax
[Figure: the Markov chain from the previous slide]
module Simple
  state : [1..5] init 1;
  [] state=1 -> 0.8: (state'=2) + 0.2: (state'=3);
  [] state=2 -> 0.1: (state'=3) + 0.9: (state'=4);
  [] state=3 -> 0.5: (state'=4) + 0.5: (state'=5);
endmodule
IF state=3 THEN with prob. 50% assign 4 to
state, with prob. 50%
assign 5 to state
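
The reachability computation mentioned on the Markov chain and PRISM slides, as an added example (not code from the slides or from PRISM): it encodes the Simple module's transitions, finds the states that can reach the target, and solves the linear system exactly. Treating states 4 and 5 as absorbing and the LOOPED variant are assumptions made for this sketch.

```python
from fractions import Fraction as F

# Transition function T of the "Simple" module, keyed by the value of `state`.
# Assumption: states 4 and 5 have no commands on the slide, so they are
# modelled here as absorbing (probability-1 self-loops).
SIMPLE = {
    1: {2: F(8, 10), 3: F(2, 10)},
    2: {3: F(1, 10), 4: F(9, 10)},
    3: {4: F(1, 2), 5: F(1, 2)},
    4: {4: F(1)},
    5: {5: F(1)},
}
# Constructed variant with a loop: state 3 goes back to state 1 instead of 4,
# so infinitely many paths reach state 5 and summing them by hand no longer works.
LOOPED = {**SIMPLE, 3: {1: F(1, 2), 5: F(1, 2)}}

def can_reach(chain, targets):
    """States with some positive-probability path into `targets`."""
    seen, changed = set(targets), True
    while changed:
        changed = False
        for s, succ in chain.items():
            if s not in seen and any(t in seen for t in succ):
                seen.add(s)
                changed = True
    return seen

def reach_probability(chain, targets):
    """P(eventually reach targets) for every state: x = 1 on targets, x = 0
    where targets are unreachable, and x_s = sum_t T(s,t) * x_t elsewhere."""
    targets = set(targets)
    unknown = sorted(can_reach(chain, targets) - targets)
    col = {s: i for i, s in enumerate(unknown)}
    n = len(unknown)
    rows = []                                   # augmented matrix of (I - T) x = b
    for s in unknown:
        row = [F(0)] * (n + 1)
        row[col[s]] += 1
        for t, p in chain[s].items():
            if t in col:
                row[col[t]] -= p
            elif t in targets:
                row[n] += p
        rows.append(row)
    for c in range(n):                          # Gauss-Jordan elimination, exact
        piv = next(r for r in range(c, n) if rows[r][c] != 0)
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [v / rows[c][c] for v in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                f = rows[r][c]
                rows[r] = [v - f * w for v, w in zip(rows[r], rows[c])]
    result = {s: F(0) for s in chain}
    result.update({s: F(1) for s in targets})
    result.update({s: rows[col[s]][n] for s in unknown})
    return result

if __name__ == "__main__":
    print("Simple, P(reach state 5 from 1):", reach_probability(SIMPLE, {5})[1])
    print("Looped, P(reach state 5 from 1):", reach_probability(LOOPED, {5})[1])
```

On the loop-free chain the result equals the hand computation 0.14; on the looped variant the same 0.14 is retried after every return to state 1, which the solver folds into a single fraction.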
25
Modeling Crowds with PRISM
  • Model probabilistic path construction
  • Each state of the model corresponds to a
    particular stage of path construction
  • 1 router chosen, 2 routers chosen, ...
  • Three probabilistic transitions
  • Honest router chooses next router with
    probability pf, terminates the path with
    probability 1-pf
  • Next router is probabilistically chosen from N
    candidates
  • Chosen router is hostile with certain probability
  • Run path construction protocol several times and
    look at accumulated observations of the intruder

26
PRISM Path Construction in Crowds
module crowds
  . . .
  // N = total # of routers, C = # of corrupt routers
  // badC = C/N, goodC = 1-badC
  [] (!good & !bad) -> goodC: (good'=true) & (revealAppSender'=true) +
                       badC: (badObserve'=true);
  // Forward with probability PF, else deliver
  [] (good & !deliver) -> PF: (pIndex'=pIndex+1) & (forward'=true) +
                          notPF: (deliver'=true);
  . . .
endmodule
27
PRISM Intruder Model
module crowds
  . . .
  // Record the apparent sender and deliver
  [] (badObserve & appSender=0) -> (observe0'=observe0+1) & (deliver'=true);
  . . .
  // Record the apparent sender and deliver
  [] (badObserve & appSender=15) -> (observe15'=observe15+1) & (deliver'=true);
  . . .
endmodule
  • For each observed path, bad routers record
    apparent sender
  • Bad routers collaborate, so treat them as a
    single attacker
  • No cryptography, only probabilistic inference

28
PCTL Logic
[Hansson, Jonsson '94]
  • Probabilistic Computation Tree Logic
  • Used for reasoning about probabilistic temporal
    properties of probabilistic finite state spaces
  • Can express properties of the form "under any
    scheduling of processes, the probability that
    event E occurs is at least p"
  • By contrast, Murφ can express only properties of
    the form "does event E ever occur?"

29
PCTL Syntax
  • State formulas
  • First-order propositions over a single state
  • φ ::= True | a | φ ∧ φ | φ ∨ φ | ¬φ | P>p[ψ]
  • Path formulas
  • Properties of chains of states
  • ψ ::= X φ | φ U≤k φ | φ U φ

Predicate over state variables (just like a Murφ
invariant)
Path formula holds with probability > p
State formula holds for every state in the chain
First state formula holds for every state in the
chain until second becomes true
30
PCTL State Formulas
  • A state formula is a first-order state predicate
  • Just like non-probabilistic logic

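[Figure: Markov chain from s0 over states (x=1, y=1), (x=1, y=2), (x=2, y=0), (x=3, y=0) with transition probabilities 0.2, 0.8, 0.5, 0.5, 1.0, 1.0; each state is marked True or False]
  • φ = (y>1) | (x=1)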

31
PCTL Path Formulas
  • A path formula is a temporal property of a chain
    of states
  • φ1 U φ2: φ1 is true until φ2 becomes and stays
    true

[Figure: the same Markov chain over states (x=1, y=1), (x=1, y=2), (x=2, y=0), (x=3, y=0)]
  • ψ = (y>0) U (x>y) holds for this chain

32
PCTL Probabilistic State Formulas
  • Specify that a certain predicate or path formula
    holds with probability no less than some bound

[Figure: the same Markov chain; each state is marked True or False]
  • φ = P>0.5[(y>0) U (x=2)]

33
Intruder Model Redux
module crowds
  . . .
  // Record the apparent sender and deliver
  [] (badObserve & appSender=0) -> (observe0'=observe0+1) & (deliver'=true);
  . . .
  // Record the apparent sender and deliver
  [] (badObserve & appSender=15) -> (observe15'=observe15+1) & (deliver'=true);
  . . .
endmodule
Every time a hostile crowd member receives a
message from some honest member, he records his
observation (increases the count for that honest
member)
34
Negation of Probable Innocence
launch -> [true U (observe0 > observe1) & done] > 0.5
...
launch -> [true U (observe0 > observe9) & done] > 0.5
The probability of reaching a state in which
hostile crowd members completed their
observations and observed the true sender (crowd
member 0) more often than any of the other
crowd members (1 ... 9) is greater than 0.5
35
Analyzing Multiple Paths with PRISM
  • Use PRISM to automatically compute interesting
    probabilities for chosen finite configurations
  • Positive: P(K0 > 1)
  • Observing the true sender more than once
  • False positive: P(Ki≠0 > 1)
  • Observing a wrong crowd member more than once
  • Confidence: P(Ki≠0 ≤ 1 | K0 > 1)
  • Observing only the true sender more than once

Ki = how many times crowd member i was recorded
as apparent sender
36
Size of State Space
All hostile routers are treated as a single
router, selected with probability 1/6
37
Sender Detection (Multiple Paths)
  • All configurations satisfy probable innocence
  • Probability of observing the true sender
    increases with the number of paths observed
  • but decreases with the increase in crowd size
  • Is this an attack?
  • Reiter & Rubin: absolutely not
  • But
  • Can't avoid building new paths
  • Hard to prevent attacker from correlating
    same-sender paths

1/6 of routers are hostile
38
Attacker's Confidence
  • Confidence = probability of detecting only the
    true sender
  • Confidence grows with crowd size
  • Maybe this is not so strange
  • True sender appears in every path, others only
    with small probability
  • Once attacker sees somebody twice, he knows it's
    the true sender
  • Is this an attack?
  • Large crowds: lower probability to catch senders
    but higher confidence that the caught user is the
    true sender
  • But what about deniability?
  • But what about deniability?

1/6 of routers are hostile
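
The multiple-paths quantities (positive, false positive, confidence) computed exactly, as an added example that is not the PRISM model from the slides. It assumes the Reiter-Rubin path model (every hop uniform over all N members, only the first hostile router on a path records its predecessor) and a constructed forwarding probability pf = 4/5; all function names are hypothetical.

```python
from collections import defaultdict
from fractions import Fraction

def per_path(n, c, pf):
    """(a, b) for one path: a = P(collaborators record the true sender),
    b = P(they record one particular other honest member).
    Assumes the Reiter-Rubin path model: every hop is uniform over all n
    members, and only the first collaborator on the path records."""
    first_hop = Fraction(c, n)                    # sender hands off straight to a collaborator
    observed = Fraction(c) / (n - pf * (n - c))   # some collaborator is on the path
    later = (observed - first_hop) / (n - c)      # predecessor is uniform over honest members
    return first_hop + later, later

def observe(n, c, pf, paths):
    """Distribution over (K0 capped at 2, #others seen once, some other seen
    twice) after `paths` independent paths from one sender: itself a small DTMC."""
    a, b = per_path(n, c, pf)
    m = n - c - 1                                 # honest members other than the sender
    dist = {(0, 0, False): Fraction(1)}
    for _ in range(paths):
        nxt = defaultdict(Fraction)
        for (k0, once, dup), p in dist.items():
            nxt[(min(k0 + 1, 2), once, dup)] += p * a
            if dup:
                nxt[(k0, 0, True)] += p * b * m
            else:
                nxt[(k0, 0, True)] += p * b * once
                nxt[(k0, once + 1, False)] += p * b * (m - once)
            nxt[(k0, once, dup)] += p * (1 - a - b * m)
        dist = nxt
    return dist

def metrics(n, c, pf, paths):
    """(positive, false positive, confidence) as defined on the slide."""
    dist = observe(n, c, pf, paths)
    positive = sum(p for (k0, _, _), p in dist.items() if k0 == 2)
    false_pos = sum(p for (_, _, dup), p in dist.items() if dup)
    clean = sum(p for (k0, _, dup), p in dist.items() if k0 == 2 and not dup)
    return positive, false_pos, (clean / positive if positive else None)

if __name__ == "__main__":
    pf = Fraction(4, 5)                           # constructed value, not from the slides
    for n, c in ((6, 1), (12, 2), (24, 4)):       # 1/6 of routers hostile
        for paths in (2, 4, 8):
            pos, fp, conf = metrics(n, c, pf, paths)
            print(f"N={n:2} paths={paths}: positive={float(pos):.3f} "
                  f"false positive={float(fp):.3f} confidence={float(conf):.3f}")
```

Under these assumptions the output reproduces the trends stated on the slides: the positive rate rises with the number of paths and falls with crowd size, while confidence rises with crowd size.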
39
Probabilistic Contract Signing
Slides borrowed from Vitaly Shmatikov
40
Probabilistic Fair Exchange
  • Two parties exchange items of value
  • Signed commitments (contract signing)
  • Signed receipt for an email message (certified
    email)
  • Digital cash for digital goods (e-commerce)
  • Important if parties don't trust each other
  • Need assurance that if one does not get what it
    wants, the other doesn't get what it wants either
  • Fairness is hard to achieve
  • Gradual release of verifiable commitments
  • Convertible, verifiable signature commitments
  • Probabilistic notions of fairness

41
Properties of Fair Exchange Protocols
  • Fairness
  • At each step, the parties have approximately
    equal probabilities of obtaining what they want
  • Optimism
  • If both parties are honest, then exchange
    succeeds without involving a judge or trusted
    third party
  • Timeliness
  • If something goes wrong, the honest party does
    not have to wait for a long time to find out
    whether exchange succeeded or not

42
Rabin's Beacon
  • A beacon is a trusted party that publicly
    broadcasts a randomly chosen number between 1 and
    N every day
  • Michael Rabin. "Transaction protection by
    beacons." Journal of Computer and System
    Sciences, Dec 1983.

[Figure: timeline of daily beacon broadcasts from Jan 27 to Feb 1, showing the values 28, 25, 15, 11, 2, 2]
43
Contract
CONTRACT(A, B, future date D, contract terms)
Exchange of commitments must be concluded by this
date
44
Rabin's Contract Signing Protocol
sigA("I am committed if 1 is broadcast on day D")
sigB("I am committed if 1 is broadcast on day D")
CONTRACT(A, B, future date D, contract terms)
45
Probabilistic Fairness
  • Suppose B stops after receiving A's i-th message
  • B has sigA("committed if 1 is broadcast"),
  • sigA("committed if 2 is broadcast"),
  • sigA("committed if i is broadcast")
  • A has sigB("committed if 1 is broadcast"), ...
  • sigB("committed if i-1 is broadcast")
  • and beacon broadcasts number b on day D
  • If b < i, then both A and B are committed
  • If b > i, then neither A, nor B is committed
  • If b = i, then only A is committed

This happens only with probability 1/N
46
Properties of Rabin's Protocol
  • Fair
  • The difference between A's probability to obtain
    B's commitment and B's probability to obtain A's
    commitment is at most 1/N
  • But communication overhead is 2N messages
  • Not optimistic
  • Need input from third party in every transaction
  • Same input for all transactions on a given day
    sent out as a one-way broadcast. Maybe this is
    not so bad!
  • Not timely
  • If one of the parties stops communicating, the
    other does not learn the outcome until day D

47
BGMR Probabilistic Contract Signing
[Ben-Or, Goldreich, Micali, Rivest '85-90]
  • Doesn't need beacon input in every transaction
  • Uses sigA("I am committed with probability pA")
    instead of
  • sigA("I am committed if i is broadcast
    on day D")
  • Each party decides how much to increase the
    probability at each step
  • A receives sigB("I am committed with probability
    pB") from B
  • Sets pA = min(1, pB·α)
  • Sends sigA("I am committed with probability pA") to
    B
  • the algorithm for B is symmetric

α is a parameter chosen by A
48
BGMR Message Flow
CONTRACT(A, B, future date D, contract terms)
49
Conflict Resolution
sigA("I am committed with probability pA2")
50
Judge
  • Waits until date D to decide
  • Announces verdict to both parties
  • Tosses coin once for each contract
  • Remembers previous coin tosses
  • Constant memory: use pseudo-random functions with
    a secret input to produce repeatable coin tosses
    for each contract
  • Does not remember previous verdicts
  • Same coin toss combined with different evidence
    (signed message with a different probability
    value) may result in a different verdict

51
Privilege and Fairness
Privilege
A party is privileged if it has the evidence
to cause the judge to declare contract binding
Intuition: the contract binds either both
parties, or neither; what matters
is the ability to make the contract binding
Fairness
At any step where Prob(B is privileged) >
v, Prob(A is not privileged | B is privileged) < ε
Intuition: at each step, the parties should
have comparable probabilities of causing
the judge to declare contract binding
(privilege must be symmetric)
52
Properties of BGMR Protocol
  • Fair
  • Privilege is almost symmetric at each step
  • if Prob(B is privileged) > pA0, then
  • Prob(A is not privileged | B is privileged)
    < 1-1/α
  • Optimistic
  • Two honest parties don't need to invoke a judge
  • Not timely
  • Judge waits until day D to toss the coin
  • What if the judge tosses the coin and announces
    the verdict as soon as he is invoked?

53
Formal Model
  • Protocol should ensure fairness given any
    possible behavior by a dishonest participant
  • Contact judge although communication hasn't
    stopped
  • Contact judge more than once
  • Delay messages from judge to honest participant
  • Need nondeterminism
  • To model dishonest participant's choice of
    actions
  • Need probability
  • To model judge's coin tosses
  • The model is a Markov decision process

54
Constructing the Model
  • Discretize probability space of coin tosses
  • The coin takes any of N values with equal
    probability
  • Fix each party's probability step
  • Rate of increases in the probability value
    contained in the party's messages determines how
    many messages are exchanged
  • A state is unfair if privilege is asymmetric
  • Difference in evidence, not difference in
    commitments
  • Compute probability of reaching an unfair state
    for different values of the parties' probability
    steps

Defines state space
Use PRISM
55
Attack Strategy
  • Dishonest B's probability of driving the protocol
    to an unfair state is maximized by this strategy
  • Contact judge as soon as first message from A
    arrives
  • Judge tries to send verdict to A (the verdict is
    probably negative, since A's message contains a
    low probability value)
  • B delays judge's verdicts sent to A
  • B contacts judge again with each new message from
    A until a positive verdict is obtained
  • This strategy only works in the timely protocol
  • In the original protocol, coin is not tossed and
    verdict is not announced until day D
  • Conflict between optimism and timeliness

56
Analysis Results
Probability of reaching a state where B is
privileged and A is not
Increase in B's probability value at each
step (lower increase means more messages must be
exchanged)
For a higher probability of winning, dishonest B
must exchange more messages with honest A
57
Attacker's Tradeoff
Expected number of messages before unfair state
is reached
Probability of reaching a state where B is
privileged and A is not
  • Linear tradeoff for dishonest B between
    probability of winning and ability to delay
    judge's messages to A
  • Without complete control of the communication
    network, B may settle for a lower probability of
    winning

58
Summary
  • Probabilistic contract signing is a good testbed
    for probabilistic model checking techniques
  • Standard formal analysis techniques not
    applicable
  • Combination of nondeterminism and probability
  • Good for quantifying tradeoffs
  • Probabilistic contract signing is subtle
  • Unfairness as asymmetric privilege
  • Optimism cannot be combined with timeliness, at
    least not in the obvious way