Compositionality of Secure Information Flow Christelle Braun, Ecole Polytechnique Kostas Chatzikokolakis, University of Eindhoven Catuscia Palamidessi, INRIA & Ecole Polytechnique
Probabilistic Methods for Security Outline • Motivations and goals • Examples of Information-hiding protocols • A general Information-Theoretic model • Degree of Protection - Probability of error • A probabilistic process calculus • Compositionality results • Some applications Braun, Chatzikokolakis, Palamidessi AMAST 2010 2
Probabilistic Methods for Security Motivations • The protection of private / secret / classified information is an important issue in the modern world • We are interested in probabilistic aspects because the protocols for information hiding often use randomization • We are interested in compositionality because the presence of probability and concurrency makes verification difficult Braun, Chatzikokolakis, Palamidessi AMAST 2010 3
Probabilistic Methods for Security Goals • An appropriate notion of information protection • Quantitative - probabilistic • Taking concurrency into account • A probabilistic process calculus • Compositionality results for (some of) the operators • If Pt (P) ≥α and Pt (Q) ≥α then Pt (P op Q) ≥α Braun, Chatzikokolakis, Palamidessi AMAST 2010 4
Probabilistic Methods for Security Outline • Motivations and goals • Examples of information-hiding protocols • The general framework • Degree of protection - Probability of error • A probabilistic process calculus • Compositionality results • Some applications Braun, Chatzikokolakis, Palamidessi AMAST 2010 5
Compositional Methods for Information-Hiding Example: Chaum’s generalized dining cryptographers • A set of cryptographers (nodes) with some communication channels (edges). • They have a dinner. An external entity may select one of them to pay for the bill • The cryptographers want to find out whether one of them is the payer, without getting to know who is he Braun, Chatzikokolakis, Palamidessi AMAST 2010 6
Compositional Methods for Information-Hiding Chaum’s solution to the generalized dining cryptogr. • Associate to each edge a fair coin • Toss the coins • Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1 • Theorem 1: There is a payer iff the total sum is 1 Braun, Chatzikokolakis, Palamidessi AMAST 2010 7
Compositional Methods for Information-Hiding Chaum’s solution to the generalized dining cryptogr. • Associate to each edge a fair coin • Toss the coins • Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1 • Theorem 1: There is a payer iff the total sum is 1 Braun, Chatzikokolakis, Palamidessi AMAST 2010 8
Compositional Methods for Information-Hiding Chaum’s solution to the generalized dining cryptogr. 0 1 • Associate to each edge a fair coin • Toss the coins • Each cryptograher announces the binary sum of the incident edges. If there is a payer, he adds 1 • Theorem 1: There is a payer iff the total sum is 1 Braun, Chatzikokolakis, Palamidessi AMAST 2010 9
Compositional Methods for Information-Hiding Chaum’s solution to the generalized dining cryptogr. 1 1 • Associate to each edge a fair coin • Toss the coins 0 • Each cryptograher announces the binary 1 sum of the incident edges. If there is a 0 payer, he adds 1 • Theorem 1: There is a payer iff the total 0 sum is 1 0 Braun, Chatzikokolakis, Palamidessi AMAST 2010 10
Compositional Methods for Information-Hiding Chaum’s solution to the generalized dining cryptogr. 1 1 • 0 Theorem 2 (Strong anonymity): If the coins are fair, then 1 the a posteriori probability that a 0 certain node be the payer is equal to its a priori probability 0 0 Braun, Chatzikokolakis, Palamidessi AMAST 2010 11
Probabilistic Methods for Security Example: Crowds • A crowd is a group of n nodes • The initiator selects randomly a node (called forwarder) and forwards the request to it • A forwarder: server • With prob. p f selects randomly a new node and forwards the request to him • With prob. 1 -p f sends the request to the server Braun, Chatzikokolakis, Palamidessi AMAST 2010 12
Probabilistic Methods for Security Common features of information-hiding protocols • There is information that we want to keep hidden - the user who pays in D.C. - the user who initiates the request in Crowds • There is information that is revealed (observables) - agree/disagree in D.C. - the users who forward messages to a corrupted user in Crowds • Protocols often use randomization to hide the link between hidden and observable information - coin tossing in D.C. - random forwarding to another user in Crowds Braun, Chatzikokolakis, Palamidessi AMAST 2010 13
Probabilistic Methods for Security Outline • Motivations and goals • Examples of information-hiding protocols • The general framework • Degree of protection - Probability of error • A probabilistic process calculus • Compositionality results • Some applications Braun, Chatzikokolakis, Palamidessi AMAST 2010 14
Probabilistic Methods for Security Assumptions • We consider probabilistic protocols • Inputs: elements of a random variable S • Outputs: elements of a random variable O • For each input s, the probability that we obtain an observable o is given by p(o | s) • We assume that the protocol at each session receives exactly one input and produces exactly one output • We want to define the degree of protection independently from the input’s distribution, i.e. the users of the protocol Braun, Chatzikokolakis, Palamidessi AMAST 2010 15
Probabilistic Methods for Security Information Observables to be protected s 1 o 1 Protocol .. .. . . s m o n Input Output General framework: Protocols as Information-Theoretic channels Braun, Chatzikokolakis, Palamidessi AMAST 2010 16
Probabilistic Methods for Security s 1 o 1 .. .. .. . . . s m o n Protocols are noisy channels. Each run has 1 input and 1 output, but: - an input can generate different outputs (randomly choosen) - an output can be generated by different inputs Braun, Chatzikokolakis, Palamidessi AMAST 2010 17
Probabilistic Methods for Security aad C 1 ada C 2 daa C 3 ddd Example: The dining cryptographers Braun, Chatzikokolakis, Palamidessi AMAST 2010 18
Probabilistic Methods for Security p(o 1 |s 1 ) s 1 o 1 .. .. .. . . . p(o n |s 1 ) s m o n The conditional probabilities Braun, Chatzikokolakis, Palamidessi AMAST 2010 19
Probabilistic Methods for Security ... o 1 o n ... s 1 p(o 1 |s 1 ) p(o n |s 1 ) .. .. . . s m p(o 1 |s m ) p(o n |s m ) The channel matrix: the array of conditional probabilities Braun, Chatzikokolakis, Palamidessi AMAST 2010 20
Probabilistic Methods for Security Outline • Motivations and goals • Examples of information-hiding protocols • The general framework • Degree of protection - Probability of error • A probabilistic process calculus • Compositionality results • Some applications Braun, Chatzikokolakis, Palamidessi AMAST 2010 21
Probabilistic Methods for Security Probability of error • Hypothesis testing • Goal: try to guess the true hypothesis (input) once the observable (output) is known • Decision function: f : O → S • Probability of error for an input (a priori) distribution π : the probability of guessing the wrong hypothesis P ( f, M , π ) = ∑ O p ( o ) ( 1 - p ( f ( o ) | o ) ) • From Bayes theorem: Braun, Chatzikokolakis, Palamidessi AMAST 2010 22
Probabilistic Methods for Security The MAP rule • MAP decision function: • Choose the hypothesis which has Maximum Aposteriori Probability, i.e. max p ( f ( o ) | o ) or, equivalently, max p ( o | f ( o )) π f ( o ) • The MAP decision function minimizes the probability of error • The probability of error for the MAP rule is called Bayes risk and it is given by Braun, Chatzikokolakis, Palamidessi AMAST 2010 23
Probabilistic Methods for Security Maximum Likelihood • If we don’t know the input distribution, we can approximate the MAP by selecting the hypothesis with Maximum Likelihood, i.e. max p ( o | f ( o )) • In the case of the ML rule, the probability of error is given by • Abstracting from the input distribution: • It turns out that this is the same as computing the Bayes risk on the uniform input distribution, so in the rest of this talk we will only consider the MAP Braun, Chatzikokolakis, Palamidessi AMAST 2010 24
Probabilistic Methods for Security Outline • Motivations and goals • Examples of information-hiding protocols • The general framework • Degree of protection - Probability of error • A probabilistic process calculus • Compositionality results • Some applications Braun, Chatzikokolakis, Palamidessi AMAST 2010 25
Probabilistic Methods for Security CCSp: A probabilistic Process Calculus Braun, Chatzikokolakis, Palamidessi AMAST 2010 26
Probabilistic Methods for Security The operational semantics • Based on Segala & Lynch Probabilistic Automata • Both probabilistic and nondeterministic behaviors Braun, Chatzikokolakis, Palamidessi AMAST 2010 27
Recommend
More recommend