Results 1  10
of
53
Verifying privacytype properties of electronic voting protocols
"... Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three p ..."
Abstract

Cited by 61 (34 self)
 Add to MetaCart
Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three privacytype properties of electronic voting protocols: in increasing order of strength, they are voteprivacy, receiptfreeness, and coercionresistance. We use the applied pi calculus, a formalism well adapted to modelling such protocols, which has the advantages of being based on wellunderstood concepts. The privacytype properties are expressed using observational equivalence and we show in accordance with intuition that coercionresistance implies receiptfreeness, which implies voteprivacy. We illustrate our definitions on three electronic voting protocols from the literature. Ideally, these three properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy receiptfreeness or coercionresistance may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.
On the Foundations of Quantitative Information Flow
"... Abstract. There is growing interest in quantitative theories of information flow in a variety of contexts, such as secure information flow, anonymity protocols, and sidechannel analysis. Such theories offer an attractive way to relax the standard noninterference properties, letting us tolerate “sma ..."
Abstract

Cited by 51 (6 self)
 Add to MetaCart
Abstract. There is growing interest in quantitative theories of information flow in a variety of contexts, such as secure information flow, anonymity protocols, and sidechannel analysis. Such theories offer an attractive way to relax the standard noninterference properties, letting us tolerate “small ” leaks that are necessary in practice. The emerging consensus is that quantitative information flow should be founded on the concepts of Shannon entropy and mutual information.Butauseful theory of quantitative information flow must provide appropriate security guarantees: if the theory says that an attack leaks x bits of secret information, then x should be useful in calculating bounds on the resulting threat. In this paper, we focus on the threat that an attack will allow the secret to be guessed correctly in one try. With respect to this threat model, we argue that the consensus definitions actually fail to give good security guarantees—the problem is that a random variable can have arbitrarily large Shannon entropy even if it is highly vulnerable to being guessed. We then explore an alternative foundation based on a concept of vulnerability (closely related to Bayes risk) and which measures uncertainty using Rényi’s minentropy, rather than Shannon entropy. 1
On the Bayes Risk in InformationHiding Protocols ∗
"... Randomized protocols for hiding private information can be regarded as noisy channels in the informationtheoretic sense, and the inference of the concealed information can be regarded as a hypothesistesting problem. We consider the Bayesian approach to the problem, and investigate the probability ..."
Abstract

Cited by 17 (9 self)
 Add to MetaCart
Randomized protocols for hiding private information can be regarded as noisy channels in the informationtheoretic sense, and the inference of the concealed information can be regarded as a hypothesistesting problem. We consider the Bayesian approach to the problem, and investigate the probability of error associated to the MAP (Maximum Aposteriori Probability) inference rule. Our main result is a constructive characterization of a convex base of the probability of error, which allows us to compute its maximum value (over all possible input distributions), and to identify upper bounds for it in terms of simple functions. As a side result, we are able to improve the HellmanRaviv and the SanthiVardy bounds expressed in terms of conditional entropy. We then discuss an application of our methodology to the Crowds protocol, and in particular we show how to compute the bounds on the probability that an adversary break anonymity. 1
Measuring anonymity with relative entropy
 In Proceedings of the 4th International Workshop on Formal Aspects in Security and Trust, volume 4691 of LNCS
, 2007
"... Abstract. Anonymity is the property of maintaining secret the identity of users performing a certain action. Anonymity protocols often use random mechanisms which can be described probabilistically. In this paper, we propose a probabilistic process calculus to describe protocols for ensuring anonymi ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Abstract. Anonymity is the property of maintaining secret the identity of users performing a certain action. Anonymity protocols often use random mechanisms which can be described probabilistically. In this paper, we propose a probabilistic process calculus to describe protocols for ensuring anonymity, and we use the notion of relative entropy from information theory to measure the degree of anonymity these protocols can guarantee. Furthermore, we prove that the operators in the probabilistic process calculus are nonexpansive, with respect to this measuring method. We illustrate our approach by using the example of the Dining Cryptographers Problem. 1
Probability of Error in InformationHiding Protocols
 in "Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF20)", IEEE Computer Society
"... There are many bounds known in literature for the Bayes ’ risk. One of these is the equivocation bound, due to Rényi [22], which states that the probability of error is bound by the conditional entropy of the channel’s input given the output. Later, Hellman and Raviv improved this bound by half [13] ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
There are many bounds known in literature for the Bayes ’ risk. One of these is the equivocation bound, due to Rényi [22], which states that the probability of error is bound by the conditional entropy of the channel’s input given the output. Later, Hellman and Raviv improved this bound by half [13]. Recently, Santhi and Vardy have proposed a new bound, that depends exponentially on the (opposite of the) conditional entropy, and which considerably improves the HellmanRaviv bound in the case of multiinria00200957,
Informationtheoretic bounds for differentially private mechanisms
 In 24rd IEEE Computer Security Foundations Symposium, CSF 2011. IEEE Computer Society, Los Alamitos
"... Abstract—There are two active and independent lines of research that aim at quantifying the amount of information that is disclosed by computing on confidential data. Each line of research has developed its own notion of confidentiality: on the one hand, differential privacy is the emerging consensu ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
Abstract—There are two active and independent lines of research that aim at quantifying the amount of information that is disclosed by computing on confidential data. Each line of research has developed its own notion of confidentiality: on the one hand, differential privacy is the emerging consensus guarantee used for privacypreserving data analysis. On the other hand, informationtheoretic notions of leakage are used for characterizing the confidentiality properties of programs in languagebased settings. The purpose of this article is to establish formal connections between both notions of confidentiality, and to compare them in terms of the security guarantees they deliver. We obtain the following results. First, we establish upper bounds for the leakage of every ɛdifferentially private mechanism in terms of ɛ and the size of the mechanism’s input domain. We achieve this by identifying and leveraging a connection to coding theory. Second, we construct a class of ɛdifferentially private channels whose leakage grows with the size of their input domains. Using these channels, we show that there cannot be domainsizeindependent bounds for the leakage of all ɛdifferentially private mechanisms. Moreover, we perform an empirical evaluation that shows that the leakage of these channels almost matches our theoretical upper bounds, demonstrating the accuracy of these bounds. Finally, we show that the question of providing optimal upper bounds for the leakage of ɛdifferentially private mechanisms in terms of rational functions of ɛ is in fact decidable.
Computing the Leakage of InformationHiding Systems
"... Abstract. We address the problem of computing the information leakage of a system in an efficient way. We propose two methods: one based on reducing the problem to reachability, and the other based on techniques from quantitative counterexample generation. The second approach can be used either for ..."
Abstract

Cited by 9 (6 self)
 Add to MetaCart
Abstract. We address the problem of computing the information leakage of a system in an efficient way. We propose two methods: one based on reducing the problem to reachability, and the other based on techniques from quantitative counterexample generation. The second approach can be used either for exact or approximate computation, and provides feedback for debugging. These methods can be applied also in the case in which the input distribution is unknown. We then consider the interactive case and we point out that the definition of associated channel proposed in literature is not sound. We show however that the leakage can still be defined consistently, and that our methods extend smoothly. 1
Information Flow in Interactive Systems
, 2010
"... Abstract. We consider the problem of defining the information leakage in interactive systems where secrets and observables can alternate during the computation. We show that the informationtheoretic approach which interprets such systems as (simple) noisy channels is not valid anymore. However, the ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
Abstract. We consider the problem of defining the information leakage in interactive systems where secrets and observables can alternate during the computation. We show that the informationtheoretic approach which interprets such systems as (simple) noisy channels is not valid anymore. However, the principle can be recovered if we consider more complicated types of channels, that in Information Theory are known as channels with memory and feedback. We show that there is a complete correspondence between interactive systems and such kind of channels. Furthermore, we show that the capacity of the channels associated to such systems is a continuous function of the Kantorovich metric. 1
A semiringbased trace semantics for processes with applications to information leakage analysis
 In 6th IFIP TC 1/WG 2.2 Int. Conf. TCS 2010, Part of WCC2010 Proceedings
, 2010
"... Abstract. We propose a framework for reasoning about program security building on languagetheoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on hig ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
Abstract. We propose a framework for reasoning about program security building on languagetheoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on high traces, the more secure the system. We take the abstract view that low events are drawn from a generic semiring, where they can be combined using product and sum operations; throughout the paper, we provide instances of this framework, obtained by concrete instantiations of the underlying semiring. We specify systems via a simple process calculus, whose semantics is given as the unique homomorphism from the calculus into the set of behaviours, i.e. formal power series, seen as a final coalgebra. We provide a compositional semantics for the calculus in terms of rational operators on formal power series and show that the final and the compositional semantics coincide. 1
Information Hiding in Probabilistic Concurrent Systems
, 2010
"... Information hiding is a general concept which refers to the goal of preventing an adversary to infer secret information from the observables. Anonymity and Information Flow are examples of this notion. We study the problem of information hiding in systems characterized by the presence of randomizati ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
Information hiding is a general concept which refers to the goal of preventing an adversary to infer secret information from the observables. Anonymity and Information Flow are examples of this notion. We study the problem of information hiding in systems characterized by the presence of randomization and concurrency. It is well known that the raising of nondeterminism, due to the possible interleavings and interactions of the parallel components, can cause unintended information leaks. One way to solve this problem is to fix the strategy of the scheduler beforehand. In this work, we propose a milder restriction on the schedulers, and we define the notion of strong (probabilistic) information hiding under various notions of observables. Furthermore, we propose a method, based on the notion of automorphism, to verify that a system satisfies the property of strong information hiding, namely strong anonymity or nointerference, depending on the context.