## Parameterised anonymity (2008)

### BibTeX

@MISC{Groote08parameterisedanonymity,
  author = {Jan Friso Groote and Simona Orzan},
  title = {Parameterised anonymity},
  year = {2008}
}

### Abstract

We introduce the notion of parameterised anonymity, to formalize the anonymity property of protocols with an arbitrary number of participants. This definition is an extension of the well known CSP anonymity formalization of Schneider and Sidiropoulos [23]. Using recently developed invariant techniques for solving parameterised boolean equation systems, we then show that the Dining Cryptographers protocol guarantees parameterised anonymity with respect to outside observers. We also argue that although the question whether a protocol guarantees parameterised anonymity is in general undecidable, there are practical subclasses where anonymity can be decided for any group of processes.

### Citations

474 | The Dining Cryptographers problem: Unconditional sender and recipient untraceability
- Chaum
- 1988
Citation Context ...where a participant i acts according to a choice c from a protocol behaviour where i has taken a different choice d. We then give a formal correctness proof for Chaum’s Dining Cryptographers protocol [2], arguably the most well-known example of a protocol where anonymity is the main requirement. Starting with [23], where DC has been proved correct for 3 cryptographers, various verification approaches...

139 | Anonymity, unobservability, and pseudonymity - a proposal for terminology
- Pfitzmann, Köhntopp
- 2000

91 | CSP and anonymity
- Schneider, Sidiropoulos
- 1996
Citation Context ... to formalize the anonymity property of protocols with an arbitrary number of participants. This definition is an extension of the well known CSP anonymity formalization of Schneider and Sidiropoulos [23]. Using recently developed invariant techniques for solving parameterised boolean equation systems, we then show that the Dining Cryptographers protocol guarantees parameterised anonymity with respect...

88 | Reasoning about rings
- Emerson, Namjoshi
- 1995
Citation Context ... operator. For any N≥1, NPA is decidable iff it can be decided that, for any n≥N and x1, ..., xN−1, y1, ..., yN−1 ∈ D, P(0, x0) ‖ ··· ‖ P(N−1, xN−1) ‖ Q(n) ∼ P(0, y0) ‖ ··· ‖ P(N−1, yN−1) ‖ Q(n). (6) Proof. The first step is to determine whether for every x with Restriction(x) a v can be found such that Restriction(v) and v0 ≠ x0 satisfying (6). As x and v can only attain a finite number of valu...

78 | Anonymity and information hiding in multiagent systems
- Halpern, O’Neill
Citation Context ...that might involve sensitive personal data, like electronic auctions, voting, anonymous broadcasts, file-sharing etc. Due to its relevance and subtle nature, anonymity has been given many definitions [1,11,12,22] and has been the subject of many theoretical studies and formal analysis work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal veri...

68 | Algebraic process verification
- Groote, Reniers
- 2001
Citation Context ...ection 4 the DC correctness proof for it and Section 5 the (un)decidability results. 2 Preliminaries A short introduction to mCRL2. mCRL2 is a process algebraic specification language with data types [8,9]. Processes are built from atomic multi-actions (e.g. a|b|c is a multiaction where actions a, b and c happen simultaneously). Behaviour is combined by the process algebraic operators for sequential co...

63 | Analysis of an electronic voting protocol in the applied pi calculus
- Kremer, Ryan
- 2005
Citation Context ...adcasts, file-sharing etc. Due to its relevance and subtle nature, anonymity has been given many definitions [1,11,12,22] and has been the subject of many theoretical studies and formal analysis work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal verification of anonymity only treat (small) examples of individual protocols [17,23,24] a...

49 | Information hiding, anonymity and privacy: A modular approach
- Hughes, Shmatikov
Citation Context ...that might involve sensitive personal data, like electronic auctions, voting, anonymous broadcasts, file-sharing etc. Due to its relevance and subtle nature, anonymity has been given many definitions [1,11,12,22] and has been the subject of many theoretical studies and formal analysis work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal veri...

40 | Weak probabilistic anonymity
- Deng, Palamidessi, et al.
- 2007
Citation Context ...that might involve sensitive personal data, like electronic auctions, voting, anonymous broadcasts, file-sharing etc. Due to its relevance and subtle nature, anonymity has been given many definitions [1,11,12,22] and has been the subject of many theoretical studies and formal analysis work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal veri...

40 | Is it possible to decide whether a cryptographic protocol is secure or not
- Comon, Shmatikov
Citation Context ...quality tests etc. [15], and also for the multiparty case [14]. Recently, the need to answer decidability questions for other security properties like anonymity, privacy, fairness etc. was recognized [5] and gained interest. For the case of two-party protocols, effectiveness, fairness and balance of contract-signing is decidable [16], as well as a property related to anonymity, called opacity [20]. W...

39 | The formal specification language mCRL2
- Groote, Mathijssen, et al.
- 2007
Citation Context ...ection 4 the DC correctness proof for it and Section 5 the (un)decidability results. 2 Preliminaries A short introduction to mCRL2. mCRL2 is a process algebraic specification language with data types [8,9]. Processes are built from atomic multi-actions (e.g. a|b|c is a multiaction where actions a, b and c happen simultaneously). Behaviour is combined by the process algebraic operators for sequential co...

35 | Probabilistic model checking of an anonymity system
- Shmatikov
Citation Context ...work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal verification of anonymity only treat (small) examples of individual protocols [17,23,24] and claims about the correctness of anonymity protocols for any group size are generally not made. In this paper, we propose a parameterised possibilistic definition of anonymity based on a notion of...

21 | A formalization of anonymity and onion routing
- Mauw, Verschuren, et al.
- 2004
Citation Context ...adcasts, file-sharing etc. Due to its relevance and subtle nature, anonymity has been given many definitions [1,11,12,22] and has been the subject of many theoretical studies and formal analysis work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal verification of anonymity only treat (small) examples of individual protocols [17,23,24] a...

17 | Parameterised Boolean Equation Systems
- Groote, Willemse
- 2005
Citation Context ...n the original paper. We use a recently developed theory where standard verification problems like model checking and equivalence checking are encoded as parameterised boolean equation systems (PBES) [10]. PBESs are usually solved by symbolic approximation and by discovering equation patterns and invariants [10,21]. In solving the PBES corresponding to the DC protocol, we make essential use of invaria...

12 | A framework for automatically checking anonymity with µCRL
- Chothia, Orzan, et al.
- 2007
Citation Context ...ious verification approaches, both process theoretical and logical, have been applied to it, e.g. [23,1,17] — but only for concrete instances, the maximum instance being as large as 15 cryptographers [4]. No formal proof exists so far for an arbitrary number of parties, although a mathematical argument has already been given by Chaum in the original paper. We use a recently developed theory where sta...

12 | Implementing influence analysis using parameterised boolean equation systems
- Gallardo, Joubert, et al.
- 2006
Citation Context ...ms (PBES) [10] provide a fundamental framework for solving verification problems. They can encode model checking questions [10], checking of various process equivalences [3], static analysis problems [7] etc. The PBES solution is then the solution to the encoded problem. The basic PBES solving techniques are successive symbolic approximation of the system’s equations and instantiation of the data par...

12 | On the decidability of cryptographic protocols with open-ended data structures
- Küsters
Citation Context ...ensively studied and well understood in various models - atomic or complex keys, Dolev-Yao intruder with (un)bounded message size, (dis)allow equality tests etc. [15], and also for the multiparty case [14]. Recently, the need to answer decidability questions for other security properties like anonymity, privacy, fairness etc. was recognized [5] and gained interest. For the case of two-party protocols, ...

12 | Automata-Based Analysis of Recursive Cryptographic Protocols
- Küsters, Wilke
- 2004
Citation Context ...secrecy and authentication has been extensively studied and well understood in various models - atomic or complex keys, Dolev-Yao intruder with (un)bounded message size, (dis)allow equality tests etc. [15], and also for the multiparty case [14]. Recently, the need to answer decidability questions for other security properties like anonymity, privacy, fairness etc. was recognized [5] and gained interest...

8 | Equivalence checking for infinite systems using parameterized boolean equation systems
- Chen, Ploeger, et al.
- 2007
Citation Context ...terised boolean equation systems (PBES) [10] provide a fundamental framework for solving verification problems. They can encode model checking questions [10], checking of various process equivalences [3], static analysis problems [7] etc. The PBES solution is then the solution to the encoded problem. The basic PBES solving techniques are successive symbolic approximation of the system’s equations and...

7 | Model checking multi-agent systems
- Raimondi
- 2006
Citation Context ...work [13,19]. Protocols where anonymity is one of the aims are typically meant for large groups of users. However, formal verification of anonymity only treat (small) examples of individual protocols [17,23,24] and claims about the correctness of anonymity protocols for any group size are generally not made. In this paper, we propose a parameterised possibilistic definition of anonymity based on a notion of...

5 | Deciding properties of contract-signing protocols
- Kähler, Küsters, et al.
- 2005
Citation Context ...ity properties like anonymity, privacy, fairness etc. was recognized [5] and gained interest. For the case of two-party protocols, effectiveness, fairness and balance of contract-signing is decidable [16], as well as a property related to anonymity, called opacity [20]. We start with preliminaries regarding the formal language used and PBESs (Section 2). Section 3 presents our anonymity formalization,...

2 | On the expressiveness of choice quantification
- Luttik
Citation Context ...earisation of the parallel composition, looks as: Protocol(x) = x0 ≉ 0 → M1·δ + x0 ≈ 0 → M2·δ. A positive answer to NPA means that M1·δ ≁ M2·δ and a negative answer means that M1·δ ∼ M2·δ. According to [18], strong, branching and weak bisimulation are all undecidable for processes with infinite choice, hence NPA is undecidable as well. □ So, unsurprisingly, parameterised anonymity is in general undecid...

2 | Decidability of opacity with non-atomic keys
- Mazaré
- 2005
Citation Context ...zed [5] and gained interest. For the case of two-party protocols, effectiveness, fairness and balance of contract-signing is decidable [16], as well as a property related to anonymity, called opacity [20]. We start with preliminaries regarding the formal language used and PBESs (Section 2). Section 3 presents our anonymity formalization, Section 4 the DC correctness proof for it and Section 5 the (un)...