Probable innocence revisited

In this paper we propose a formalization of probable innocence, a notion of probabilistic anonymity that is associated with "realistic" protocols such as Crowds. We critically analyze two different definitions of probable innocence from the literature. The first one, corresponding to the property that Reiter and Rubin proved for Crowds, aims at limiting the probability of detection. The second one, by Halpern and O'Neill, aims at constraining the attacker's confidence. Our proposal combines the spirit of both definitions while generalizing them. In particular, our definition needs no symmetry assumptions, and it does not depend on the probabilities with which the users perform the action of interest. We show that, in the case of a symmetric system, our definition corresponds exactly to that of Reiter and Rubin. Furthermore, in the case of users with uniform probabilities, it amounts to a property similar to that of Halpern and O'Neill. Another contribution of our paper is the study of probable innocence under protocol composition, namely when multiple runs of the same protocol can be linked, as in the case of Crowds.
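The two notions the abstract contrasts can be made concrete on Crowds itself. The following Python is an added illustration, not code from the paper: it models the Reiter–Rubin path construction (an initiator forwards to a uniformly random member, each honest holder forwards again with probability `pf` and otherwise delivers to the server, and a corrupt member that receives the message learns who handed it over), derives from that model the probability that the observed predecessor is the actual initiator (the "probability of detection" bound), and then applies Bayes' rule to obtain the attacker's posterior confidence for a given prior over who initiates. The prior distributions and the parameter values are constructed for the example. With a uniform prior the two quantities coincide; with a skewed prior the detection probability is unchanged while the confidence bound can fail, which is the prior-dependence the abstract's "uniform probabilities" condition refers to.

```python
from fractions import Fraction
from math import ceil


def crowds_likelihoods(n, c, pf):
    """Exact path probabilities for Crowds with n members, c of them corrupt.

    Returns (p_detect, p_pred_is_initiator, p_pred_is_other_honest), where
    p_detect is the probability that some corrupt member appears on the path,
    and the other two are, conditioned on detection, the probability that the
    observed predecessor is the initiator or a specific other honest member.
    """
    n, c, pf = Fraction(n), Fraction(c), Fraction(pf)
    h = n - c                      # honest members (the initiator is one of them)
    # Each honest sender hits a corrupt member w.p. c/n, otherwise an honest one
    # (w.p. h/n) which forwards again w.p. pf:  q = c/n + (h/n)*pf*q.
    stay = pf * h / n              # probability the path continues with a new honest sender
    p_detect = (c / n) / (1 - stay)
    # Senders after the first are uniformly random honest members, so each of
    # them is the initiator with probability 1/h.  Expected number of such
    # later senders is the geometric sum stay/(1-stay).
    later_senders = stay / (1 - stay)
    joint_pred_init = (c / n) * (1 + later_senders / h)
    p_pred_init = joint_pred_init / p_detect
    p_pred_other = (1 - p_pred_init) / (h - 1)   # remaining mass spread evenly
    return p_detect, p_pred_init, p_pred_other


def reiter_rubin_detection_probability(n, c, pf):
    """Closed form P(predecessor is the initiator | detected) = 1 - (n-c-1)*pf/n."""
    n, c, pf = Fraction(n), Fraction(c), Fraction(pf)
    return 1 - (n - c - 1) * pf / n


def reiter_rubin_bound(c, pf):
    """Smallest n for which the detection probability is at most 1/2 (needs pf > 1/2)."""
    pf = Fraction(pf)
    return ceil(pf * (c + 1) / (pf - Fraction(1, 2)))


def probable_innocence_rr(n, c, pf):
    """Reiter–Rubin style: the observed sender is the initiator w.p. at most 1/2."""
    return reiter_rubin_detection_probability(n, c, pf) <= Fraction(1, 2)


def posterior_confidence(n, c, pf, prior):
    """Attacker's posterior P(initiator = v | observed predecessor v), one per honest v.

    `prior` lists the probability that each honest member initiates; it is the
    quantity the abstract calls "the probabilities of the users to perform the
    action of interest".  Bayes' rule with the Crowds likelihoods above.
    """
    _, p_init, p_other = crowds_likelihoods(n, c, pf)
    prior = [Fraction(p) for p in prior]
    assert len(prior) == n - c, "one prior weight per honest member"
    posts = []
    for v, pv in enumerate(prior):
        num = pv * p_init                                  # initiator really is v
        den = num + sum(pu * p_other for u, pu in enumerate(prior) if u != v)
        posts.append(num / den)
    return posts


def probable_innocence_confidence(n, c, pf, prior):
    """Halpern–O'Neill style: no observation makes any user more likely than not."""
    return all(p <= Fraction(1, 2) for p in posterior_confidence(n, c, pf, prior))


if __name__ == "__main__":
    n, c, pf = 10, 2, Fraction(3, 4)                       # constructed parameters
    h = n - c
    uniform = [Fraction(1, h)] * h                          # constructed uniform prior
    skewed = [Fraction(1, 2)] + [Fraction(1, 2 * (h - 1))] * (h - 1)  # one heavy user
    print("model vs closed form:", crowds_likelihoods(n, c, pf)[1],
          reiter_rubin_detection_probability(n, c, pf))
    print("Reiter-Rubin innocence:", probable_innocence_rr(n, c, pf),
          "(needs n >=", reiter_rubin_bound(c, pf), ")")
    print("uniform prior confidence ok:", probable_innocence_confidence(n, c, pf, uniform))
    print("skewed prior confidence ok: ", probable_innocence_confidence(n, c, pf, skewed))
```

Exact fractions are used so the derived model value can be compared to the closed form with equality rather than a tolerance; the same functions can be swept over `n`, `c` and `pf` to see where the detection bound and the confidence bound part ways.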
