Modular Reasoning about Differential Privacy in a Probabilistic Process Calculus

The verification of systems that protect sensitive and confidential information is becoming an increasingly important issue. Differential privacy is a promising notion of privacy that originated in the statistical-database community and is now widely adopted in various models of computation. We consider a probabilistic process calculus as a specification formalism for concurrent systems, and we propose a framework for reasoning about the degree of differential privacy provided by such systems. In particular, we investigate how the degree of privacy is preserved under composition via the various operators of the calculus. We illustrate our idea by proving an anonymity-preservation property for a variant of the Crowds protocol to which the standard analyses from the literature are inapplicable. Finally, we make some preliminary steps towards automatically computing the degree of privacy of a system in a compositional way.
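The quantity at the centre of the abstract, the degree ε of differential privacy of a probabilistic system and how it behaves under composition, can be made concrete on a small channel-matrix model. The Python below is an added illustration, not code from the paper or its authors: it models a system as a channel from secrets (e.g. which user originated a request) to observables, computes the smallest ε for which the system is ε-differentially private, and checks the standard bound that running two independent ε1- and ε2-private systems on the same secret yields a system that is at most (ε1+ε2)-private. The two channels, the all-pairs adjacency relation and the product-composition operator are constructed assumptions for the example; they are not the process-calculus operators the paper studies, and the paper's own composition results should be read from the paper.

```python
import math
from itertools import product

# Constructed example channels. Keys are secrets, values are probability
# distributions over observables (one entry per observable, in a fixed order).
CHANNEL_A = {"user1": [0.6, 0.4], "user2": [0.4, 0.6]}
CHANNEL_B = {"user1": [0.7, 0.3], "user2": [0.5, 0.5]}


def all_pairs(secrets):
    """Adjacency relation assumed here: every two distinct secrets are adjacent
    (the natural choice when the secret is the identity of a single sender)."""
    return [(s, t) for s in secrets for t in secrets if s != t]


def privacy_level(channel, adjacent=None):
    """Smallest epsilon such that, for every adjacent pair (s, t) and every
    observable o, P(o | s) <= exp(epsilon) * P(o | t).

    Returns math.inf when an observable has probability zero under one secret
    but not under its neighbour: no finite epsilon bounds that ratio, which is
    exactly the situation in which an observer can rule a secret out for sure.
    """
    if adjacent is None:
        adjacent = all_pairs(channel.keys())
    eps = 0.0
    for s, t in adjacent:
        for p_s, p_t in zip(channel[s], channel[t]):
            if p_s == 0.0 and p_t == 0.0:
                continue  # observable impossible under both: no information
            if p_s == 0.0 or p_t == 0.0:
                return math.inf
            eps = max(eps, abs(math.log(p_s / p_t)))
    return eps


def independent_composition(c1, c2):
    """Channel obtained by running c1 and c2 independently on the same secret;
    the observable is the pair of their outputs, so probabilities multiply."""
    return {s: [p * q for p, q in product(c1[s], c2[s])] for s in c1}


def composition_check(c1, c2):
    """Return (eps1, eps2, eps_composed). For independent composition the
    sequential-composition theorem of differential privacy guarantees
    eps_composed <= eps1 + eps2; the caller can verify the bound."""
    eps1 = privacy_level(c1)
    eps2 = privacy_level(c2)
    eps12 = privacy_level(independent_composition(c1, c2))
    return eps1, eps2, eps12


if __name__ == "__main__":
    e1, e2, e12 = composition_check(CHANNEL_A, CHANNEL_B)
    print(f"eps(A) = {e1:.4f}, eps(B) = {e2:.4f}, eps(A || B) = {e12:.4f}")
    print("bound eps(A||B) <= eps(A)+eps(B) holds:", e12 <= e1 + e2 + 1e-12)
```

For the constructed channels, eps(A) = ln 1.5 and eps(B) = ln(5/3); the composed system has ε = ln 2.5, which is exactly the sum, showing that the additive bound is tight when the worst-case observables of the two components line up. Replacing the uniform-row channel with one that assigns probability zero to an observable for one user only makes `privacy_level` return infinity, the correct answer for a system that offers no differential privacy at all.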
