Anonymity protocols as noisy channels

We consider a framework in which anonymity protocols are interpreted as noisy channels in the information-theoretic sense, and we explore the idea of using the notion of capacity as a measure of the loss of anonymity. This idea was already suggested by Moskowitz, Newman and Syverson in their analysis of the covert channel that can be created as a result of non-perfect anonymity. We consider the case in which some leak of information is intended by design, and we introduce the notion of conditional capacity to rule out this factor, thus retrieving a natural correspondence with the notion of anonymity. Furthermore, we show how to compute the capacity and the conditional capacity when the anonymity protocol satisfies certain symmetries. We also investigate how the adversary can test the system to try to infer the user's identity, and we study how his probability of success depends on the characteristics of the channel. We then illustrate how various notions of anonymity can be expressed in this framework, and show the relation with some definitions of probabilistic anonymity in the literature. Finally, we show how to compute the matrix of the channel (and hence the capacity and conditional capacity) using model checking.
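To make the capacity measure concrete, the following added example (not code from the paper) treats a protocol as a matrix of probabilities p(observable | user) and computes its capacity in bits. It assumes the standard Blahut-Arimoto iteration for the general case and the textbook closed form log2(#observables) - H(row) for symmetric channels; all matrices are constructed sample values.

```python
import math

def capacity(matrix, tol=1e-12, max_iter=10000):
    """Blahut-Arimoto capacity (bits) of p(o|a): rows = users, columns = observables."""
    n, m = len(matrix), len(matrix[0])
    prior = [1.0 / n] * n  # start uniform; iterated toward the capacity-achieving prior
    lower = 0.0
    for _ in range(max_iter):
        # Distribution over observables induced by the current prior over users
        out = [sum(prior[a] * matrix[a][o] for a in range(n)) for o in range(m)]
        # Relative entropy D(row_a || out) in nats, one value per user
        d = [sum(p * math.log(p / out[o]) for o, p in enumerate(row) if p > 0)
             for row in matrix]
        weights = [prior[a] * math.exp(d[a]) for a in range(n)]
        total = sum(weights)
        lower, upper = math.log(total), max(d)  # lower <= capacity <= upper (nats)
        prior = [w / total for w in weights]
        if upper - lower < tol:
            break
    return lower / math.log(2)

def is_symmetric(matrix):
    """True if all rows are permutations of each other, and likewise all columns."""
    rows_ok = all(sorted(r) == sorted(matrix[0]) for r in matrix)
    cols = [sorted(c) for c in zip(*matrix)]
    return rows_ok and all(c == cols[0] for c in cols)

def symmetric_capacity(matrix):
    """Closed form for symmetric channels: log2(#observables) - H(any row)."""
    if not is_symmetric(matrix):
        raise ValueError("closed form only applies to symmetric channels")
    row = matrix[0]
    entropy = -sum(p * math.log2(p) for p in row if p > 0)
    return math.log2(len(row)) - entropy

# Constructed channels for three users and three observables.
PERFECT = [[0.5, 0.25, 0.25]] * 3                       # identical rows: nothing leaks
NO_ANONYMITY = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]        # observable reveals the user
SYMMETRIC = [[0.5, 0.25, 0.25], [0.25, 0.5, 0.25], [0.25, 0.25, 0.5]]

if __name__ == "__main__":
    for name, ch in [("perfect", PERFECT), ("none", NO_ANONYMITY), ("symmetric", SYMMETRIC)]:
        print(f"{name}: {capacity(ch):.6f} bits")
```

Capacity 0 corresponds to an observer learning nothing about the user, while log2(3) bits means the observable identifies one of three users exactly.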
